OMB Issues New Policy for Credentialing People, Devices and Bots

OMB Issues New Policy for Credentialing People, Devices and Bots

The best security in the world means nothing if you don’t know and manage who is allowed access. But in the evolving digital world, physical credentials like federal employees’ personal identity verification or common access cards just aren’t enough.

This reality spurred the Office of Management and Budget to release a long-awaited update to the identity, credential and access management, or ICAM, policy. A new memo, “Enabling Mission Delivery Through Improved Identity, Credential and Access Management,” issued Wednesday outlines a future in which agencies lean on each other to authorize users—and other entities, like bots—and move toward managing identity as a continuous, digital signature rather than a point-in-time authorization.

“To ensure secure and efficient operations, agencies of the federal government must be able to identify, credential, monitor and manage subjects that access federal resources, including information, information systems, facilities and secured areas across their respective enterprises,” according to a memo from acting OMB Director Russell Vought.

The central shift in policy is in direct response to something happening across federal networks: the dissolving perimeter. As more apps, systems and workloads move to the cloud—and more employees, contractors and citizens connect remotely and from several devices—having a single point of access and authentication has become outdated.

“While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems,” the policy states.

This new reality is seen in updates to other federal policies, as well, such as issues policy credentialing people devices