Our annual federal identity and access security conference, known as Securing Federal Identity, wrapped up last week in Washington, DC. Much of the attention at this year’s conference was on the widely distributed document (still unnamed but known as M-18-XX due to its current draft-only status) released for public comment in April by the Office of Management and Budget. After many references to it by keynote speakers from OMB, GSA, DHS, and NIST and the audience during Q&A sessions, the group collectively settled on referring to the document as “THE Federal Identity Policy Document.” This is an appropriate name given its significance in reinforcing the existing identity roadmap under HSPD-12 and shaping the future of identity, credential, and access management for years to come.
It was refreshing and encouraging to see a federal policy document – one intended to replace several older security policy directives and technical reference documents – strongly recommit to the core trusted PIV credentialing standard and use mandates that have been official policy (though not always followed) for more than ten years. In some cases, the directives could not keep up with the rapidly changing cybersecurity landscape and the technology shifts involving mobile and multi-factor authentication.
“THE” Federal Identity Policy Document embraces the changing cybersecurity landscape and challenges agencies to be accountable to work together to enable innovation by filling the gaps in the specifications, the training and oversight, and the procurement vehicles. It also advocates the use of shared services providers so that each agency does not have to build and operate their own identity ecosystem. Having these federal identity, credential, and access management leaders present to explain the intent and direction of the new policy was greatly appreciated by the audience of more than 300 registrants and conference speakers, of which more than 50 percent were government employees.
The event was also an opportunity for security industry suppliers and integrators to speak out about some of the challenges they face in implementing what the government asks industry to provide. Procurement challenges, tightened budgets, and deployment of PIV-enabled PACS to work together or side-by-side with non-compliant legacy systems were some of the issues raised. Other security industry leaders demonstrated how mobile solutions and derived mobile credentials could take the current PIV card into the future with multiple means of secure mobile authentication. It was a good showing for how government and industry can help each other achieve present and future cybersecurity goals.
Thank you for your support of the Secure Technology Alliance.