The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance on how federal agencies can integrate identity and access management (IDAM) capabilities into their identity, credential, and access management (ICAM) architectures.
The new document (PDF) was released as part of CISA’s Continuous Diagnostics and Mitigation (CDM) program, which provides information security continuous monitoring (ISCM) capabilities to help federal agencies improve the security of their networks.
“There is no singular, authoritative, recognized way to architect an ICAM capability across an enterprise, which results in many U.S. government agencies approaching this from different directions with different priorities. Compounding this issue, agency Identity Management maturities vary, especially those related to tool expertise and ICAM-related policies, which may complicate the ongoing CDM integration efforts and lead to incomplete or ineffective ICAM deployments,” CISA notes.
To address this issue, CISA’s new guidance clarifies the CDM program’s IDAM scope, CDM IDAM capabilities, and federal agencies’ ICAM practice areas, and provides a CDM ICAM reference architecture that can be used to deploy a robust and effective ICAM capability with CDM functionality, the agency explains.
CDM IDAM capabilities, CISA notes, include sub-capabilities for privileged access management (PAM), identity lifecycle management (ILM), and mobile identity management (MIM). Non-person entities (NPE) and other non-PKI authenticators are also included, under manage credentials and authentication (CRED).
PAM focuses on managing privileged human and non-person entities and includes tools for ensuring strong authentication; ILM covers the lifecycle management of user identities and their associated privileges; and MIM addresses securing the use of mobile devices.
The CDM ICAM reference architecture, which also covers federation services (additional service endpoints, the identity provider, and the service provider), is meant to help agencies enable Zero Trust Architecture (ZTA) as well.
The new guidance also details a notional CDM ICAM physical architecture, provides an overview of challenges that CDM ICAM faces, describes how ICAM use cases are implemented in ICAM services and components, and provides a series of recommendations for federal agencies to advance the development of the Identity Pillar of a ZTA.
Federal agencies are encouraged to review CISA’s new guidance and use it for implementing ICAM capabilities.