GSA Hits First Deadline On New Federal Identity Management Policy

The Trump administration issued a new policy in May regarding how people, devices and bots are credentialed and granted access to federal systems. With the arrival of August comes the first deadline under this new policy: for the General Services Administration to create a catalog of approved identity, credential and access management, or ICAM, products and services for agencies to buy.

GSA had three months from the issuance of the policy to develop the catalog, which the agency released Monday.

The list includes 14 products and services, all available through different special item numbers, or SINs, on GSA’s IT Schedule 70, or through other GSA services, such as Login.gov for electronic identity management and USAccess for physical access card services.

GSA also put out a short questionnaire through Google Forms, asking four questions about the most and least helpful parts of the catalog. The agency plans to incorporate that feedback into a finalized catalog, which will be posted on IDManagement.gov.

With this initial milestone out of the way, GSA will be looking ahead to its next ICAM policy deadline in November: developing a strategy for keeping that catalog up to date and establishing new shared services options for agencies.

The agency has five other mandates under the policy, though none of them come with specific deadlines. From the memo:

• Maintain and support, in coordination with OMB and DHS, the evolution of the governmentwide Federal Identity, Credential and Access Management, or FICAM, Architecture and associated guidance, previously published in the FICAM Roadmap and Implementation Guidance, v2.0: FICAM Playbooks, and establish and maintain a repository for agency best practices.
• Maintain and innovate the Federal Information Processing Standard, or FIPS, 201 evaluation process, and associated Approved Products List to enable the acquisition of interoperable solutions for physical and logical access control.
• Determine the feasibility, in coordination with OMB, of establishing or leveraging a public or private sector capability for accrediting ICAM products and services available on GSA acquisition vehicles, and confirm the capability leverages National Institute of Standards and Technology-developed criteria for assurance levels. This capability should support and not duplicate existing federal approval processes.
• Innovate capabilities and update federal public key infrastructure to provide government with a trust framework and infrastructure to administer digital certificates and other authentication solutions, such as those based on public key cryptography. This includes updating the PKI shared service provider approach to enable strong government oversight of service providers, including procurement and cost controls through GSA acquisition solutions as applicable.
• Ensure that all GSA acquisition solutions for ICAM meet all relevant law, OMB circulars and policies, Federal Acquisition Regulations, and NIST standards.

Other agencies have deliverables under the policy as well.

The Commerce Department will be on the hook in November to provide a plan to update existing ICAM guidance developed by NIST, and the Office of Personnel Management has until May 2020 to update vetting requirements for new forms of credentials.

Commerce, OPM and the Homeland Security Department all have additional requirements under the policy, though no other hard deadlines.