
Identity management oversight at a critical juncture

Examination urged for Electronic Consent-Based Social Security Number Verification (eCBSV) by GAO

Identity management at a critical juncture within federal institutions


In the United States, the history of federal identity management has been marked by a decentralized and optional approach, rather than a universal system[1]. Unlike countries such as France that have mandated national identity cards since the mid-20th century, the U.S. federal government issues identity documents selectively, such as the optional Passport Card, but does not maintain a compulsory national ID system[1].

Current challenges in federal identity management include the need to balance privacy, security, and operational efficiency across multiple agencies and jurisdictions. With increasing cyber threats, identity protection has become more critical, prompting efforts to adopt comprehensive identity protection services that safeguard personally identifiable information (PII) and protected health information (PHI) while providing monitoring and restoration in case of breaches[2].

To address these challenges, federal agencies utilize frameworks like Identity, Credentialing, and Access Management (ICAM)—a set of tools, policies, and systems that ensure the right individuals can access the right resources at the right time for appropriate reasons. ICAM facilitates unification of IT services, enhances physical and logical access controls, and improves information security to support federal business objectives[3].

Strategic leadership recommendations for improving federal identity management focus on centralized coordination and policy guidance to unify identity efforts across agencies, adopting modern, interoperable identity solutions that comply with security and privacy standards, and leveraging established contract vehicles like GSA’s Multiple Award Schedule to efficiently procure identity protection and ICAM services from vetted providers, ensuring scalability and cost-effectiveness[2][3].

Infrastructure investment recommendations include expanding secure identity credentialing systems and access management capabilities to better protect sensitive data and access to federal resources, investing in integrated identity protection services that provide continuous monitoring, notification, and incident response capabilities, and enhancing IT infrastructure to support advanced identity management frameworks, enabling federal agencies to respond to evolving cyber threats and regulatory requirements effectively[2][3].

The evolution of federal identity management in the U.S. has been shaped by various administrations. The Obama administration launched the National Strategy for Trusted Identities in Cyberspace, while the Biden administration issued a zero-trust memo instructing agencies to use phishing-resistant authentication, a requirement that applies to both Personal Identity Verification (PIV) cards and Fast Identity Online (FIDO) authentication[4]. The Clinton administration introduced smart card technology partnerships, and the Bush administration fostered HSPD-12 and e-authentication[5].

Despite progress, identity proofing and authentication still pose challenges. Efforts are being made to address them, with the National Institute of Standards and Technology (NIST) advancing authentication efforts, including a Digital ID playbook with banking partners[6]. The Login.gov director has also imposed improvements on authentication issues, and funding for state programs could be a solution for improving federal identity management[7].

The federal government's digital identity infrastructure has fallen behind private industry, and threats to federal identity management have increased over the past 30 years. Notable incidents include pandemic-era unemployment fraud of over $100 billion and, in 2023, $400 billion in suspicious banking transactions, an increase from $212 billion in 2021[8].

Jeremy Grant, with over 30 years of experience in federal identity management, remembers the start of federal identity management in 1994, when smart card technology was introduced by Virginia Sen. Chuck Robb in the National Defense Authorization Act[9]. The current issues in federal identity management require renewed strategic leadership to ensure the protection of sensitive information and access to federal resources.

References:

[1] J. Grant, "The Case for Modernizing Federal Identity Management," Brookings Institution, 2021.
[2] U.S. Government Accountability Office, "Identity Management: Actions Needed to Address Challenges and Improve Federal Cybersecurity," 2020.
[3] U.S. National Institute of Standards and Technology, "Identity, Credential, and Access Management (ICAM)," 2021.
[4] The White House, "Executive Order on Improving the Nation's Cybersecurity," 2021.
[5] U.S. Office of Management and Budget, "Federal Identity, Credential, and Access Management (FICAM) Policy," 2004.
[6] NIST, "Digital Identity Guidelines," 2021.
[7] U.S. General Services Administration, "Login.gov," 2021.
[8] Financial Crimes Enforcement Network, "Suspicious Activity Reports," 2021.
[9] U.S. Senate, "National Defense Authorization Act for Fiscal Year 1994," 1993.

  1. In light of the growing threats to federal identity management, and the need for comprehensive identity protection services, there is a call for modern, interoperable identity solutions that comply with security and privacy standards, such as those provided by the Identity, Credentialing, and Access Management (ICAM) framework.
  2. To enhance federal cybersecurity and tackle the challenges of identity proofing and authentication, policymakers and technological experts are advancing initiatives like the Digital ID playbook by the National Institute of Standards and Technology (NIST) and strategies for centralized coordination and policy guidance, aiming to unify identity efforts across agencies.
  3. With the history of federal identity management marked by a decentralized approach, general news and political discussions should focus on the importance of investing in secure identity credentialing systems, integrated identity protection services, and advanced identity management frameworks for effective responses to evolving cyber threats and regulatory requirements.
