New DHS AccessID network built on SDP proofs IDs
In 2019, OMB issued a new cybersecurity memorandum, M-19-17 – Enabling Mission Delivery through Improved Identity, Credential, and Access Management, setting forth a modernized policy for the federal government’s approach to Identity, Credential, and Access Management (ICAM).
It represents an overhaul of federal identity policy and strategically points agencies to the risk-based approach detailed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines.
First-generation ICAM systems were long overdue for improvement and modernization: identity federation and access management based on ICAM guidelines were effectively non-existent. Existing ICAM solutions were static and closed, placed onerous restrictions on the trust mechanism, and did not account for mobile environments.
There are many recommendations and policy changes in the new guidance but two in particular are proving instrumental in fixing what had been the weak link in ICAM – “Identity Proofing”.
Identity Proofing is the critical piece that must be achieved before allowing access. Until now, accurately proving a user’s identity via credentials such as electronic forms and papers was very problematic.
M-19-17 features two areas of emphasis that change this:
- Commitment to Zero Trust – Zero Trust is a strategy that advances the concept of using identity as the underpinning for managing cyber-risk. The new guidance emphasizes Zero Trust architecture requirements, which require agencies to establish authoritative solutions for ICAM services, ensure that deployed ICAM capabilities are interchangeable, use commercially available products, and leverage open APIs and commercial standards to promote interoperability. Next-generation Software Defined Perimeters (SDP), built on a deny-all, authenticate-first architecture, are critical for achieving true Zero Trust solutions in which proofing is performed dynamically for every connection.
- Flexibility in Authentication – Policy changes allow agencies to give the public more options, including the ability to bring non-Government-furnished authenticators to their digital identity when accessing digital services. The guidance emphasizes strong authentication, reduces cost, and reduces the number of authenticators individuals must use in their daily lives.
Waverley Labs was awarded a $1 million contract by DHS to develop the Dynamic AccessID™ Network to improve on-the-fly identity proofing for crisis and emergency managers. During an emergency, systems of interest protected by Waverley Labs’ Software Defined Perimeter can accept certificates issued by the Incident Manager, granting dynamic access to those systems ONLY for that emergency. The Dynamic AccessID™ Network will provide not only a multi-jurisdictional trust mechanism for a specific emergency, but also the ability to securely on-board first responders to use those emergency systems. Once implemented, it will have proven the much-needed identity proofing capability that any Zero Trust implementation requires for successful commercialization.
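The two properties the article attributes to the AccessID approach, a deny-all, authenticate-first gateway and credentials that are honoured ONLY for the emergency they were issued for, can be illustrated with a small model. The following is an added example written for this page; it is not Waverley Labs' code and the article does not describe the AccessID design at this level. It assumes a hypothetical HMAC-signed token with `sub`, `emergency`, `systems` and `exp` claims standing in for the Incident Manager's certificates, a constructed shared key, and constructed emergency identifiers such as `EM-DEMO-001`.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical shared key between the Incident Manager (issuer) and the SDP
# gateways. A real deployment would use issued certificates, not a shared secret.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"


def issue_access_token(subject, emergency_id, systems, issued_at, ttl_seconds, key=ISSUER_KEY):
    """Issuer side: mint a credential bound to one emergency and an explicit
    list of systems, valid only until issued_at + ttl_seconds."""
    claims = {
        "sub": subject,
        "emergency": emergency_id,
        "systems": sorted(systems),
        "exp": issued_at + ttl_seconds,
    }
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token, key=ISSUER_KEY):
    """Return the claims if the MAC over the body verifies, otherwise None."""
    body, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers both base64 and JSON decoding failures
        return None


class SdpGateway:
    """Deny-all, authenticate-first gateway in front of one protected system."""

    def __init__(self, system_id, key=ISSUER_KEY):
        self.system_id = system_id
        self.key = key
        self.active_emergency = None  # nothing declared => nothing is reachable

    def declare_emergency(self, emergency_id):
        self.active_emergency = emergency_id

    def close_emergency(self):
        # Closing the incident revokes every credential scoped to it at once.
        self.active_emergency = None

    def decide(self, token, now):
        """Every path returns ("deny", reason) unless all checks pass."""
        claims = verify_token(token, self.key)
        if claims is None:
            return ("deny", "invalid or tampered credential")
        if now >= claims["exp"]:
            return ("deny", "credential expired")
        if self.active_emergency is None:
            return ("deny", "no active emergency on this system")
        if claims["emergency"] != self.active_emergency:
            return ("deny", "credential issued for a different emergency")
        if self.system_id not in claims["systems"]:
            return ("deny", "system not in credential scope")
        return ("allow", claims["sub"])


def run_scenario():
    """Walk a constructed incident through issue, use, misuse and closure."""
    t0 = 1_700_000_000  # constructed epoch timestamp
    gw = SdpGateway("ems-dispatch")
    tok = issue_access_token("responder-17", "EM-DEMO-001", ["ems-dispatch"], t0, 4 * 3600)
    results = {}
    results["before_declaration"] = gw.decide(tok, t0 + 60)
    gw.declare_emergency("EM-DEMO-001")
    results["during_emergency"] = gw.decide(tok, t0 + 60)
    other = issue_access_token("responder-17", "EM-DEMO-002", ["ems-dispatch"], t0, 4 * 3600)
    results["wrong_emergency"] = gw.decide(other, t0 + 60)
    results["expired"] = gw.decide(tok, t0 + 5 * 3600)
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")  # flip one MAC digit
    results["tampered"] = gw.decide(tampered, t0 + 60)
    gw.close_emergency()
    results["after_closure"] = gw.decide(tok, t0 + 60)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:20s} -> {decision}")
```

The point of the model is the ordering of the checks: the gateway never consults the protected system before the credential has been verified, and a valid credential is still useless outside the emergency it names, on a system it does not list, or after the incident is closed, which is how "access ONLY for that emergency" is enforced without per-user revocation.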
Waverley Labs worked closely with the Cloud Security Alliance (CSA) to develop the first commercial SDP specification and recently co-authored the CSA’s new white paper – Software Defined Perimeter and Zero Trust.