GSA released a Draft Identity, Credentialing, and Access Management (ICAM) Solutions Catalog in response to an Executive Order and a new Office of Management and Budget (OMB) policy. These ICAM Solutions will assist federal agencies in managing and monitoring user access to information systems in order to ensure secure operations and could change security and authentication procedures for federal contractors. From the President on down, cybersecurity, including authentication, is a pressing concern for all federal contractors.
In May, the President released an Executive Order on Securing the Information and Communications Technology and Services Supply Chain, declaring a national emergency regarding the nation’s “vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information[.]” The Order explained:
To deal with this threat, additional steps are required to protect the security, integrity, and reliability of information and communications technology and services provided and used in the United States.
In accordance with the Order, the Office of Management and Budget (OMB) promptly released an updated ICAM policy memorandum, providing guidance for the federal government and outlining specific responsibilities for the agencies. The memorandum said that “[a]dvances in technology have enabled more digital interactions and business transactions, offering the Federal Government an opportunity for faster, more reliable connections and operations.” But it cautioned that, with such advances, “a new set of challenges has emerged.” The memorandum explained:
In favor of this opportunity, the Federal Government continues to refresh its digital infrastructure through comprehensive efforts focused on cybersecurity, procurement, and management of a workforce capable of operating modem, frequently cloud-based environments.
The memorandum explained that “GSA serves as the executive agency for Government-wide acquisitions of information technology related to identity management initiatives[,]” and it specifically instructed GSA to publish “a consolidated catalog of existing ICAM solutions and shared services.” GSA released its Draft ICAM Solutions Catalog in August.
GSA’s assistant commissioner for the Office of Information Technology Category says this ICAM policy comes at a “crucial time,” and explains:
[T]he discussion around defining identity is evolving rapidly. Identity is now more than just a person; it is a unique representation of a subject and can include devices like cell phones, tablets, TVs, or any network connected item. Ensuring the right people (or device) have the right credentials and access are paramount.
GSA’s ICAM solutions will assist agencies in conducting identity proofing, establishing digital identities, and adopting secure processes for authentication and accessing secure information. The ICAM Solutions Catalog “is designed to help agencies translate between requirements and technical solutions.” And GSA intends for agencies to “leverage these solutions now to begin meeting the requirements of the OMB ICAM policy.”
The Draft ICAM Solutions Catalog includes several special item numbers (SINs) within Multiple Award Schedules (MAS) IT Schedules 70 and 84, which were part of GSA’s MAS consolidation this year. The enhanced security and authentication requirements could affect electronic resources, such as files or computer systems, and physical resources, such as server rooms and buildings.
One requirement of the ICAM policy is that GSA work with OMB to establish or leverage “a public or private sector capability for accrediting ICAM products and services available on GSA acquisition vehicles,” intended to “support and not duplicate existing Federal approval processes[.]”
These authentication concerns will bring about new opportunities for IT contractors to provide services, but could also result in additional interface verification requirements for federal contractors and tighter security restrictions on privately and publicly stored federal contract information. No matter what, agencies and contractors doing business through a GSA IT Schedule, or planning to, should expect to see at least some changes to the previous security and authentication procedures.