OMB updates identity management policies
- By Chase Gunter
- May 29, 2019
In a push to better adapt to changing technologies, the Office of Management and Budget issued a memo updating its identity management policies. One section directs agencies to work to remove the obstacles preventing acceptance of personal identity verification (PIV) use across agencies. Another addresses non-person entities.
Chih-Wei Yi, a risk and financial advisory principal at Deloitte, said that while "most" of memo consisted of "codifying" best practices in industry, the focus on interoperability would make doing business across agencies easier.
Eventually the cross-government collaboration could mean that contractors and others who work with multiple agencies would not have to get individual PIV cards for each agency, which would save time, money and "make for a more productive workforce," Yi said.
In the private sector, organizations have been pushing for the federal government to update its identity management policy.
Jeremy Grant, coordinator of the Better Identity Coalition, called the new memo "a critical step" in better securing digital identity and closing the "identity gap" between traditional, physical credentials and digital environments.
"It lays the policy foundation for a new array of more secure, privacy-enhanced digital identity solutions to help consumers better protect their identities and more easily do business online," he said.
The memo also directs "agencies that are authoritative sources for attributes," such as the Social Security Administration, to "establish privacy-enhanced data validation APIs for public and private sector identity proofing services to consume, providing a mechanism to improve the assurance of digital identity verification transactions based on consumer consent."
Another key update in the memo is the inclusion of non-human entities as part of the identity management policy. Agencies are also responsible for managing the digital identities of devices, non-person entities and automated technologies such as robotic process automation tools and artificial intelligence. They must ensure "the digital identity is distinguishable, auditable, and consistently managed across the agency."
Yi said he found the extension of the definition of identity to non-human entities to be pertinent.
"There are going to be more and more of these advanced technologies, and adding that layer to the workforce requires that agencies figure out how to have these bots access sensitive information," he said.
This article was first posted to FCW, a sibling site to GCN.
Chase Gunter is a former FCW staff writer.