The White House Office of Management and Budget released updated guidance on how agencies should purchase IT resources. Highlighted in the new guidance is mention of PIV credentials, digital signatures and identity assurance for citizens.
The update to Circular A-130, Managing Information as a Strategic Resource, puts all the resources for a range of policy updates for agencies regarding cybersecurity, information governance, privacy, records management, open data and acquisitions.
The circular makes many references to PIV credentials and calls for agencies to purchase IT products and services in accordance with government requirements, specifically mentioning PIV, PKI and FIPS 201.
The use of PIV for physical access is also mentioned. The circular points agencies to NIST SP 800-116 for information on using PIV for physical access control. PIV use for access to IT systems is more widespread than its use for physical access.
Derived credentials are also highlighted. “With the emergence of a newer generation of computing devices and in particular with mobile devices, the use of PIV cards has evolved technically to include other form factors that can be deployed directly with mobile devices as specified in NIST SP 800-157. Derived PIV Credentials are based on the general concept of derived credentials in NIST SP 800-63. Issuing a Derived PIV credential to PIV cardholders does not require repeating identity proofing and vetting processes. The user simply proves possession and control of a valid PIV Card to receive a Derived PIV Credential.”
Agencies are also reminded of the digital signature requirement. “For employees and contractors, agencies must require the use of the digital signature capability of PIV credentials. For individuals that fall outside the scope of PIV applicability, agencies should leverage approved Federal PKI credentials when using digital signatures.”
The circular also makes mention of President Obama’s 2014 executive order calling for effective online identity proofing and multi-factor authentication for citizen access to government data.
“Citizens, businesses, and other partners that interact with the Federal Government need to have and be able to present electronic identity credentials to identify and authenticate themselves remotely and securely when accessing Federal information resources. An agency needs to be able to know, to a degree of certainty commensurate with the risk determination, that the presented electronic identity credential truly represents the individual presenting the credential before a transaction is authorized.”
This was supposed to be a service provided by Connect.Gov but that program has since been scrapped and the GSA’s IT acquisition organization, 18F, is not taking over the project.
Connect.Gov was going to enable citizens to use credentials they already have to access federal services, if something was higher security they would step up that credential by providing more details. That seems to be part of the plan from 18F but the group is also planning to create a credential service for citizens to use as well.
The circular calls for agencies to “use a standards-based federated identity management approach that enables security, privacy, ease-of-use, and interoperability among electronic authentication systems.”