Federal agencies and their public sector counterparts are employing identity security in the face of an uphill challenge to provide the appropriate levels of security to protect their data. This is happening while also providing access to those working behind the scenes and the general public when necessary.

As technology advances, the risk of threat actors attempting to use privileged credentials is at an all-time high. Federal agencies, with the assistance of NIST’s Cybersecurity Framework, are advancing their cybersecurity strategies. NIST’s Special Publication 800-63 consists of four volumes that direct agencies on how to manage risk within the context of digital identity programs.

Ryan Galluzzo, digital identity lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology, said agencies will face various challenges when developing a digital identity system. He emphasized the importance of balancing risks with the user experience.

“The whole point of the digital identity risk management process is to want to understand what is the application context you’re working in? What are the different users that you have? What kind of data are you accessing? What kind of rights do you have once they are in the application? Can they modify things, just view things, and what’s the potential impact?” Galluzzo said on Federal Monthly Insights: Identity Security in the Public-Private Sector.

Proliferation of devices

A full-scale security strategy starts with the devices accessing the system. Security managers have to consider each access point, from handheld devices to laptops and other systems that need to be granted access. Galluzzo explained that it comes down to the concept of context, rights and understanding who the users are and what devices are available to them.

“If you can sync or copy a passkey, how do you make sure that doesn’t end up in the wrong kind of storage or export it out of the enterprise?” Galluzzo said. “We look at how we can place additional controls through other kinds of security mechanisms on your identity and authenticator systems to make sure they’re functioning and giving you the security you need.”

The risk posture assumed by the agency changes with the customer accessing the system. For enterprise users, some devices have endpoint management, mobile device management software and certain security tools. While these can provide a greater sense of confidence and offer additional authentication means and access controls, public-facing users are likely to have a completely different set of contexts, and therefore a different risk posture. Each user presents a different level of considerations.

Privileged access management

Phishing-resistant multifactor authentication has become the baseline of the federal government at large and of any system administrator’s zero trust strategy. Agencies are applying access governance. This includes granting access aligned with a user’s role, granular access control, and attribute-based access control (ABAC), the ability to define specific permissions for users based on attributes.

“The big thing with attribute-based access control is it really allows you to manage access based on both the attributes of the user and the transaction, like where I’m originating from, the kind of device I’m using, the networks I’m connected to and the time of day. Then applying policies that support that based on the attributes of the resource you’re attempting to protect,” Galluzzo said.
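The ABAC idea Galluzzo describes (decide on attributes of the user, the transaction and the resource, not on the user alone) is concrete enough to show as a small policy evaluator. The following is an added example, not code from the article, from NIST or from any agency system; the rule names, attribute names, the business-hours window and the sample users, devices and resources are all constructed for illustration.

```python
"""Minimal attribute-based access control (ABAC) evaluator (constructed example).

A request carries three attribute sets: subject (who), context (the transaction:
device, network, time of day) and resource (what is being protected). Each rule
says when it applies and whether it is satisfied. The decision is PERMIT only when
every applicable rule passes; otherwise DENY, with the failed rule names returned
so the decision can be logged and audited. Missing attributes fail closed.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Request:
    subject: Attrs    # user attributes: role, authenticator type
    context: Attrs    # transaction attributes: device_managed, network, time_of_day
    resource: Attrs   # resource attributes: sensitivity, view_roles, modify_roles
    action: str       # "view" or "modify"


# (rule name, applies-to predicate, satisfied predicate)
Rule = Tuple[str, Callable[[Request], bool], Callable[[Request], bool]]

# Authenticator types treated as phishing-resistant here (assumption for the example).
PHISHING_RESISTANT = {"piv", "cac", "fido2", "passkey"}
# Constructed policy window for changing sensitive records.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def is_sensitive(req: Request) -> bool:
    return req.resource.get("sensitivity") == "sensitive"


def is_modify(req: Request) -> bool:
    return req.action == "modify"


RULES: List[Rule] = [
    # Role must be on the resource's allow-list for this action (view vs. modify).
    ("role_permits_action",
     lambda r: True,
     lambda r: r.subject.get("role") in r.resource.get(r.action + "_roles", ())),
    # Any access to a sensitive resource needs a phishing-resistant authenticator.
    ("phishing_resistant_mfa_for_sensitive",
     is_sensitive,
     lambda r: r.subject.get("authenticator") in PHISHING_RESISTANT),
    # Changing a sensitive resource needs a managed device on the enterprise network.
    ("managed_device_and_trusted_network_to_modify_sensitive",
     lambda r: is_sensitive(r) and is_modify(r),
     lambda r: r.context.get("device_managed") is True
     and r.context.get("network") == "enterprise"),
    # ... and must happen inside the policy window (time of day as a transaction attribute).
    ("business_hours_to_modify_sensitive",
     lambda r: is_sensitive(r) and is_modify(r),
     lambda r: BUSINESS_HOURS[0] <= r.context.get("time_of_day", time(0, 0)) < BUSINESS_HOURS[1]),
]


def evaluate(req: Request) -> Tuple[str, List[str]]:
    """Return ("PERMIT", []) or ("DENY", [names of the rules that failed])."""
    failed = [name for name, applies, ok in RULES if applies(req) and not ok(req)]
    return ("PERMIT" if not failed else "DENY"), failed


# Constructed sample attributes.
CASE_RECORD = {"sensitivity": "sensitive",
               "view_roles": ("analyst", "admin"), "modify_roles": ("admin",)}
PUBLIC_FORM = {"sensitivity": "public",
               "view_roles": ("public", "analyst", "admin"), "modify_roles": ("admin",)}

ENTERPRISE_ADMIN = {"role": "admin", "authenticator": "piv"}
ANALYST = {"role": "analyst", "authenticator": "passkey"}
PUBLIC_USER = {"role": "public", "authenticator": "password"}

ON_PREM_DAY = {"device_managed": True, "network": "enterprise", "time_of_day": time(10, 30)}
ON_PREM_NIGHT = {"device_managed": True, "network": "enterprise", "time_of_day": time(22, 15)}
HOME_PHONE = {"device_managed": False, "network": "public", "time_of_day": time(10, 30)}


def demo() -> Dict[str, Tuple[str, List[str]]]:
    cases = {
        "admin modifies case record, managed device, daytime":
            Request(ENTERPRISE_ADMIN, ON_PREM_DAY, CASE_RECORD, "modify"),
        "admin modifies case record, managed device, night":
            Request(ENTERPRISE_ADMIN, ON_PREM_NIGHT, CASE_RECORD, "modify"),
        "admin modifies case record from personal phone":
            Request(ENTERPRISE_ADMIN, HOME_PHONE, CASE_RECORD, "modify"),
        "analyst views case record from personal phone":
            Request(ANALYST, HOME_PHONE, CASE_RECORD, "view"),
        "public user views public form":
            Request(PUBLIC_USER, HOME_PHONE, PUBLIC_FORM, "view"),
        "public user views case record":
            Request(PUBLIC_USER, HOME_PHONE, CASE_RECORD, "view"),
    }
    return {label: evaluate(req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (decision, failed) in demo().items():
        extra = f"  (failed: {', '.join(failed)})" if failed else ""
        print(f"{decision:6} {label}{extra}")
```

The same admin is permitted at 10:30 from a managed device and denied at 22:15 or from an unmanaged phone, while an analyst with a passkey may still view (but not modify) the same record from that phone: the decision moves with the transaction attributes, which is what distinguishes ABAC from a role check alone. Returning the failed rule names rather than a bare deny is what makes the denials useful to the fraud and security teams watching the logs.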

Authentication technologies are continuing to evolve as well. Personal Identity Verification (PIV) cards, Common Access Cards (CAC), Fast Identity Online (FIDO) tokens, hardware authenticators and passkeys for public-facing applications are helping to add layers of secure access.

“Any technology that can start to consolidate a smooth user experience with increased security is the kind of thing that can show a lot of value and gain a lot of traction. That’s why we’re so interested in things like passkey and FIDO authentication, as well as things like mobile wallets, and the credentials that reside inside them,” Galluzzo told Federal News Network’s Justin Doubleday.

Advancing multifactor authentication also comes with its challenges. Is the legacy system compatible with the MFA practices? What are the costs? How do you account for the constantly changing mobile access scenarios that could alter certain attribute-based controls?

Fraud management

The risk management process also requires multiple team viewpoints, including the security team, the privacy manager, the fraud management team and the customer service teams. Customer service is likely to be the first team to notice when something is broken, followed by usability engineers, who look at how the systems actually work. Fraud management teams don’t investigate, but take a proactive role in updating technical systems, potentially stopping a breach. This team integration ties back to cybersecurity threat feeds that keep systems updated on a consistent basis and provide information about evolving threats and new attacks on your identity system.

While NIST is already at work on SP 800-63 revision 4, the National Cybersecurity Center of Excellence is working on mobile driver’s license implementations, verifiable digital credentials and public-private sector use cases for financial, government and healthcare purposes.

“Wherever you can find that nexus of secure and usable, I think is a really interesting innovation point for the overall industry, as well as for folks like us who are looking to help standardize those things and make sure they’re interoperable and make sure they are providing a consistent degree of protection, as well as that usability,” Galluzzo said.

Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
