Case Study

Identity Management Solution Boosts Agency Security

Uniform identity vetting process provides consistency and security for internal and external accounts.

Challenge

A large federal agency with hundreds of thousands of external users needed a solution to authenticate and validate those users at login. The effort required modern technology, updates to the organization’s Zero Trust policies, and compliance with OMB Directive M-19-17, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management” [1]. That federal standard outlines how agencies must protect external user data and govern access through identity and credential management and access control methods.

The agency recognized that security measures for users outside the organization must differ from those applied to users within it, including vetting internal and external accounts to different degrees. The tools used to vet external users had to support proving both personhood (that a real person is behind the account) and identity (that the person is who they claim to be). For a new solution, the agency set the following criteria:

  • Collaboration with state and local entities
  • Management of external user identity authentication in a single “hub” with accounts managed at the application layer
  • Capability for external users to access the entire platform of applications (i.e., one identity, multiple accounts)
  • Standardized vetting for external users regardless of which application service(s) they access
  • Alignment with Zero Trust principles


Solution

The Guidehouse team led the selection and deployment of an identity provider (IdP) to consolidate identity data and authenticate external users before they access applications and data. The team also applied NIST 800-63-3, “Digital Identity Guidelines for Authentication Assurance Levels” [2], to the solution, which included:

  • Building the architecture to consolidate multiple instances of tools for enhanced federation
  • Incorporating requirements for sub-organizations
  • Integrating with other enterprise applications, such as Identity Governance and Administration tools, cloud storage tools, and security applications
  • Developing documentation, including the concept of operations (CONOPS) for administrators and users

While the implementation started with a smaller pilot, the organization, with Guidehouse’s support, is planning for and integrating hundreds of future applications. This effort will consolidate other legacy IdPs into the new IdP solution. Guidehouse is also providing training for end users, administrators, and help desk personnel to support deployment and day-to-day use of the solution.


Impact

The platform enables secure, phishing-resistant authentication and single sign-on (SSO) for all internal and external users accessing the agency’s information systems and networks. The IdP met the agency’s criteria and enhanced security for the organization by placing internal users in one hub and external users in another, while both run on the same IdP platform.

The solution also simplified the vetting of identities tied to application accounts by placing that responsibility, and its risk, with the application owners. These outcomes have enabled stronger security controls for the department and streamlined login processes across applications.


[1] OMB M-19-17, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management”, Memorandum for Heads of Executive Departments and Agencies, May 21, 2019 (whitehouse.gov).

[2] NIST Special Publication 800-63-3, “Digital Identity Guidelines”, June 2017 (nist.gov).
