7 Key Requirements for Deploying Derived PIV for US Federal Agencies

Federal agencies face unique challenges when it comes to deploying Derived Personal Identity Verification (PIV) credentials. Legacy Identity, Credential, and Access Management (ICAM) and Public Key Infrastructure (PKI) can make this process complicated, expensive, and sometimes simply not practically achievable. However, security mandates and the massive adoption of smartphones, tablets, and laptops that don't support card readers make solving this problem urgent for federal IT security and identity and access management teams. This article provides a blueprint for meeting procurement, security, compliance, operations, speed, flexibility, and integration requirements. Broad deployment of Derived PIV credentials can be both achievable and affordable.

Procurement

The procurement process for Derived PIV credentials should be streamlined and cost-effective. Look for solutions available through the General Services Administration (GSA) Multiple Award Schedule (MAS) and NASA Solutions for Enterprise-Wide Procurement (SEWP) contract vehicles. Government-focused partners such as Carahsoft, GuidePoint Security, Red River, Thundercat Technology, and 4points Technology can also simplify procurement by putting an integrated solution into a single purchase order.

Look for FedRAMP authorized solutions that meet Executive Order 14271 (Ensuring Commercial, Cost-Effective Solutions in Federal Contracts). You can also fast-track the procurement process by using commercial Federal Acquisition Regulation (FAR) frameworks, Other Transaction Agreements (OTA), and Commercial Solutions Openings (CSO). Finally, look for contracts that tie Derived PIV solution payments to well-defined performance metrics, such as improving your Federal Information Security Modernization Act (FISMA) score.

Security

Security is paramount in any federal deployment. Too often, security is sacrificed when workers must use phones, tablets, and other devices not equipped with PIV card readers, or when they work in hazardous or remote locations. In these cases, they may fall back on common workarounds that rely on username-and-password authentication. These approaches are not phishing resistant and do not meet the minimum federal security requirements for access.

Executive Order 14028 emphasizes the need for robust cybersecurity measures across federal agencies. Derived PIV credentials meet this mandate, which requires the implementation of strong authentication mechanisms to protect against cyber threats and ensure the integrity of federal information systems.

The Office of Management and Budget (OMB) Memorandum M-22-09 mandates the use of phishing-resistant multi-factor authentication (MFA) for federal agencies. Derived PIV credentials meet this requirement by offering a secure method of authentication that is resistant to phishing attacks. Look for Derived PIV solutions with simple self-enrollment processes that can immediately upgrade access security to meet phishing-resistant MFA and minimum ICAM requirements.

Finally, look for vendors with well-thought-out internal security practices who prioritize support for federal security mandates and who conduct regular security audits and continuous monitoring. Indicators of an ICAM security-focused vendor mindset include adopting strong ICAM for their own internal use and making the effort to achieve security-related compliance certifications such as FedRAMP authorization and SOC 2 attestation.

Operational Efficiency

Operational efficiency is crucial for the successful deployment of Derived PIV credentials. Manual issuance and management processes are too cumbersome to be effective at scale.

Favor Derived PIV solutions whose self-enrollment process is genuinely simple enough for workers to complete on their own, and watch out for systems that claim to offer self-enrollment but in practice always require a tech support call to complete it.

Automating credential issuance and management can reduce the administrative burden on IT staff. However, it is one thing for vendors to claim they provide automated self-service systems and another for those systems to be usable without heavy technical support overhead. When evaluating a Derived PIV system, analyze both the admin experience and the worker experience to ensure self-service automations are actually navigable by the user and don't generate a high volume of help desk calls.

Compliance

Derived PIV credentials are essential for ensuring compliance with various federal mandates. By implementing Derived PIV credentials, agencies can meet the requirements of Executive Order 14028, OMB M-22-09, FIPS 201, NIST SP 800-63, NIST SP 800-157, CMMC 2.0, and DAFMAN 17-1304. These standards provide guidelines for the issuance, management, and use of PIV and Derived PIV credentials.

An optimal Derived PIV solution should provide comprehensive compliance reporting. This ensures that all activities related to Derived PIV credentials are documented and can withstand scrutiny during compliance reviews. Additionally, adherence to the Office of Management and Budget (OMB) Circular A-130 and the Homeland Security Presidential Directive 12 (HSPD-12) is essential for maintaining compliance with federal mandates regarding information security and privacy.

The Derived PIV solution you implement should include a comprehensive approach to compliance and security that helps protect federal information and ensures the integrity of federal operations.

Speed of Deployment

Speed of deployment is a critical factor for federal agencies. An optimal solution should offer rapid provisioning and de-provisioning of credentials. Cloud-based solutions can enhance scalability and speed, enabling agencies to respond quickly to changing requirements and user needs. Solutions that support automated workflows and self-service capabilities can further expedite the process. Evaluate any potential Derived PIV solution to be sure its automations and integrations don't require additional middleware or custom contracted services to implement.

Modern cloud solutions come with inherent benefits for speed and convenience, but be sure to look for FedRAMP authorized offerings. If you require a hybrid, on-prem, or air-gapped deployment because you run classified, remote, or disconnected environments, make sure your chosen solution supports those deployment options.

Flexibility

Flexibility is essential. Evaluate Derived PIV solutions against your agency's use cases. Will automated enrollment cover temporary, remote, and cross-agency access? Do you need a solution that works in hazardous environments not suited to using a PIV card? Is it easy to link the Derived PIV credential into the "chain of trust" for your user devices?

Solutions should support various form factors, including smart cards, security keys, mobile devices, FIDO, and PKI/certificate-based authentication (CBA). This flexibility ensures that agencies can choose the most appropriate method for each use case. Additionally, Derived PIV support for off-the-shelf devices without card readers and for Bring Your Own Device (BYOD) policies delivers enhanced security (including identity proofing) and user convenience, and eliminates spending on specialized devices.

Integration

Integration with existing systems is a key consideration for any Derived PIV credential solution. The solution should seamlessly integrate with current ICAM and PKI infrastructures, as well as other systems such as HR, finance, resource management, ticketing, and access control systems. This ensures a cohesive and unified approach to identity management across the agency.

A Derived PIV solution should not require you to rip and replace existing systems (unless you want to replace them). It is possible to add Derived PIV solutions that integrate with existing ICAM and PKI systems out of the box to further streamline credential lifecycle management. Specific integrations with solutions such as Microsoft, Okta, Ping/ForgeRock, MDMs, and legacy Certificate Authorities such as Entrust can streamline deployment and ensure a cohesive identity management strategy.

Finally, avoid Derived PIV systems that require you to install and maintain middleware on endpoints. It is nearly impossible to support a BYOD program with a solution that requires installing and maintaining software on personal devices. Beyond the expense of such a time-consuming support activity, many end users simply won't allow you to do it.

Conclusion

Deploying Derived PIV credentials in US federal agencies requires a comprehensive approach that addresses procurement, security, compliance, operations, speed, flexibility, and integration requirements. By using pre-approved vendors, adhering to stringent security standards, ensuring compliance, automating operations, and integrating with existing systems, federal agencies can effectively solve Derived PIV use cases and enhance their overall security posture in a budget-conscious manner.

For ICAM and PKI buyers, selecting a solution that meets these criteria is essential for a successful deployment. With the right approach, federal agencies can achieve a secure, efficient, and compliant Derived PIV credential system that meets their unique needs.

Learn more about Axiad Derived PIV solutions.