This blog post is an excerpt from GovLoop’s recent guide “Your Guide to Identity and Access Management.”
The identity, credential and access management (ICAM) program at the Agriculture Department (USDA) started about 16 years ago with the E-Authentication Initiative. It has evolved since then to support more than 120,000 employees and 750,000 public users.
Adam Zeimet, Branch Chief for ICAM at USDA, has been with the program since it started. He talked to GovLoop about central considerations to ICAM at the agency.
The responses below have been lightly edited for brevity and clarity.
GOVLOOP: The USDA is making it easier for farmers to access services online, such as paying loans. Are you involved in these efforts?
ZEIMET: Yes. We support a lot of that on the backend. I think that as more of those kinds of citizen interactions move online, we have to focus on how we establish trust in those users and verify them, but also do it in a way where we can prioritize customer-focused experiences. Our CIO [chief information officer] likes to say customer-obsessed experiences have probably never been more important than they are now. The challenge for us is enabling enterprise-grade security for these types of systems, but with consumer-grade experiences. The expectation of the user experience that the average user — and especially public citizens — has now is high, and the government is no exception.
GOVLOOP: What issues are top of mind for you as an ICAM professional in government?
ZEIMET: On a broad scale, I want to shape ICAM from being seen as just a domain of cybersecurity, or even just compliance, which is how it’s been thought about for a long time. It should be something that is a strategic partner and value-add enabler for the business and the mission that the agencies are trying to serve.
GOVLOOP: What does being a strategic partner look like? Does that mean that you’re a part of the conversation early on when people are talking about launching a digital service or doing something new online?
ZEIMET: A lot of these kinds of things come from being a part of the team and not bolting things on afterward. I think that applies to the security aspect, but it applies to the user experience aspect as well. As we move to more and more digital services, especially citizen-interaction-type things, it’s impossible to plan those initiatives without planning for how we get the users that need access to the system into it. How do we deliver services directly to users?
I think it’s impossible to build and plan those services without accounting for how identity and access should be incorporated into that. Really starting to drive that kind of identity-centric thinking, whether we’re planning services or initiatives like moving to the cloud, moving workloads to the cloud outside of the traditional security perimeter, mobile as that applies to employees or citizens: all of those little things require identity-centric planning when security and those user experiences are being planned for.
GOVLOOP: Are there any trends in this space that we should focus on? Any challenges in particular?
ZEIMET: I think cloud mobility, artificial intelligence and robotic process automation are becoming big things. All of those represent a fundamental shift for what IAM [identity and access management] programs need to be able to focus on. Especially in government, I think that the era of focusing on smart cards is really over, and we need to be expanding ICAM to look at more of these types of services and how we support them. I think ICAM is an enabling platform for those kinds of initiatives.
As it relates to ICAM, I think user experience and automation and increasingly building in security from the start are some of the key items for what all those things mean for ICAM. ICAM needs to help enable broader digital transformation.
GOVLOOP: You mentioned artificial intelligence (AI) and robotic process automation (RPA), and when I think about those technologies in particular, it’s almost like bots have identities. Can you speak to the relationship among AI, RPA and ICAM and how you view your role in enabling that?
ZEIMET: To say that bots have a sort of identity is absolutely the right way to think about it. The entity on the network has access — it is often quite a bit of access — and the same access that a human might have in various systems. So, it’s really essential that those identities — nonperson identities but identities nonetheless — be managed.
The whole goal of RPA is to streamline processes and automate simple tasks to the greatest extent. So with that, a lot of those tasks are going to include access to systems, authenticating things, being accepted or rejected for the types of things that they’re trying to do. We have to be able to automate the issuance of those robotic-type identities and the types of credentials that they have, make sure that their credentials are just as strong as the credentials that a human would be using, and do it in a way that streamlines those processes.
GOVLOOP: Is there something you’re actively looking at or focusing on now? What kind of state are you in?
ZEIMET: I think USDA is just starting to look at those kinds of capabilities and where they can be implemented into the different agency workflows that exist. From an ICAM perspective, I think our goal right now is to modernize our systems and capabilities so that we can have a platform that supports those initiatives when they really begin in earnest.
GOVLOOP: Are any current projects or efforts related to ICAM under way? What are the objectives of those efforts?
ZEIMET: We’re working to modernize our ICAM platform specifically around identity lifecycle management and our authentication services. The goal there is to increase automation around identity and around the assignment and granting of access, but also improving user experience.
We recently finished implementing Phase 2 of the Homeland Security Department’s CDM [Continuous Diagnostics and Mitigation] program. The CDM program was a huge accelerator for us on these different modernization efforts that we’ve been undertaking as we try to continuously improve and evolve our ICAM capabilities.
We are also rolling out a Derived PIV [personal identity verification] credential solution for our mobile devices, which enables us to get away from passwords and get our mobile computing infrastructure compliant with HSPD-12. With the release of OMB’s [Office of Management and Budget’s] new ICAM policy, we are also looking to expand this to other credential types.