Driven by recent events and several White House and Congressional directives, federal agencies are focused on identity management like never before. With all this pressure, agency leaders face a difficult task ensuring secure access to agency resources by the right people, at the right time, and for the right reasons, without restricting the organization’s operational effectiveness.
2. Purpose
Driven by White House and Congressional directives such as HSPD-12, the National Strategy
for Trusted Identities in Cyberspace (NSTIC), Insider Threat Task Force, and FICAM, federal
agencies are focused on identity management like never before. Agency leaders face a difficult
task in ensuring secure access to agency resources by the right people, at the right time, and for
the right reasons, without restricting the organization’s operational effectiveness.
Understanding the difficult task of balancing these two priorities, Government Business Council
(GBC), Symantec, and HP undertook a study to explore the current state of identity and access
management (IAM) in the federal government.
Methodology
To assess the perceptions, attitudes, and experiences of federal executives regarding IAM, GBC
deployed a survey to a sample of Government Executive’s online and print subscribers in
December 2013. The pool of 975 respondents includes those of GS-11 through 15 grade
levels and members of the Senior Executive Service in defense and civilian agencies.
3. Table of Contents
1 Executive Summary
2 Respondent Profile
3 Research Findings
   i. Current State of Federal IAM
   ii. Security Concerns Can Limit Mission
   iii. The Need for an Identity Ecosystem
   iv. Public-Private Partnerships in IAM
4 Final Considerations
5. Executive Summary
Federal leaders are confident in identity management within their own agencies
A majority of respondents (72 percent) are confident or very confident in their agency’s ability to
ensure appropriate physical access to resources. Slightly fewer (63 percent) are equally confident in
their agency’s ability to ensure appropriate logical access. For many, the two are linked: 71 percent of
respondents indicate that their agencies have integrated physical and logical IAM.
Outside of one’s own agency, security concerns limit collaboration
Nearly all respondents interact with groups outside of their agency, but security concerns limit their
ability to provide services to these groups over the Internet. While respondents view the growth of
mobile devices as an opportunity to improve collaboration, security concerns have limited their
uptake in federal agencies.
An “Identity Ecosystem” that links an electronic identity across multiple platforms could improve
collaboration and efficiency while lowering costs
The idea of a common framework for establishing trusted identities is a new concept for some federal
leaders, but anticipated effects are largely positive. A majority of respondents expect an “Identity
Ecosystem” to increase efficiency and confidence in using online services, among other benefits. To
create an “Identity Ecosystem,” respondents are open to public-private partnerships, but security,
privacy, and liability concerns will need to be addressed.
7. Survey respondents are senior federal executives
[Charts: Job Grade (SES, GS/GM-15, GS/GM-14, GS/GM-13, GS/GM-12, GS/GM-11, Other) and Reports/Oversees (Over 200, 51-200, 21-50, 6-20, 1-5, None).]
78% of respondents are GS/GM-13 or above
59% of respondents oversee at least one report
Percentage of respondents, n=975
8. Most respondents work in operations
Job Function
▶ Most respondents work in operations, a category that includes program/project managers and logistics specialists.
▶ “Other” includes categories such as legal, research, management, technical professionals, and auditors.
Operations: 32%
Human capital: 12%
Engineering: 11%
Finance: 8%
Acquisition and procurement: 6%
Legislative: 5%
Information technology: 5%
Facilities, fleet and real estate management: 3%
Communications and telecommunications: 3%
Other: 16%
Percentage of respondents, n=975
9. Most Represented Agencies
Department of Treasury
Office of Personnel Management
Department of Agriculture
Small Business Administration
Department of the Interior
United States Postal Service
Department of Transportation
Department of Homeland Security
Department of Commerce
United States Agency for International Development
General Services Administration
Nuclear Regulatory Commission
Environmental Protection Agency
Department of Health and Human Services
National Aeronautics and Space Administration
Department of Veterans Affairs
Social Security Administration
National Science Foundation
Department of Housing and Urban Development
Executive Office of the President (including OMB)
Department of Energy
Department of Defense (OSD, DISA, DIA, DLA, etc.)
Department of Labor
Department of Justice
United States Government Accountability Office
Department of the Army
Department of State
Other independent agency
Department of Education
Agencies listed in order of frequency
12. What is Identity and Access Management?
▶ As used in this report, identity and access management (IAM) refers to a security practice that ensures access by the right people, at the right time, and for the right reasons.
▶ IAM can be used in reference to both physical access (e.g., to facilities, areas, or rooms) and logical access (e.g., to networks or files).
13. Federal leaders are confident in IAM within
their own agencies
Physical access (e.g., to facilities, areas, rooms): 72% of respondents are very confident or confident
Very confident: 29%
Confident: 43%
Somewhat confident: 21%
Not confident: 7%
Don’t know: 1%
Logical access (e.g., to networks, files): 63% of respondents are very confident or confident
Very confident: 19%
Confident: 44%
Somewhat confident: 26%
Not confident: 8%
Don’t know: 2%
Percentage of respondents, n=975 and n=974, respectively
14. For many, physical and logical access are
interconnected
Has your department/agency integrated physical and logical IAM?
▶ A majority of respondents indicate that their agencies have integrated physical and logical IAM.
▶ Typically, integration involves using a common card or device to access the agency’s building and computer networks.
Yes: 71%
No, but considering: 15%
No, not considering: 5%
Don’t know: 9%
Percentage of respondents, n=974
16. 94% of federal leaders interact with external
groups, especially other agencies
Groups interacted with through the course of work
Other federal departments/agencies: 85%
Citizens: 56%
State, local, regional government departments/agencies: 56%
Industry partners: 49%
Other: 8%
None of the above: 6%
27% of respondents interact with other federal agencies, citizens, state/local/regional government agencies, and industry partners
Percentage of respondents, n=972
17. Security concerns limit service provision
A majority of respondents (68 percent) indicate that security concerns limit online service
provision. Even those who are currently providing services to citizens believe they are limited:
72 percent identify limits to online service provision.
Security concerns prevent my department/agency from offering certain services online.
68% of respondents agree or strongly agree
Strongly disagree: 9%
Disagree: 22%
Agree: 44%
Strongly agree: 24%
Percentage of respondents, n=825
“Don’t know” not included
18. Mobile devices offer an opportunity to
enhance interaction with external groups
Mobile device usage presents an opportunity for my department/agency to enhance interaction with other groups.
81% of respondents agree or strongly agree
Strongly disagree: 9%
Disagree: 10%
Agree: 57%
Strongly agree: 24%
Percentage of respondents, n=863
“Don’t know” not included
19. …but security concerns limit mobile expansion
Security concerns present an obstacle to my department/agency using mobile devices to interact with other groups.
65% of respondents agree or strongly agree
Strongly disagree: 5%
Disagree: 30%
Agree: 46%
Strongly agree: 19%
Percentage of respondents, n=809
“Don’t know” not included
20. The lack of a common framework for
establishing trusted identities limits interaction
with external groups
The lack of a common framework for establishing trusted identities limits my department/agency’s interaction with other groups.
57% of respondents agree or strongly agree
Strongly disagree: 7%
Disagree: 36%
Agree: 41%
Strongly agree: 16%
Percentage of respondents, n=645
“Don’t know” not included
22. The White House has called for the creation of
an “Identity Ecosystem”
▶ April 2011’s National Strategy for Trusted Identities in Cyberspace (NSTIC) highlights the need for an “Identity Ecosystem” where individuals and organizations leverage universally-recognized digital identities to securely interact with one another.
▶ By linking an individual’s electronic identities across multiple websites, NSTIC envisions that the “Identity Ecosystem” will provide online services in a manner that promotes confidence, privacy, choice, and innovation.
National Strategy for Trusted Identities in Cyberspace, April 2011.
23. Federal leaders expect largely positive effects
from the creation of an “Identity Ecosystem”
Sizable numbers of respondents are unsure of the effect that an “Identity Ecosystem” will
have on efficiency, confidence, cost-effectiveness, citizen service quality, privacy, help desk
calls, and security (23-34 percent select “don’t know”). Of those respondents who have an
opinion, most anticipate positive effects:
Expected effects of an Identity Ecosystem
[Chart: share of respondents expecting an increase, no change, or decrease in each of: efficiency, confidence in using online services, cost-effectiveness, quality of citizen services, privacy protections, help desk calls, security risks.]
Percentage of respondents, n varies
“Don’t know” not included
24. Respondents identify additional benefits of an
“Identity Ecosystem,” including…
“Better data quality.”
“Streamlined security clearance processes and better tracking of individuals.”
“The ability to work more effectively outside the office environment. It would give me access to sites that I need to use but are restricted if not on a government system.”
“Improved intergovernmental activities.”
Sampling of open-ended responses
25. “Identity Ecosystem” may be far off
How soon do you think government could achieve an “Identity Ecosystem”?
0-1 years: 2%
2-5 years: 30%
6-10 years: 24%
More than 10 years: 11%
Never: 3%
Don't know: 30%
56% of respondents think government can achieve Identity Ecosystem in the next 10 years
Percentage of respondents, n=971
27. To reach “Identity Ecosystem,” the federal
government supports public-private
partnerships in IAM
“The private sector will lead the
development and implementation of this
Identity Ecosystem, and it will own and
operate the vast majority of the services
within it.”
-National Strategy for Trusted Identities in
Cyberspace, April 2011
"The Obama administration is
committed to supporting public-private partnerships that both enhance
consumer privacy and ensure the
Internet remains a driver of innovation
and economic growth."
-Secretary of Commerce Penny Pritzker,
September 2013
National Strategy for Trusted Identities in Cyberspace, April 2011.
NIST.gov, “NIST Awards Grants to Improve Online Security and Privacy,” September 2013.
28. Though few respondents are opposed to public-private partnerships in IAM, many are unsure
Opinion of public-private partnerships in IAM
[Chart: share of respondents selecting Support, Neither support nor oppose, Oppose, or Don't know.]
Percentage of respondents, n=970
29. Security, privacy, and liability top the list of
concerns about public-private partnerships in
IAM
Concerns about public-private partnerships in IAM
[Chart: share of respondents citing each concern: Security, Privacy, Liability, Changes in work/operational flows, Vendor lock-in, Loss of IT jobs, Other, Don't know, None of the above.]
Percentage of respondents, n=965
31. When considering an IAM strategy in your
agency…
Make room for mobile.
Though federal agencies may be late mobile adopters, citizens using government services are
more and more likely to be doing so from a mobile device. As this trend continues, providing a
secure, usable mobile interface for citizen services will be essential to mission effectiveness.
Look to agencies already experiencing IAM success.
The Federal Cloud Credential Exchange (FCCX), run by GSA and USPS, is a good look into the
future of identity management. FCCX will unify six different civilian agencies using FICAM
authentication standards to allow the public to securely access online services through a single
sign-on. This streamlined authentication will reduce costs for participating agencies, while
providing a “secure, privacy-enhancing, easy-to-use-solution.”
Count all costs, including the hidden expense of forgotten passwords.
Forgotten passwords are expensive. Agencies should look at how they can reduce operational
costs by passing those expenses on to credential service providers—federal or commercial—
who can unify services around a single sign-on.
USPS participating in creation of digital Federal Cloud Credential Exchange program
32. Underwritten by
About HP and Symantec
For over 20 years, HP and Symantec have
delivered joint technology solutions and services
that enable organizations worldwide to secure
and manage their most critical information. HP
integrates Symantec into security, storage,
server, and client solutions, and delivers
enterprise services based on market-leading
Symantec solutions.
33. About GBC
Our Mission
Government Business Council (GBC), the research arm of
Government Executive Media Group, is dedicated to
advancing the business of government through analysis and
insight. GBC partners with industry to share best practices
with top government decision-makers, understanding the
deep value inherent in industry’s experience engaging and
supporting federal agencies.
Contact
Zoe Grotophorst
Manager, Research & Strategic Insights
Tel. 202.266.7335
zgrotophorst@govexec.com
govexec.com/GBC
@GovBizCouncil