U.S. General Services Administration
Are You Securing Your Digital Workforce?
Post filed in: Emerging Technology
What’s A Digital Workforce?
A digital workforce is made up of digital workers, which are automated, software-based tools, applications, or agents that perform a business task or process. These processes are performed similarly to a human user and are driven by Artificial Intelligence or other autonomous decision-making processes. OMB memo 19-17 requires agencies to ensure the digital identity of digital workers are “distinguishable, auditable, and consistently managed.” Are you securing your digital workers?
How Do Agencies Use Digital Workers?
Federal agencies use digital workers to automate processes, increase efficiencies, and discover insights from large volumes of data. Digital workers may interact with or use sensitive information to perform unattended, high-risk tasks, which may critically impact an agency's mission. It is common for agencies to use existing, human-based processes to create a digital worker identity. However, this may hinder a digital worker's access or success. GSA is excited to share a playbook that addresses the challenges in determining digital worker risk and outlines a process to establish a digital worker identity.
Guidance For Agencies
GSA’s Office of Government-wide Policy developed the Digital Worker Identity Playbook. This playbook helps Identity, Credential, and Access Management (ICAM) teams as well as CIO and CISO offices at federal agencies determine the risk of and define a process for digital worker identity management.
Ensuring digital workers are distinguishable, auditable, and consistently managed is a challenge for agencies. Most often they attempt to use human worker processes which may hinder digital worker creation or access, such as assigning system or group accounts with excessive privileges or not using attributes to uniquely identify a digital worker from other human or non-digital workers. The playbook’s three step process outlines how to identify a digital worker's potential for adverse impact or risk, the requirements to create and govern an identity based on this risk, and what to track for accountability and auditing. Agencies can use this playbook to uniquely identify and monitor automated technologies and decrease the creation of overly privileged or unauthorized accounts for digital workers. Employing least privilege, separation of duties, and regular access recertification enhances security posture and improves auditability and incident response analysis when managing your digital workforce.
Join Our Communities!
This playbook is iterative and agencies are encouraged to collaborate, share best practices, and lessons learned. Federal employees may consider joining the below committee or community of practice to learn and engage in digital worker identity management.