GSA Blog

Managing digital identity risk

The GSA Office of Government-wide Policy is here to help federal agencies implement a digital identity risk assessment process. We’ve helped agencies identify and implement entire risk assessment processes or streamline portions of existing processes or tools.

What is a digital identity risk assessment (DIRA)?

A DIRA is a method to identify the identity-related transaction risks within an application. It is a process to apply digital identity risk management as required by OMB Memorandum 19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management, and National Institute of Standards and Technology (NIST) Special Publication 800-63-3 Digital Identity Guidelines. Most federal agencies offer digital services through an IT system or application to their employees, other agencies, and the public. To access an application, users may need to provide identity information, create an account, and log in. These actions are factors in a digital identity risk assessment.

NIST used feedback from industry, and consulted and worked with the White House and the Office of Management and Budget to more closely match how the private sector does digital identity. The output of a digital identity assessment process will provide the minimum individual assurance levels an agency should consider implementing within their application. Here’s a basic description of each individual assurance level:

• Identity assurance aligns with identity proofing to help establish the individual is who they claim to be.
• Authenticator assurance (not authentication) provides reasonable assurances that the individual accessing the application is the same individual who previously accessed the service.
• Federation assurance is confidence in using assertions to communicate identity or authentication information across applications or across agencies.

How should my agency implement a DIRA?

Use the DIRA Playbook. This playbook was written as a governmentwide, technology-agnostic resource to implement a DIRA process.

Follow these five main steps to implement a DIRA:

1. Identify users, transactions, and roles. Identify the users and transaction information as well as the application’s functional and business roles.
2. Identify risks and assurance levels. Determine the digital identity risk for each assurance category by assessing the impacts for each community of user, user type, common role, and transactions identified in step 1.
3. Determine steps to meet assurance levels. Analyze available technology and solutions at your agency, determine if they suffice to meet the application needs, and identify what you need to implement.
4. Finalize digital identity assessment statement. Formalize the results of the assessment process with a Digital Identity Acceptance Statement (DIAS) (template included as an appendix in the DIRA Playbook).
5. Reassess. Your digital identity reassessment may be driven by time or events; it means you’re reassessing the DIRA.

The playbook includes more plays to help integrate, streamline, and potentially automate the process.

Email icam@gsa.gov to set up a discovery session or ask questions.