GSA’s Office of Government-wide Policy is pleased to announce the Identity Lifecycle Management (ILM) Playbook, designed for identity program managers, and enterprise and application architects interested in modernizing their identity management process for federal employees. This practical guide helps federal agencies understand how to shift their focus from managing employee access based on credentials to managing the lifecycle of identities as outlined in section III of OMB Memo 19-17. This will help agencies achieve an enterprise Identity, Credential, and Access Management (ICAM) system that is agile enough to support technology modernization and aligns with the Federal Identity, Credential, and Access Management (FICAM) architecture.
The ILM playbook defines ILM as the stages of a digital identity from creation to deactivation. This lifecycle is also known as the joiner-mover-leaver process. The intent of implementing lifecycle management is to ensure an agency has visibility into all digital identities it controls. For example:
- Ensure only active employees can access federal resources;
- Remove access when employees haven’t completed the required security training;
- Ensure least privilege is enforced when accounts are created or a user changes roles; and
- Implement fine-grained access control using attributes.
This playbook also assists agencies in understanding how to support FIDO2 phishing-resistant authenticators, as outlined in the identity section of OMB Memo 22-09. Agencies can use this playbook to:
- Understand identity lifecycle management; and
- Identify the steps to create and integrate identity lifecycle management within an agency.
The playbook also outlines a four-step process that an agency can utilize to implement identity lifecycle management:
- Document the purpose and goals of identity lifecycle management in an agency policy;
- Architect a solution based on either using a virtual directory or an identity governance and administration (IGA) tool;
- Create a master user record that aggregates digital identity attributes, entitlements, accounts, credentials, and other information; and
- Integrate identity lifecycle management into agency enterprise services.
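The joiner-mover-leaver process and the master user record described above, as an added example that is not part of the playbook itself: a reconciliation routine that applies an HR feed to constructed master user records, enforcing the outcomes listed earlier (only active employees keep access, access is withheld until required training is complete, and a role change grants only the new role's entitlements). The record structure, role policy and sample data are assumptions for illustration.

```python
from dataclasses import dataclass, field
# Constructed master user record: aggregates one identity's HR attributes, status and entitlements.
@dataclass
class MasterUserRecord:
    identity_id: str
    status: str                  # "active" or "separated"
    role: str
    training_complete: bool
    entitlements: set = field(default_factory=set)
# Hypothetical role-to-entitlement policy: each role gets only what it needs.
ROLE_ENTITLEMENTS = {"analyst": {"email", "reporting"},
                     "admin": {"email", "reporting", "directory-admin"}}

def reconcile(hr_feed, records):
    """Apply joiner-mover-leaver rules from an HR feed to the records; return decisions."""
    decisions = []
    for person in hr_feed:
        rec = records.get(person["id"])
        if rec is None:                            # joiner: create the master user record
            rec = records[person["id"]] = MasterUserRecord(person["id"], "active", person["role"], False)
            event = "joiner"
        else:
            event = "mover" if rec.role != person["role"] else "unchanged"
        rec.status, rec.role = person["status"], person["role"]
        rec.training_complete = person["training_complete"]
        if rec.status != "active":                 # leaver: remove all access
            event, rec.entitlements = "leaver", set()
        elif not rec.training_complete:            # hold access until training is complete
            event, rec.entitlements = "training-hold", set()
        else:                                      # least privilege: current role's entitlements only
            rec.entitlements = set(ROLE_ENTITLEMENTS.get(rec.role, ()))
        decisions.append((rec.identity_id, event, frozenset(rec.entitlements)))
    fed_ids = {p["id"] for p in hr_feed}
    for ident, rec in records.items():             # absent from HR feed: treat as a leaver
        if ident not in fed_ids and rec.status == "active":
            rec.status, rec.entitlements = "separated", set()
            decisions.append((ident, "leaver", frozenset()))
    return decisions

def demo():
    # Constructed sample: a mover (u1), a leaver (u2), a joiner with training pending (u3),
    # and an identity dropped from the HR feed (u4).
    records = {"u1": MasterUserRecord("u1", "active", "analyst", True, {"email", "reporting"}),
               "u2": MasterUserRecord("u2", "active", "admin", True, set(ROLE_ENTITLEMENTS["admin"])),
               "u4": MasterUserRecord("u4", "active", "analyst", True, {"email", "reporting"})}
    hr_feed = [{"id": "u1", "status": "active", "role": "admin", "training_complete": True},
               {"id": "u2", "status": "separated", "role": "admin", "training_complete": True},
               {"id": "u3", "status": "active", "role": "analyst", "training_complete": False}]
    return reconcile(hr_feed, records)
```

Running `demo()` yields one decision per identity; an agency implementation would feed these decisions to its directory or IGA tool rather than returning them.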
Agencies are encouraged to tailor this playbook to fit their unique organizational structure, requirements, and mission needs. Other IT program participants, including program managers and application teams, may find value in incorporating this playbook approach in their planning as well.
Join our communities!
This playbook is iterative, and agencies are encouraged to collaborate and share best practices and lessons learned. Join the committee or community of practice linked below to learn about and engage in ILM.