ABAC is coming (a)back.

The Government has previously shown a considerable interest in Attribute Based Access Control (ABAC) as a means to improve information sharing and IT security. For those not aware, ABAC is a method of logical access control where a subject’s request to perform operations on objects is granted or denied based on the attributes assigned, the current environmental conditions, and a set of policies that are defined for those attributes and conditions. In other words, it externalizes an application’s controls and uses dynamic policy based on user and object attributes.
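As an added illustration of the definition above (constructed example code, not from the original post or from eMentum), a small Python policy decision point evaluates subject, resource and environment attributes against a rule set; the attribute names, rules and sample subjects are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable
# Constructed example, not code from the original post: a minimal ABAC policy
# decision point. Subject, resource and environment attributes are evaluated
# against ordered rules; the first match decides, and no match means deny.
LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
@dataclass
class Request:
    subject: dict      # e.g. clearance, projects (need-to-know), id
    action: str        # "read" or "write"
    resource: dict     # e.g. classification, project, owner
    environment: dict  # e.g. current date and hour (environmental conditions)
@dataclass
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    condition: Callable[[Request], bool]
POLICY = [
    # Environmental/temporal attribute: an expired clearance denies everything.
    Rule("deny-expired-clearance", "deny",
         lambda r: r.subject["clearance_expires"] < r.environment["date"]),
    # Classified material is only reachable during business hours.
    Rule("deny-classified-outside-hours", "deny",
         lambda r: r.resource["classification"] != "unclassified"
         and not 8 <= r.environment["hour"] < 18),
    # Read requires clearance level >= classification AND need-to-know.
    Rule("permit-read-cleared-need-to-know", "permit",
         lambda r: r.action == "read"
         and LEVEL[r.subject["clearance"]] >= LEVEL[r.resource["classification"]]
         and r.resource["project"] in r.subject["projects"]),
    # Write is limited to the resource owner (an object attribute).
    Rule("permit-owner-write", "permit",
         lambda r: r.action == "write" and r.subject["id"] == r.resource["owner"]),
]

def decide(req: Request) -> tuple:
    """Return (effect, rule_name); first-applicable combining, default deny."""
    for rule in POLICY:
        if rule.condition(req):
            return rule.effect, rule.name
    return "deny", "default-deny"
def demo() -> list:
    alice = {"id": "alice", "clearance": "secret",
             "clearance_expires": "2025-12-31", "projects": ["flood-response"]}
    doc = {"id": "doc-42", "classification": "confidential",
           "project": "flood-response", "owner": "bob"}
    return [decide(Request(alice, "read", doc, {"date": "2025-06-01", "hour": 10})),
            decide(Request(alice, "read", doc, {"date": "2025-06-01", "hour": 22})),
            decide(Request(alice, "write", doc, {"date": "2025-06-01", "hour": 10})),
            decide(Request(alice, "read", doc, {"date": "2026-01-15", "hour": 10}))]
```

The same subject and document yield different decisions as the action and environment attributes change, which is the dynamic, externalized policy the post describes.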

Updating existing access control infrastructures to ABAC was a high priority that was, in part, a reaction to very real events in our nation that highlighted the need for a more dynamic, adaptable and logical access control method to protect its resources. In 2005, Hurricane Katrina emphasized the need for multiple federal and state or local agencies to share information in a dynamic and flexible manner.  The WikiLeaks Incident in 2010 highlighted the government’s needs to further protect and secure its classified materials.

Between 2009 and 2014, the government highlighted the need to move towards the ABAC model by releasing policy and guidance, starting with the FICAM roadmap and culminating in NIST Special Publication 800-162, which provided a clear definition of ABAC and guidance for implementing it. Since then, very little guidance has been released. It appears the government has not made a great deal of progress on its implementation as a whole. ABAC projects were started and then funding was cut. So what happened? Is it no longer considered a priority?

To start with, implementing ABAC is an incredibly challenging task that does not happen overnight. It requires a change in the way people administer their applications and data, causing a change in business and technical processes. It requires an infrastructure with a mature identity management solution in place that assigns and controls attributes. Sharing attributes across agencies requires a standard set of attributes and a backend exchange that currently does not exist. Implementing all of this requires a substantial investment in time and money. The policy that required ABAC did not consider some of these challenges, and as a result, the timelines were unachievable. When you give someone an impossible task (or, in this case, timeframe), they tend to give up or lower the initiative's priority.

During the summer of 2015, two mammoth hacks were revealed at the Office of Personnel Management (OPM), which caused the White House to react with the "Cyber Sprint." This meant most agencies dropped everything related to other ICAM endeavors and concentrated on strong authentication for privileged and unprivileged users by ensuring everyone was issued and using a PIV card (or, at the very least, some other type of two-factor authentication). Constant reporting to OMB was required during this 30-day review, and a lot of pressure was put on senior leadership across the government. In fact, the White House assigned "grades" to all agencies, and many did not fare well (by July, only 14 of 24 agencies had hit their major goals). While federal mandates have required PIV card use for quite some time, the "Cyber Sprint" (which later turned into the "Cyber Marathon," requiring weekly and then monthly reports on progress) highlighted just how poor that adoption had been, and some agencies required a major push to quickly implement this authentication method. Agencies were left shaken by the sprint. Some agencies performed reorganizations to ensure cyber security offices were broadly aligned across the Department. In some cases, the reorganization caused changes in personnel and Department strategies, which caused instability and had a negative effect on some agencies' ABAC implementations.

The merits of ABAC are clear. A few years ago, Gartner stated that, by 2020, 70% of businesses will leverage ABAC, and vendors in this space are developing new technologies to make it easier to implement all the time. ABAC remains a federal requirement, but these changes may result in the deadlines for classified and unclassified implementations being extended.  We can expect additional guidance to be provided by NIST (per their promise in SP 800-162), and additional resources to be allocated in this area, based on the Government’s increasing cyber security budget requests for the next fiscal year (President Obama proposed $14 billion this year, an increase of over $1 billion from the previous year). The government is making ICAM and cyber security a priority in the wake of the cyber sprint.  ABAC took “a back” seat for a while, but it will be back.

Do you have any experience with delays in implementing ABAC? How did the cyber sprint affect you?  Let us know your thoughts! For more information on implementing ABAC in the Federal area, check out eMentum’s white paper at http://ementum.com/downloads/.  Do Good.  Have Fun.  Add Value.

John Carr

John B. Carr, PMP, CSM, ITIL, is a senior project manager, scrum master, and strategic consultant who enjoys exploring creative solutions to resolve those complex, “wicked” problems of the federal government using empathy and agile approaches. He is the author of several white papers including “Innovating IT Solutions Using Human-Centered Design” and “Implementing Attribute Based Access Control in the Federal Arena” found here. Feel free to contact him at jcarr@ementum.com.
