Notice ID: VA-24-00004090
Description
The VA is modernizing its Identity, Credential, and Access Management (ICAM) capabilities to improve reliability, usability, functionality and resiliency. In a recent Office of the Inspector General (OIG) report titled “VA Needs to Improve Governance of Identity, Credential, and Access Management Processes,” there were multiple findings indicating that the VA’s identity management landscape needs significant modernization in order to keep pace with evolving cybersecurity guidance and threat mitigation while maintaining proper governance.
Information Requested
The VA is working towards a modernized ICAM infrastructure and seeks guidance, best practices and market research to inform our efforts. As part of your response, please provide a submission addressing the following topics:
Describe in detail your approach and utilization of technology to support standards-based identity management components in the following subject areas:
- Identity Governance and Administration
  - At least three reports have highlighted the VA’s lack of identity governance and administration. Describe how the solution would address the organization-wide issues highlighted by these reports to enable:
    - The ability to request enterprise roles and entitlements that span across multiple VA applications
    - Automated workflow tooling that incorporates business rules and approvals
    - Segregation of duty detection and prevention across various applications and systems
    - Auditing and reporting capabilities
    - Oversight in onboarding/offboarding
    - Credential management
    - Continuous diagnostics and maintenance
- Internal and External user authentication and access management
The VA has unique authentication challenges where users are not fully considered “external” in the classic sense and blur the lines between internal and external. Also, a large percentage of the VA workforce are Veterans themselves. How would you address these challenges? What limitations exist in your solution around these challenges?
The VA relies heavily on PIV for phishing-resistant authentication for its workforce. How would the proposed approach for strong, phishing-resistant MFA address both PIV-centric workflows and situations where alternatives are required (e.g., users without PIVs, mobile devices, etc.)?
The VA leverages credential service providers (CSPs) to authenticate external users through federation. How will the solution support federated authentication, fraud prevention and centralized access management while leveraging CSPs?
- Identity lifecycle management…