Federal agencies will need to find the balance between risks and user experience when developing and implementing digital identity systems, according to Ryan Galluzzo, digital identity lead for the Applied Cybersecurity Division at the National Institute of Standards and Technology.
In an interview, the government tech leader said agencies must look at various factors such as application context and rights, type of data, and who will be using the system, and on what devices.
“The whole point of the digital identity risk management process is to want to understand what is the application context you’re working in? What are the different users that you have? What kind of data are you accessing? What kind of rights do you have once they are in the application? Can they modify things, just view things, and what’s the potential impact?” Galluzzo asked.
NIST previously published Special Publication 800-63, which consists of four volumes to guide agencies on how they can manage risks with digital identity programs.
On Privileged Access
The U.S. government has adopted phishing-resistant multifactor authentication as part of its cybersecurity strategy. Agencies are also exploring access governance, such as attribute-based access control, or ABAC.
According to Galluzzo, ABAC enables system administrators to manage access based on user and transaction attributes. ABAC considers where the user is located, the time of day they are trying to access a system, what kind of device is being used and the type of network it is connected to, and then applies the appropriate policies.
The official added that his office is specifically looking at passkeys and Fast Identity Online, or FIDO, authentication and credentials used in mobile wallets. He commented that technologies that combine increased security with a smoother user experience “show a lot of value and gain a lot of traction.”
