The CISA and the National Security Agency (NSA) have collaborated to address the challenges faced by developers and technology manufacturers in implementing identity and access management (IAM) solutions. This document, titled “Identity and Access Management: Developer and Vendor Challenges,” is part of the Enduring Security Framework (ESF). It focuses on the limitations of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations [2] [3] [4], as well as the technology gaps that hinder their adoption. The report offers recommendations for vendors to enhance their products and align them with NIST requirements, ultimately improving the security of organizations.


The publication highlights the importance of adopting MFA and SSO technologies securely [5]. It emphasizes the need for vendors to standardize MFA terminology, invest in phishing-resistant authenticators [5], and support high-assurance MFA for enterprise use [5]. Additionally, the report suggests enhancing enrollment security, improving SSO systems [5], implementing broader support for identity standards [5], creating open-source solutions for integration challenges [5], and making SSO capabilities accessible to small and medium organizations [5]. The guidance is applicable to both large and smaller organizations, encouraging public-private partnerships to enhance overall security [5].

The recent SolarWinds breach has underscored the necessity for a new approach to cybersecurity [1]. Traditional security measures are no longer sufficient against sophisticated attacks that compromise identities and manipulate privileged access [1]. The U.S. [1] Cybersecurity and Infrastructure Agency (CISA) has emphasized the importance of identity in securing networks and called for a reevaluation of infrastructure [1]. As hybrid and multi-cloud environments become more prevalent [1], the shift towards a Zero Trust approach gains momentum. This approach requires authentication and authorization for every identity [1], providing enhanced security for sensitive data and systems. The U.S. [1] National Security Agency (NSA) has released guidelines for embracing this approach [1], recognizing its potential [1]. CISA encourages cybersecurity defenders to review the guidance and engage in discussions with their software vendors regarding its implementation.


The collaboration between CISA and the NSA in addressing the challenges of IAM solutions is crucial in the face of evolving cybersecurity threats. By adopting the recommendations outlined in the publication, organizations can enhance their security posture and mitigate the risks associated with compromised identities and privileged access. The shift towards a Zero Trust approach offers a promising solution, particularly in hybrid and multi-cloud environments. It is essential for cybersecurity defenders to stay informed about the latest guidance and work closely with software vendors to implement effective security measures. This collaborative effort will contribute to the overall security of organizations and protect sensitive data and systems from malicious actors.