NSA Provides Guidance for ICAM

NSA Releases Recommendations for Maturing Identity, Credential, and Access Management in Zero Trust

Greg Thomas
3 min read · Mar 15



The National Security Agency (NSA) has followed up on its Embracing a Zero Trust Security Model guidance with recommendations to help system operators mature their identity, credential, and access management (ICAM) capabilities. Check out HashiCorp’s response to the initial model in a three-part series featured in the Intelligence Community News.

Just Start! — Implementing Zero Trust Workflows for the Intelligence Community

How to Prevent Lateral Movement (Is the “Bad Actor” Already Inside?)

Why you should be using an Identity-Aware proxy (IAP)

In the three-part series, we outlined how to properly manage credentials with HashiCorp Vault, secure non-person entity (NPE) communications with Consul, and use Boundary to secure sessions to any target system while reducing reliance on legacy VPN or SSH techniques. The NSA’s guidance is more detailed than the initial model and focuses on three core problems. In industry terms, they can be summarized as follows.

  1. How do I stop secret sprawl?
  2. How do I secure a service mesh with a trusted identity?
  3. How do I move away from legacy access methods like VPN?

For authentication (“AuthN”) systems, NSA recommends NIST’s Digital Identity Guidelines (NIST SP 800-63B), an excellent baseline to model against.

“The strength of authentication systems is described in NIST’s SP 800–63 part B in terms of authenticator assurance levels (AAL) ranging from AAL 1 to AAL 3. Strongly assured methods are recommended for all person users with access to critical resources. NSA recommends strong multi-factor authentication for person users.” (Page 9)

The part that addresses secret sprawl is: “To prepare for higher maturity levels, inventory all credentials associated with each user” (Page 12). This is a very common requirement in regulated industries. How do I know where all my credentials and secrets are? Answering that requires a system that controls secrets centrally, where every API call is continuously audited and logged and every credential is time-bound. We do not recommend Excel spreadsheets! Going “passwordless” is the thing to do nowadays…
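As an added illustration (not code from the post or from HashiCorp), the Terraform configuration below uses the Vault provider to express the three properties just named: an audit device so every API request is logged, a least-privilege policy, and a token role whose tokens expire. The Vault address, path names, role names and TTL values are assumptions chosen for the example.

```hcl
# Added example: Vault configured for audited, logged, time-bound secrets.
# Assumes VAULT_ADDR and an admin VAULT_TOKEN are set in the environment;
# all paths, names and TTLs below are illustrative.
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

# Every API request and response is written to an audit log
# (Vault hashes secret values in the log by default).
resource "vault_audit" "file" {
  type = "file"
  options = {
    file_path = "/var/log/vault_audit.log"
  }
}

# Least-privilege policy: the app may only read its own KV subtree.
resource "vault_policy" "billing_reader" {
  name   = "billing-reader"
  policy = <<-EOT
    path "secret/data/apps/billing/*" {
      capabilities = ["read"]
    }
  EOT
}

# Token role: tokens carry only the policy above and cannot outlive
# the explicit max TTL, so access is time-bound rather than permanent.
resource "vault_token_auth_backend_role" "billing_app" {
  role_name              = "billing-app"
  allowed_policies       = [vault_policy.billing_reader.name]
  disallowed_policies    = ["root"]
  orphan                 = true
  renewable              = true
  token_explicit_max_ttl = 3600 # hard cap: one hour, in seconds
  token_period           = 600  # must renew every 10 minutes or it expires
}
```

A credential inventory then becomes a query against Vault’s audit log and token store rather than a search through spreadsheets and config files.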


