Identity-Centric Security: ICAM as a Mission Advantage

Oct 03, 2025

Jacob Abrams and Jim Black

Written by

Jacob Abrams

Jacob Abrams is a Product Marketing Manager at Akamai working with the Zero Trust security products, specifically Akamai Guardicore Segmentation. Prior to Akamai, he worked with Israeli tech startups to generate sales pipeline and facilitate marketing content creation and promotion. He is based in Somerville, MA.

Written by

Jim Black

Jim Black is a Senior Product Marketing Manager in Akamai's Enterprise Security Group. He has spent his entire career in technology, with roles in manufacturing, customer support, business development, product management, public relations, and marketing. 

In the public sector, identity, credential, and access management (ICAM) is no longer just a box on an IT checklist. With escalating cyberthreats, tightening regulatory mandates, and citizens who are expecting secure, seamless digital services, ICAM has become a key component for mission success.

In this blog post, we explore how adopting modern ICAM — powered by the correct capabilities — can help government agencies meet mandates, ensure cyber resilience, and transform the function of identity into a distinct security advantage.

Yesterday’s outdated view: Identity as overhead

Historically, identity management in government was treated like plumbing: necessary but invisible. Think siloed directories, VPN vulnerabilities, endless reset requests for the help desk, and glaring gaps in visibility.

This legacy approach often slowed down operations. It also increased risk: Attackers could still exploit weak or shared credentials, “trusted” internal networks, or poorly protected apps. And compliance, while necessary, commonly felt like a burden rather than an opportunity to modernize.

Today’s strategic view: Identity as mission advantage

Modern ICAM flips that script. When done right, it delivers four major mission advantages:

  1. Continuity and resilience

  2. Mandate compliance

  3. Secure service delivery to maintain citizen trust

  4. Operational agility and cost efficiency

Continuity and resilience

Agencies must remain operational even during high-volume attacks, supply chain disruptions, or other cyber stress events. Strong ICAM reduces the risk of account takeover, insider threats, and lateral movement.

Mandate compliance

U.S. federal mandates like Executive Order (EO) 14028 (Executive Order on Improving the Nation’s Cybersecurity) require civilian agencies to adopt Zero Trust architectures, use multi-factor authentication (MFA), secure software supply chains, and improve identity/authentication controls.

The Office of Management and Budget’s M-22-09 Federal Zero Trust Strategy further defines identity (specifically, enterprise-managed identities and phishing-resistant MFA for agency staff) as one of its five foundational pillars.

And the National Institute of Standards and Technology Special Publication (NIST SP) 800-207 provides the technical framework that agencies use to architect Zero Trust, also emphasizing identity/authentication, least-privilege access, continuous verification, and segmentation.

By aligning ICAM solutions with Zero Trust requirements, agencies not only check the compliance box but also strengthen mission assurance by meeting federal mandates with comprehensive Zero Trust adoption.

Secure service delivery to maintain citizen trust

Operational agility and cost efficiency

By modernizing ICAM, agencies can reduce VPN dependencies, streamline contractor/partner access, cut help desk burden, and improve identity lifecycle management (onboarding, offboarding). That leads to cost savings, faster mission delivery, and better security.

How Akamai powers strategic ICAM for government

To turn these advantages into reality, you need a vendor that can cover the entire access and identity chain. The following table illustrates how Akamai’s ICAM-relevant portfolio delivers on that mission.

| Product | Capability | Why it matters for public sector missions |
|---|---|---|
| Akamai App & API Protector | Protects citizen-facing and internal apps/APIs against bot attacks, account abuse, API misuse, and distributed denial of service (DDoS) | Ensures the availability of mission-critical services; prevents fraud and abuse at the perimeter |
| Akamai API Security | Secures APIs used for identity and authentication flows, third-party integrations, and partner systems | Identifies vulnerabilities and risks in the APIs that many modern government services depend on |
| Akamai Enterprise Application Access | Provides Zero Trust access to internal apps, replaces or reduces VPNs, gives least-privilege access, enforces MFA/adaptive controls | Supports remote work, contractor access, and agency continuity; simplifies access controls across hybrid infrastructures |
| Akamai Guardicore Segmentation | Restricts lateral movement through microsegmentation, controls east-west traffic post-login, and enforces access boundaries based on identity and role | Limits the spread even if credentials are compromised; this is essential under Zero Trust to protect sensitive systems (e.g., personally identifiable information, classified data) |

Akamai’s ICAM-relevant portfolio covers the entire access and identity chain

What ICAM can look like in the public sector

Here’s a plausible example scenario to illustrate what strategic ICAM can look like in practice.

A federal agency responsible for public benefits was seeing frequent login failures, bot attacks, and occasional credential stuffing targeting its benefits portal. At the same time, remote staff and contractors required VPN access to internal systems, which increased operational overhead.

The agency decided to implement a modern ICAM stack, including:

  • App & API Protector to shield the portal, which reduced credential abuse and bot traffic by more than 70%

  • API Security to safeguard identity‐exposed APIs and integrations, which strengthened validation and logging

  • Enterprise Application Access to move staff and contractors off legacy VPN by using least-privilege access and adaptive MFA

  • Akamai Guardicore Segmentation to define boundaries inside the network; in the case of an intrusion, lateral movement is now limited so that only noncritical zones are exposed

In our example scenario, the outcomes would’ve been improved uptime of citizen services, fewer breaches and disruptions, lower operations cost, and better auditor and compliance readiness for a more secure and more agile mission.

How to advance ICAM adoption in government agencies

The game plan to move from legacy identity toward identity as a strategic security advantage includes:

  • Defining mission outcomes and metrics 

  • Architecting for Zero Trust and least privilege 

  • Securing the full access chain: Apps to APIs to infrastructure 

  • Continuously validating, monitoring, and adapting

  • Integrating governance, culture, and compliance 

Defining mission outcomes and metrics

Identify what matters most: uptime of citizen services, number of authentication failures, mean time to credential compromise, and compliance gaps. Tie identity metrics to these areas to get a sense of how you’re delivering on the mission.

Architecting for Zero Trust and least privilege

Adopt NIST SP 800-207’s architectural principles: strong identity verification, continuous authentication/authorization, segmentation of resources, and the inclusion of policy enforcement points. Be sure to craft policies that take into account both human and machine identities.

Securing the full access chain: Apps to APIs to infrastructure

Don’t leave identity exposure at the edges. Be sure to protect your front-door apps, internal APIs, and internal network zones. Look for a vendor solution that can include web application firewall (WAF) and API protection alongside access controls and robust network segmentation.

Continuously validating, monitoring, and adapting

Identity isn’t “set it and forget it.” Monitor any failures, anomalous behavior, privilege creep, or credential abuse. Be sure to update your policies and refine access as roles change, ideally in an automated way. Use the telemetry and audit logs provided by the ICAM solution within your broader management strategy.

Integrating governance, culture, and compliance

Ensure leadership buy-in by mapping solution capabilities to legal and regulatory requirements (the Federal Information Security Modernization Act [FISMA], the Federal Risk and Authorization Management Program [FedRAMP], EO 14028, OMB guidance). Establish identity governance and train your staff to be familiar with it. Treat compliance as an opportunity to modernize, rather than as an obligation.

The time is now

The following indicators should prompt you to start your move toward modern ICAM today.

  • Mandates and policy requirements are clear and urgent. EO 14028 demands Zero Trust, secure authentication, and software integrity.

  • OMB-level strategy (M-22-09) identifies identity as foundational to the Zero Trust framework, including requirements for phishing-resistant MFA.

  • Cyberthreats are evolving. Credential-based attacks, API abuses, and lateral movement inside networks are frequent vectors. Zero Trust architectures built around identity provide the strongest defenses.

  • Public expectation is rising. Citizens demand digital services that are both secure and seamless. Government failure to protect identity data can erode trust quickly.

Conclusion

ICAM isn’t just about stopping what’s bad; it’s also about enabling what’s good. ICAM can enable agencies to serve constituents reliably, permit remote work without adding risk, and allow cyber compliance to become a foundation for cyber excellence.

Akamai’s ICAM solutions span the whole journey — securing app front doors, protecting APIs, controlling internal access, and employing segmentation — to help you not only meet those mandates, but also gain a strategic mission advantage.

Learn more

Ready when you are! Contact us to explore how Akamai can help your agency modernize identity, reduce risk, and ensure mission assurance. 
