Agencies are scoring quick wins with robotic process automation, deploying bots that can handle rote tasks more quickly and efficiently than federal employees, which frees those employees up to handle higher-value tasks.
Making that shift, however, requires collaboration between agency IT offices and their counterparts in information security. To assist in that dialogue, the General Services Administration is launching a Digital Worker Credentialing Handbook that will give agencies a common reference.
GSA analyzed the common policy and implementation challenges and put together a set of recommendations. From there, the agency’s Identity Assurance and Trusted Access Division used those recommendations as the basis for the handbook.
Medved said the playbook should give agencies a common reference for launching and overseeing bots. More significantly, however, she said the handbook aims to help agencies overcome a common “mental barrier” with leaving bots unattended.
The handbook outlines a three-step process for agencies to consider when fielding a supervised or unsupervised bot. The first step calls on agencies to determine the bot’s impact level, which is determined through a six-factor impact score.
Ken Myers, a GSA cyber policy and strategy planner, said the handbook makes it clear that not every digital worker requires a digital identity, especially if the bot is considered low impact, but that determination can vary by agency.
“We found that a lot of agencies were using human-based identity processes to credential a digital worker, and it doesn’t always work like that. There’s some things that are specific to humans that don’t correlate to a digital identity,” Myers said.
The handbook recommends agencies routinely conduct access reviews to determine whether a digital worker has the privileges needed to complete a task, but none beyond that. During this review, agency program offices should consider if a digital worker has access to privileges that could result in fraud, theft, or other errors.
The handbook’s final step recommends agencies provision and govern the digital identities of bots.
Along with this step, GSA urges agencies to assign both a sponsor and a custodian for the bots they deploy. A sponsor is usually an executive, such as a chief information security officer, who is accountable for the digital worker, while a custodian oversees the day-to-day functions of the bot.