What Are ICAM and FICAM?
For organisations and government agencies alike, strong identity management is paramount. Millions of people share sensitive, personal information with commercial and public bodies every day, so companies and public sector agencies have a responsibility to secure their assets.
This is where ICAM and FICAM come in.
What is ICAM?
Identity, credential, and access management (ICAM) is a set of security principles that helps organisations manage, monitor, and secure access to their resources. ICAM lets the right individuals access permitted resources for the right reasons, protecting organisations from unwanted access attempts.
What is FICAM?
FICAM—short for federal identity, credential, and access management—applies ICAM policies, tools, and systems to federal agencies. It allows these organisations to control access to protected resources such as files, networks, servers, and physical spaces.
In this post, we’ll explore these principles in greater detail, consider the benefits of implementing ICAM and FICAM programs, and guide you through some best practices to get started.
The core principles of ICAM and FICAM
There are three core pillars of ICAM security: identity, credentials, and access. We’ll define each of them here and explain how FICAM puts them into practice.
1. Identity management
By “identity,” we mean the set of attributes that define an individual—in a federal context, this is often the personal or biometric information that agencies collect. Identity management, therefore, is the set of policies that allow organisations to establish, maintain, and erase user identities.
Organisations need this process to verify identities, create and delete user accounts, and to maintain current and accurate account records. Federal agencies also use identity management to find and connect disparate records for the same person or entity.
2. Credential management
Credentials are authoritative pieces of evidence that prove an individual’s identity—think passports, bank cards, passwords, and digital certificates. Credential management lets organisations issue, track, update, and revoke access credentials for user identities.
Government bodies need credential management to link identities with verifying evidence, which is essential to then register accounts, maintain information, and issue resources and communications.
3. Access management
Access management ensures that only those permitted to access resources or perform certain actions on them (e.g., “view,” “share,” “edit”) can do so. Organisations need service and other access management practices to define access policies and rules, such as: “All users must present the correct credentials to a corresponding identity.” Organisations also rely on this to determine permissions and to authenticate and authorise users.
There are two supporting elements that enhance the implementation of these principles in FICAM:
- Federation: This is defined as an agency’s ability to accept identities, attributes, and credentials issued by others, enabling them to seamlessly work together. Federation ensures policy alignment between interacting organisations, brokers authentication events, and facilitates attribute exchanges between systems. As a result, this increases interoperability between agencies and allows for more intelligent access decisions.
- Governance: The set of systems and practices that guide ICAM functions and activities. Governance policy includes analytics to identify security risks and non-compliance, along with broader operational troubleshooting.
What are the main goals of ICAM and FICAM?
Federal ICAM programs aim to make government technology experiences more secure and effective. The FICAM roadmap sets out five strategic goals for agencies to pursue, each with related objectives.
Goal #1: Comply with federal laws relevant to ICAM
- Align federal policies with ICAM initiatives
- Empower governance bodies and enforce accountability for complying with ICAM
Goal #2: Streamline access to digital government services
- Expand secure digital access to government data and systems
- Increase transparency around digital practices to promote public confidence
Goal #3: Strengthen security posture across the federal system
- Support cybersecurity programs and invest in solutions
- Use risk-based frameworks for access control
- Integrate physical security and electronic verification into a seamless process
- Improve digital auditing capabilities
Goal #4: Improve trust and interoperability
- Share information between user communities
- Align processes with external partners
- Build and maintain trusting relationships
- Use standards as benchmarks and adopt products to meet them
Goal #5: Cut costs and boost efficiencies
- Reduce administrative processes where possible
- Phase out redundant programs and procedures
- Promote interoperability and reuse of programs and systems
How ICAM and FICAM work together
Government agencies serve different users in different capacities, and each group of users has different access and authentication requirements—all of which can be regulated and made more secure by following the standards of ICAM and FICAM architecture.
What is ICAM segment architecture?
ICAM segment architecture establishes how organisations need to identify, authenticate, and authorise individuals belonging to each segment—federal community, other governments, external organisations, and the public—to provide trustworthy and interoperable access to resources.
For example, a federal agency may have a high degree of confidence in login attempts from employee accounts. As such, federal employees will only need personal identity verification (PIV) credentials, like a username and password, to gain access. Employees from a state government agency may log in with the PIV credentials issued to them by their local system.
Public members and external organisations, however, don’t have the same degree of identity assurance—the agency can’t be as confident that the intended user is trying to obtain access. Therefore, agencies might deploy stronger authentication methods (e.g., open standards like OpenID) to ascertain the identities of these users.
Agencies using this segment architecture in their FICAM program improve their security posture and efficiency in a variety of ways: they decrease the risks of identity theft and data breaches, improve regulatory compliance and customer service, and strengthen their protection of personally identifiable information (PII).
What is FICAM architecture?
FICAM architecture is a U.S. government framework for agencies to use when planning, designing, and implementing their ICAM programs. It’s a resource focused on enterprise identity practices, policies, and information security disciplines–equipping agencies with the knowledge to achieve unique performance goals in alignment with federal security and privacy initiatives.
In addition, the FICAM architecture explains how each ICAM component interacts, outlines use cases of common ICAM and FICAM procedures, exemplifies the different solutions and software that agencies can use to execute ICAM, and informs readers of the standards and policies that shape FICAM. This provides value to numerous agency personnel:
- Senior agency stakeholders have a reference architecture to use across multiple agencies and business areas.
- Program managers find common definitions and frameworks to factor into planning.
- Enterprise and app architects gain a common framework for IT systems, apps, and networks that summarise and exemplify common ICAM and FICAM procedures.
- Everyone in federal IT can implement consistent and interoperable identity, credential, and access management policies.
FICAM standards and requirements
Numerous federal laws, policies, and standards influence the design of FICAM programs. Some of the most important are:
- OMB Circular A-108: Compels agencies to prioritise compliance with the Privacy Act of 1974. They must report their efforts back to the Office of Management and Budget and publish their findings.
- OMB 19-17: Builds on existing HSPD-12 and FIPS-201 policies by requiring PIV-based authentication for both physical and logical access.
- Executive Order 13883: Authorises agency CIOs to ensure that their IT systems are as modern and secure as possible.
- NIST SP 800-63-3: Offers digital identity guidelines for agencies to use when implementing digital services and conducting risk assessments.
The full list of standards is available here.
What are the benefits of ICAM and FICAM?
By implementing ICAM, federal agencies improve their response to a number of key challenges:
- In a world of increasing cyber threats, FICAM minimises the risks of identity theft and data breaches. Notably, it helps to strengthen agency procedures for authentication, authorisation, logging, and reporting.
- The global compliance landscape is ever-evolving, and FICAM helps agencies to align with various regulations and laws like the CCPA and GDPR. This extends to greater protection of PII.
- Federal agencies have, historically, not been interoperable—FICAM connects agencies through federation and PIV credential compatibility.
- FICAM provides a modern and standardised procedural framework for agencies, which eliminates the high cost of redundant administrative processes.
Combined, all of these benefits contribute to great customer service—streamlining experiences for internal users, external organisations, and citizens.
How to get started with ICAM and FICAM
To ensure your government agency complies with the policies and standards listed above, including OMB 19-17, and make a success of your ICAM implementation, we recommend you consider the following:
1. Avoid vendor lock-in
Choose a vendor whose solutions are based on open standards and can integrate with a variety of partners. The Okta Integration Network, for example, enables interoperability with 6,500+ integrations for deep identity and access management.
2. Implement multi-factor authentication
This will reduce the risk of access breaches and create higher identity assurance in each user. Explore authentication factors that are secure yet convenient to use (like Okta Verify) and those certified by the FIDO Alliance, such as U2F tokens.
3. Incorporate risk analysis
Risk-based authentication analyses contextual factors related to user logins, like their device, IP address, and location. It then calculates a risk score based on these elements and recommends an access decision. When paired with threat intelligence feeds, risk-based mechanisms provide a powerful defense against threats.
4. Use end-to-end attribute-based access control
This model sets access privileges based on attributes, rather than job roles, giving admins a great deal of flexibility over access policies when provisioning and deprovisioning users. Plus, it’s an effective way to close any gaps with security, data privacy, and compliance.
5. Secure access to APIs
To increase interoperability, ICAM capabilities should be deployed using public application programming interfaces (APIs) and other open commercial standards. Consider implementing API access management to secure these resources and fortify authentication.
Aligning ICAM and FICAM with Zero Trust
Federal agencies face a great deal of pressure to provide crucial services efficiently, with strong protections in place. As ICAM requirements develop, they compel government organisations to continuously modernise their IT.
Agencies must respond by investing time and resources into building ICAM policies that work. We believe that adopting a Zero Trust model goes hand-in-hand with FICAM’s mission, providing a clear framework for agencies to secure identities, credentials, and access beyond doubt.
Learn more about Zero Trust in government and how Okta can help agencies to modernise:
- Bring Secure, Frictionless Customer Experiences to Government Faster with Modern CIAM (Whitepaper)
- Government Agencies Need to Migrate from Legacy On-Prem Identity Solutions—and Okta Can Help (Blog post)
- Embracing the ‘New Normal’: How Zero Trust is Empowering Government Agencies (Blog post)
- Zero Trust Maturity Across the Federal Government (Datasheet)