Identity, Credentialing, and Access Management (ICAM) is the set of security disciplines that allows agencies to manage, monitor, and secure access to protected resources. These resources may be electronic such as files or computer systems, or physical resources such as server rooms and buildings.
In May of this year, the Office of Management and Budget (OMB) released an updated policy on Identity, Credentialing, and Access Management (ICAM). The policy provides ICAM guidance for the federal government and outlines specific responsibilities for federal agencies.
As one of the agencies that leads governmentwide ICAM efforts, GSA is committed to ensuring the federal government’s long-term viability, security, responsiveness, and efficiency. To do so, we have specific responsibilities regarding the ICAM acquisition solutions we make available to agencies.
This ICAM policy comes at a crucial time. The discussion around defining identity is evolving rapidly. Identity is now more than just a person; it is a unique representation of a subject and can include devices like cell phones, tablets, TVs, or any network connected item. Ensuring the right people (or device) have the right credentials and access are paramount.
OMB’s ICAM policy gives the federal government direction by first clarifying what it considers to be identity. The policy further defines what it means to:
- manage those identities,
- provide credentials to not only government employees and contractors but the public as well, and
- allow access to the right information systems and physical access to buildings.
ICAM is now an agency-level responsibility. Agencies’ approach to ICAM should consider governance, architecture, and acquisition. The ICAM policy lays out agency responsibilities to meet policy outcomes accordingly.
What must agencies do? Here’s a high-level list:
- Develop an agency-wide ICAM office, which may require more resources.
- Assess current ICAM capabilities, identify gaps for new capabilities, and develop plans to transition obsolete capabilities.
- Use acquisition vehicles such as Best-In-Class, Tier 2, or federal shared services to procure new capabilities.
Also, the ICAM policy specifies responsibilities for agencies that lead governmentwide efforts in identity management. GSA, along with the National Institute of Standards and Technology (NIST), Office of Personnel Management (OPM), and Department of Homeland Security (DHS), will update to the ICAM guidance and develop ICAM roadmaps. The other agencies’ responsibilities are described within the policy.
GSA is specifically tasked with ensuring all current ICAM solutions and shared services are immediately available for agencies to use to begin meeting policy requirements.
Also, GSA will ensure ICAM acquisition solutions comply with this OMB ICAM policy as well as other relevant laws, standards, and guidance.
GSA’s ICAM Solutions
Agencies can visit GSA’s eLibrary to see the current ICAM SINs on IT Schedule 70 available, which includes the PKI Shared Service Provider (SSP) Program (132-61), HSPD-12 (132-62), and PKI Professional Services (132-60f).
Another important ICAM solution is the USAccess Program. GSA’s USAccess program provides federal government agencies with identity credential solutions. This shared service provides an efficient, economical and secure infrastructure to support agencies’ credentialing needs. Currently, the program supports over 600,000 users and continues to add more users.
The Department of Veterans Affairs is the most recent large federal agency to choose USAccess for its identity credentialing solution. When fully operational, this will bring over 500,000 additional cardholders onto the USAccess system.