Access Control & Identity: All Roads Lead to FICAM

Inside the federal government’s standardization of Identity, Credential and Access Management systems

The most important roadmap to consider this summer isn’t leading you to the beach — it’s the Federal Identity Credential and Access Management, or FICAM, and it delineates the route to sound, federal-government endorsed access control practices. Your Federal customers should know it well. Do you?

FICAM presents agencies with a holistic, common approach to improving cyber security government-wide by efficiently managing identities and their associated credentials. The Federal Chief Information Officer’s Council issued FICAM in 2009 and revised it in 2011. The roadmap seeks to improve on Identity, Credential and Access Management (ICAM) efforts by standardizing and strengthening existing approaches.

Those existing approaches have proven problematic, FICAM authors acknowledge. A fragmented approach to identity management and cyber security leaves policy gaps and introduces security vulnerabilities. FICAM is, in the words of its authors, “a call to action for ICAM policy makers and program implementers across the Federal Government to take ownership of their role in the overall success of the federal cyber security, physical security and electronic government.”


Compliance is beneficial/required

FICAM offers a way forward, but don’t let the “roadmap” label mislead you. FICAM is more than simply a friendly suggestion from the Federal CIO Council — its enterprise approach dictates the federal credentialing and access policies of the future. For your federal customers to secure their physical and logical assets, maintain the privacy and security of their personnel, and interact seamlessly with their contractors and fellow agencies, they must align with the architecture it describes.

FICAM guidance is not just another check-the-box exercise or another required response to a government mandate. Agencies whose identity and credentialing practices align with FICAM will find it easier to securely interoperate with fellow agencies.

Moreover, in this era of budget spats and federal cut-backs, agencies can realize significant cost savings by aligning with FICAM. The inefficiencies eliminated by streamlining and standardizing credentialing across the federal government translate into better allocation of staff and resources, recouping time otherwise lost to addressing IT hiccups. Alignment can also aid in automating and even eliminating processes formerly completed by personnel. For example, FICAM calls for automated provisioning and de-provisioning of identities and associated credentials to physical access control systems and IT applications. Provisioning of the digital credentials streamlines access to resources, while de-provisioning ensures access to resources is cut off in a timely manner.

And, yes, FICAM also offers the benefit of compliance with related laws and government mandates. Its foundation is the Federal Enterprise Architecture and, by streamlining access to services, it facilitates the goals of e-government. FICAM also complements the objectives of Homeland Security Presidential Directive-12 (HSPD-12) and incorporates the standards issued in FIPS 201. This is mainly because Personal Identity Verification, or PIV, credentials have been issued government-wide as a means to align employee and contractor identification.

In terms of FICAM, the PIV credential, or Department of Defense equivalent Common Access Card (CAC), is the instrument that makes enterprise FICAM a reality. The credentials are not only built on an open standard, but they also permit strong authentication, enhancing overall security to buildings or IT resources.

Making the case for FICAM is only half the job. Now that you understand why federal agencies should apply the FICAM model to their ICAM solution, you must also understand how they undertake this task.

As the standard advises:

First, create trusted digital identities;

Second, bind those identities to credentials; and

Third, leverage these credentials to provide authorized access to resources.
