Access Control & Identity: All Roads Lead to FICAM

Aug. 9, 2013
Inside the federal government’s standardization of Identity, Credential and Access Management systems

The most important roadmap to consider this summer isn’t leading you to the beach — it’s the Federal Identity Credential and Access Management, or FICAM, roadmap, and it delineates the route to sound, federal-government endorsed access control practices. Your Federal customers should know it well. Do you?

FICAM presents agencies with a holistic, common approach to improving cyber security government-wide by efficiently managing identities and their associated credentials. The Federal Chief Information Officer’s Council issued FICAM in 2009 and revised it in 2011 with specific advice for various agencies. The roadmap seeks to improve on Identity, Credential and Access Management (ICAM) efforts by standardizing and strengthening existing approaches.

Those existing approaches have proven problematic, FICAM authors acknowledge. A fragmented approach to identity management and cyber security leaves policy gaps and introduces security vulnerabilities. FICAM is, in the words of its authors, “a call to action for ICAM policy makers and program implementers across the Federal Government to take ownership of their role in the overall success of the federal cyber security, physical security and electronic government.”

Compliance is beneficial — and required

FICAM offers a way forward, but don’t let the “roadmap” label mislead you. FICAM is more than simply a friendly suggestion from the Federal CIO Council — its enterprise approach dictates the federal credentialing and access policies of the future. For your federal customers to secure their physical and logical assets, maintain the privacy and security of their personnel, and interact seamlessly with their contractors and fellow agencies, they must align with the architecture it describes.

FICAM guidance is not just another check-the-box exercise or another required response to a government mandate. Agencies whose identity and credentialing practices align with FICAM will find it easier to securely interoperate with fellow agencies. They will find it simpler to enable trust among internal and external entities, and they will reap the benefit of improved security.

Moreover, in this era of budget spats and federal cut-backs, agencies can realize significant cost savings by aligning with FICAM. The inefficiencies eliminated by streamlining and standardizing credentialing across the federal government translate into better allocation of staff and resources, recouping lost time addressing IT hiccups. It can also aid in automating and even eliminating processes formerly completed by personnel. For example, FICAM calls for automated provisioning and de-provisioning of identities and associated credentials to physical access control systems and IT applications. Provisioning of the digital credentials streamlines access to resource, while de-provisioning ensures access to resources is cut off in a timely manner, if not immediately.

And, yes, FICAM also offers the benefit of compliance with related laws and government mandates. Its foundation is the Federal Enterprise Architecture and, by streamlining access to services, facilitates the goals of e-government. FICAM also complements the objectives of Homeland Security Presidential Directive-12 (HSPD-12) and incorporates the standards issued in FIPS 201. This is mainly because Personal Identity Verification, or PIV, credentials have been issued government-wide as a means to align employee and contractor identification.

In terms of FICAM, the PIV credential, or Department of Defense equivalent Common Access Card (CAC), is the instrument that makes enterprise FICAM a reality. The credentials are not only built on an open standard, but they also permit strong authentication, enhancing overall security to buildings or IT resources.

Practical ways to use FICAM

Making the case for FICAM is only half the job. Now that you understand why federal agencies should apply the FICAM model to their ICAM solution, you must also understand how they undertake this task.

In the advice of the standard:

  • First, create trusted digital identities;
  • Second, bind those identities to credentials; and
  • Third, leverage these credentials to provide authorized access to resources.

To achieve the first step, agencies will want to implement what’s called the “core person model.” This model incorporates data that is unique to a person’s identity, such as his or her name as well as data related to the person’s digital identity, such as a unique credential and department affiliation. By establishing the core-person model government-wide, FICAM can standardize the information agencies will use as the enterprise digital identity and also streamline procedures for employees who may hold credentials at one or more agencies.

To achieve the second step, agencies should ensure the PIV or FIPS 201 CACs are paired with the personnel whom originally requested and received the credential. To fully ensure the security of their credentials, agencies must still authenticate transactions. Comparing a presented credential with a list of approved credentials is NOT authentication and provides little to no security. Authentication is the process of establishing confidence in the credential that was presented. Authentication must be strong, and it must occur across the enterprise. Centralized authentication will afford agencies the overall security protections they aspire to achieve and maximizing resources by using the cloud or Software as a Service (SaaS) can further reduce costs and improve efficiency for enterprise smart card authentication and authorization.

Finally, to achieve the third step, agencies will need to institute enterprise authorization of the digital identity that is effectively represented by the PIV credential. Often, this proves to be the most difficult task for technology vendors. Recognizing that a smart card is more than a username and password is the first step — username and password solutions will require add-ons and continuous upgrades to support smart card authentication and authorization. Unfortunately, most agencies have IT systems or building access control that is legacy-based; thus, the systems are designed based on what has been the status quo for decades. Leveraging credential management as the whole of identity management is a necessity for enterprise smart card use.

It’s not as difficult as it sounds

Luckily for integrators and their government clients, the first major obstacle of a FICAM program — issuing credentials — has been hurdled, with more than 4.5 million PIV cards already out there. Still, agencies should strive to achieve a point where the issuance of the credential sets the ball in motion for its actual use. It is entirely possible for PIV cardholders to receive their PIV credential, walk out of the office and immediately be able to access resources, such as entrance to required buildings, sign on to computer workstations, email encryption and even mobile device to access permitted applications.

Some agencies undoubtedly recognize the benefits of FICAM but cringe at the perceived complexity of implementation. This is where you, as a qualified systems integrator, come into the picture. Luckily, this challenge has been recognized and for dedicated vendors, it is well overstated.

The advice regarding integration of smart cards is crucial for agencies that understand the basics on implementation but struggle to see how to get from the “as-is” state to the target state.

Sit down with your government security executive customers to think and talk it over, and to peruse the roadmap.

Kevin Kozlowski is Vice President at XTec Inc., a provider of authentication and security solutions to government and commercial enterprises. Request more information about XTec at