Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal Government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a Federal Government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

FICAM is the foundation for ZT adoption

FICAM is the foundation for U.S. Government agencies to mature towards Zero Trust cyber security architecture. Implementing identity credentials and access management concepts, policies, procedures and playbooks provides agencies a Zero Trust implementation strategy framework. The FICAM Key ICAM components directly help implement Zero Trust Architecture with:

  • Person and non-person entities - authenticate all users before providing access. Managing identities and providing secure MFA credentials is the first step in knowing who is requesting access.
  • Endpoints - in addition to authenticating users, Zero Trust requires authenticating and approving endpoints, such as workstations, mobile devices, or internet of things devices.
  • Data, assets, applications, and services - definition and implementation of access policies are needed to implement the continuous evaluation aspect of Zero Trust.

Zero Trust cannot be achieved without strong identity management and mature ICAM capabilities for person and non person entities. OMB M-22-09, the Federal Zero Trust Strategy and CISA Zero Trust Maturity Model version 2.0 are a comprehensive set of access control policies and guidelines, setting the foundation for agencies to implement a Zero Trust architecture and related initiatives for your agency.

Definition

Zero Trust concepts assume there is no implicit trust granted to assets or user accounts based on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

FICAM areas aligned to M-22-09

Privileged user is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users cannot perform—also known as a privileged IT user, privileged network user, or superuser. FICAM Privileged Identity Playbook is a great place to start with ensuring robust management of privileged users and identities.

Phishing resistant authenticator is usually immune to social engineering type of attacks and provides a greater level of security and resilience than traditional authenticators. The FICAM team has created a Phishing Resistant Authenticator Criteria to help agencies accelerate adoption of phishing resistant authenticators. This criteria is a starting point for agencies to get started in their journey towards phishing resistant authenticators as they enhance their identity management systems. In addition, phishing resistant playbook helps agencies get a head start in implementing the concepts, saving agencies time and money.

Single Sign On centralizes application access for agency employees and contractors, or federate access with other federal executive agencies. Leveraging the Enterprise Single Sign On Playbook will help agencies with enhanced management control of identities in a consolidated manner. Agencies are encouraged to use this playbook to centralize application access for agency employees and contractors, or federate access with other federal executive agencies.

User authorization is a decision whether to grant access to a user or machine account following authentication. Authorization to resources can be fine grained to help achieve attribute based access vs the traditional role based access. FICAM has resources to help agencies with user authorization management activities as part of their ICAM solutions. Agencies can get started by leveraging Cloud Identity Playbook as a starting point. This playbook provides practical guidance to assist federal agencies startor further expand their use of workforce identity credential, and access management services in a cloud operating model.

Identity lifecycle management encompasses the activities of creating, identity proofing, vetting, provisioning, aggregating, maintaining, and deactivating digital identities on an agency’s enterprise ICAM systems. The FICAM team provides a detailed Identity Lifecycle Management Playbook to help shift the focus from managing the access based on credentials to managing the entire lifecycle of identities.

FICAM alignment to CISA Zero Trust Maturity Model

The CISA Zero Trust Maturity Model is a good place to start while agencies plan their Zero Trust implementation journey. This model has five pillars that complement each other as part of the overall objective to achieve continued modernization efforts related to Zero Trust within a rapidly evolving technology landscape. One of the main pillars of this model is Identity that is in line with the FICAM framework. Even though this maturity model is one of the many paths to zero trust, it leads agencies to success by providing guidance. Use IDManagement resources to achieve Identity pillar objectives defined within this maturity model efficiently.

Functions and guidance

Identity function FICAM guidance
Authentication - agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.
  • Phishing-resistant authenticator playbook (coming soon)
  • WHfB Configuration Guide
  • Azure CBA Configuration Guide
  • PIV Implementation Guide
Identity stores - agencies securely integrate their identity stores across all partners and environments as appropriate.
  • ILM Playbook
  • CDM MUR Architecture
  • Privileged Identity Playbook
Risk assessments - agencies determine identity risk in real time based on continuous analysis and dynamic rules to deliver ongoing protection.
  • DIRA Playbook
  • Cloud Identity Playbook
Access management - agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs.
  • CISA Hybrid Identity Playbook
  • Cloud Identity Playbook
  • SSO Playbook
Visibility and analytics capability - agencies maintain comprehensive visibility and situational awareness across enterprises by performing automated analysis over user activity log types, including behavior-based analytics.
  • SSO playbook
  • ILM Playbook
  • Privileged Identity Playbook
  • NIST NCCOE PAM Guide
Automation and orchestration capability - agencies automate orchestration of all identities with full integration across all environments based on behaviors, enrollments, and deployment needs.
  • SSO Playbook
  • ILM Playbook
Governance capability - agencies implement and fully automates enterprise-wide identity policies for all users and entities across all systems with continuous enforcement and dynamic updates.
  • CISA Hybrid Identity Playbook
  • Cloud Identity Playbook
  • SSO Playbook
  • Privileged Identity Playbook

IDManagement.gov

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?
Visit USA.gov

This site is a collaboration between GSA and the Federal CIO Council. It is managed by the Identity Assurance and Trusted Access Division in the GSA Office of Government-wide Policy.

Edit this page