What Is FICAM and How Does It Affect Your Organization?

So, what does FICAM even stand for?

The acronym stands for Federal Identity, Credential, and Access Management (FICAM) Architecture.

FICAM is the Federal Government's implementation of Identity, Credential, and Access Management (ICAM). ICAM is the set of tools, policies, and systems that an agency uses to enable the right individual to access the right resource, at the right time, for the right reason, in support of federal business objectives.

FICAM was created in 2009, with major updates in 2015 and 2020. It is supplemented with policies from stakeholders across the government, including the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), the Department of Commerce (DOC), the General Services Administration (GSA), the Office of Personnel Management (OPM), and the Office of Management and Budget (OMB). Implementing FICAM aligns your organization with Federal security and privacy initiatives by unifying information technology (IT) services and improving both physical access control and information security decisions.


FICAM implementation consists of five practice areas:

1. Identity Management
2. Credential Management
3. Access Management
4. Federation
5. Governance


Identity Management is how an organization handles the identities of federal government employees, contractors, and authorized partners, not customers or members of the public. An identity consists of a variety of attributes, including but not limited to name, contact information, and job title. The identifier for an individual must be a unique attribute, such as an assigned Personal Identity Verification (PIV) card number.


Credential Management is how an agency issues, manages, and revokes credentials linked to specific identities. A credential is a data structure that authoritatively confirms the identity of an individual. Unlike identities, credentials can expire or be modified as necessary.


Access Management is how an agency authenticates enterprise identities and authorizes appropriate access to protected services. The level of authentication required most often depends on the importance of the secured resource or facility. Authentication procedures can be as simple as having an individual self-assert an identifier, or as complex as having an individual present both a physical token, such as a PIV card, and biometric information, such as fingerprints.


Federation is the technology, policies, standards, and processes that allow an agency to accept digital identities, attributes, and credentials managed by other agencies. To achieve federation, separate organizations must align their ICAM policies to ensure interoperability. Organizations should share identity-proofing confirmations with each other where possible, reducing the burden on individuals who would otherwise have to submit identification data to multiple organizations to access Federal government resources. Appropriate consent and privacy protections should always be in effect.

Governance is the set of practices and systems that guides ICAM functions, activities, and outcomes. Data analytics is critical to this practice area. Real-time monitoring and periodic audits should be used to ensure that employees and contractors access only the resources they need. Improper access permissions should be corrected as quickly as possible, and policies should be reviewed regularly to ensure compliance with the latest updates to FICAM standards.
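To make the five practice areas concrete, here is an added example in Python; it is not from the original post and does not implement any FICAM or FIPS 201 specification. The assurance levels, factor names, PIV numbers, resources and the access log are all constructed for illustration. It models an identity with a unique identifier and entitlements (Identity Management), a credential that can expire or be revoked (Credential Management), an access decision that checks the credential binding, its validity, the factors the resource demands and the person's need (Access Management), and an audit that compares granted accesses against current entitlements (Governance).

```python
from dataclasses import dataclass
from datetime import date

# Constructed assurance scale for this example: the level numbers and
# factor names are illustrative, not FICAM's or FIPS 201's own definitions.
REQUIRED_FACTORS = {
    1: {"identifier"},                              # self-asserted identifier
    2: {"identifier", "pin"},                       # plus something you know
    3: {"identifier", "piv_card"},                  # plus a physical token
    4: {"identifier", "piv_card", "fingerprint"},   # token plus biometric
}


@dataclass(frozen=True)
class Identity:
    """Identity Management: attributes about an employee or contractor."""
    piv_number: str            # the unique identifier attribute
    name: str
    job_title: str
    entitlements: frozenset    # resources this person has a need to access


@dataclass
class Credential:
    """Credential Management: a data structure bound to one identity."""
    piv_number: str
    expires: date
    revoked: bool = False

    def is_valid(self, today: date) -> bool:
        # Unlike identities, credentials expire and can be revoked.
        return not self.revoked and today <= self.expires


@dataclass(frozen=True)
class Resource:
    name: str
    assurance_level: int       # importance of the secured resource or facility


def authorize(identity, credential, resource, presented_factors, today):
    """Access Management: right person, right resource, right time, right reason.

    Returns (allowed, reason) so a PACS can log why a decision was made."""
    if credential.piv_number != identity.piv_number:
        return False, "credential is not linked to this identity"
    if not credential.is_valid(today):
        return False, "credential expired or revoked"
    missing = REQUIRED_FACTORS[resource.assurance_level] - set(presented_factors)
    if missing:
        return False, "missing authentication factors: " + ", ".join(sorted(missing))
    if resource.name not in identity.entitlements:
        return False, "no business need for this resource"
    return True, "ok"


def audit(access_log, identities):
    """Governance: review granted accesses against current entitlements.

    access_log entries are (piv_number, resource_name, granted) tuples.
    Returns the (piv_number, resource_name) pairs that need correction."""
    by_piv = {i.piv_number: i for i in identities}
    findings = []
    for piv_number, resource_name, granted in access_log:
        if not granted:
            continue
        identity = by_piv.get(piv_number)
        if identity is None or resource_name not in identity.entitlements:
            findings.append((piv_number, resource_name))
    return findings


# Constructed sample data (PIV numbers, names and resources are made up).
ALICE = Identity("PIV-0001", "Alice Example", "Analyst", frozenset({"lobby", "data_center"}))
BOB = Identity("PIV-0002", "Bob Example", "Contractor", frozenset({"lobby"}))
IDENTITIES = [ALICE, BOB]
ALICE_CRED = Credential("PIV-0001", expires=date(2026, 12, 31))
BOB_CRED = Credential("PIV-0002", expires=date(2024, 1, 31))   # expired relative to TODAY
LOBBY = Resource("lobby", assurance_level=1)
DATA_CENTER = Resource("data_center", assurance_level=4)
TODAY = date(2025, 6, 1)

# Constructed access log: one granted access has no entitlement behind it.
ACCESS_LOG = [
    ("PIV-0001", "data_center", True),
    ("PIV-0002", "lobby", True),
    ("PIV-0002", "data_center", True),   # improper: Bob has no data_center need
    ("PIV-9999", "lobby", False),        # denied, so nothing to flag
]

if __name__ == "__main__":
    print(authorize(ALICE, ALICE_CRED, DATA_CENTER, {"identifier", "piv_card", "fingerprint"}, TODAY))
    print(authorize(ALICE, ALICE_CRED, DATA_CENTER, {"identifier", "piv_card"}, TODAY))
    print(authorize(BOB, BOB_CRED, LOBBY, {"identifier"}, TODAY))
    print(audit(ACCESS_LOG, IDENTITIES))
```

The ordering of the checks in `authorize` is deliberate: the binding between credential and identity and the credential's validity are decided before any entitlement is consulted, so an expired or revoked card is rejected even for a resource the holder is otherwise allowed to use, and the returned reason gives the audit trail the Governance practice area asks for.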


Why should the private sector care about FICAM?


The private sector should pay attention to FICAM regulations because they can affect an organization's current or future eligibility to work with the Federal government, and not understanding the security requirements can lead to procuring and installing a non-compliant Physical Access Control System (PACS). Physical access control systems that meet FICAM requirements are available today, but compliance with the specifications requires more than just installing any security system.

Individual products and services must be evaluated for security vulnerabilities and interoperability under the FIPS 201 Evaluation Program. Security system components, both hardware and software, that meet the requirements are added to the Approved Products List (APL). Note that products can lose their FIPS 201 certification; if this occurs, they are placed on the Removed Products List (RPL). For more information on approved products, including how to purchase them, please visit the Buy Page.

So what can you do?

Many of you understand why the government would want a unified system for rapidly authenticating a person's digital identity credential and determining whether they have permission to access a secure location, but some of you are probably wondering why you, as private sector companies, should care. The key to that comes from the last clause in the description of FICAM: for the right reason in support of federal business objectives.

In the local area, that most frequently means a company conducts business on, with, or under the jurisdiction of the Georgia Ports Authority. If your employees are issued TWIC cards, then you are already subject to aspects of FICAM, whether you were aware of it or not. For those not familiar with TWIC, it stands for Transportation Worker Identification Credential; the card is required by the Maritime Transportation Security Act for workers who need access to secure areas of the nation's maritime facilities and vessels. To receive one, the Transportation Security Administration (TSA) conducts a security threat assessment (a fancy term for a background check) to determine a person's eligibility and then issues the credential.

For government facilities, security requirements are laid out in FIPS 201 (Federal Information Processing Standard Publication 201), the Personal Identity Verification (PIV) specification. FIPS 201 and a few other major sources of FICAM-related standards will be covered in greater depth later in the presentation. For right now, the important thing to remember is that there are many requirements in place to ensure your security system is compliant. To meet them, you need to make sure your security system uses NDAA (National Defense Authorization Act) compliant, GSA-approved equipment AND that it can properly verify identities against Federal databases.

If you are responsible for implementing PACS, it is important that you know what type of system is currently required or may be required in the near future for your organization.

If you want to learn more about FICAM and other government regulations that may affect your organization, reach out to our team of experts!