Model:
Summary:
The FICAM Model
The Federal Identity, Credential, and Access Management (FICAM) framework is designed to enhance the security and efficiency of federal agencies by providing a structured approach to managing digital identities, credentials, and access. This comprehensive model outlines five core service areas: identity management, credential management, access management, federation, and governance. Each area is detailed with specific services that help agencies implement robust security measures and ensure compliance with federal standards and policies.
FICAM Services Summary
- Identity Management: focuses on establishing and maintaining digital identities.
  - The Creation service establishes an identity using attributes that define a person or entity.
  - Identity Proofing connects digital identities to real-world entities using various validation methods.
  - Provisioning manages the lifecycle of accounts and entitlements, including creation, management, and deprovisioning.
  - Maintenance ensures that identity records are accurate and up-to-date throughout their lifecycle.
  - Identity Aggregation reconciles and links disparate identity records for the same entity.
  - Deactivation removes or suspends enterprise identity records when they are no longer needed.
- Credential Management: covers the processes of issuing and maintaining credentials.
  - Sponsorship formally establishes the need for a credential.
  - Registration collects the information necessary to issue the credential.
  - Generation & Issuance assigns credentials, ensuring they are activated and tokens are provided.
  - Maintenance includes renewing, resetting, suspending, and reissuing credentials throughout their lifecycle.
  - Revocation involves terminating credentials or deactivating authenticators when they are no longer valid.
- Access Management: defines how access to resources is controlled and monitored.
  - Policy Administration involves creating and maintaining the technical access requirements that govern protected services.
  - Authentication verifies that claimed identities are genuine through validation processes, including two-factor and multi-factor authentication.
  - Authorization determines access permissions based on policies, identity attributes, and entitlements, granting or denying access accordingly.
  - Privileged Access Management secures accounts with elevated permissions, protecting critical configurations and data from unauthorized access and potential misuse.
- Federation: focuses on establishing trust and enabling interoperability between different systems.
  - Policy Alignment develops relationships and mutual understanding between parties through established authorities, policies, standards, and principles.
  - Authentication Broker transforms authentication events into alternative formats to support secure access across different systems.
  - Attribute Exchange involves discovering and sharing identity attributes to promote consistent access decisions and system interoperability.
- Governance: ensures that identity, credential, and access management practices align with organizational policies and standards.
  - Identity Governance links enterprise personnel, applications, and data to help manage access and mitigate risk.
  - Analytics leverages continuous data collection and monitoring to identify conflicts in entitlements and ensure compliance with access requirements.
  - Mitigation addresses identified risks and corrects problems through redress and remediation efforts, ensuring ongoing security and compliance.
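The Access Management services listed above (Policy Administration, Authentication, Authorization, and Privileged Access Management) can be illustrated by a single policy-decision flow. The following is an added example written for this summary; it is not code from CISA's ICAM reference architecture or from NIST SP 1800-35. The rule store, the resource names, the "agency" attribute, and the entitlement names are constructed placeholders, and the just-in-time elevation helper stands in for whatever approval workflow a real PAM product would impose.

```python
"""Added example: a deny-by-default policy decision combining the four
FICAM Access Management services.  All names and values are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Subject:
    """An identity as the policy decision point sees it after authentication."""
    identity_id: str
    attributes: Dict[str, str]                  # identity attributes, e.g. agency
    entitlements: Set[str]                      # entitlements granted by provisioning
    authenticated: bool = False
    authn_factors: int = 0                      # distinct factors verified (2 = MFA)
    elevation_expires: Optional[datetime] = None  # PAM just-in-time elevation


@dataclass
class Rule:
    """One technical access requirement maintained by Policy Administration."""
    resource: str
    action: str
    required_entitlements: Set[str] = field(default_factory=set)
    required_attributes: Dict[str, str] = field(default_factory=dict)
    min_factors: int = 1                        # 2 = two-factor or stronger
    privileged: bool = False                    # needs an active PAM elevation


# Constructed policy store (stands in for the policy administration service).
POLICY: List[Rule] = [
    Rule("hr-records", "read", {"hr-reader"}, {"agency": "ABC"}, min_factors=2),
    Rule("hr-records", "write", {"hr-editor"}, {"agency": "ABC"}, min_factors=2),
    Rule("idp-config", "admin", {"idp-admin"}, min_factors=2, privileged=True),
]


def find_rule(resource: str, action: str) -> Optional[Rule]:
    """Look up the rule governing (resource, action); None means nothing grants it."""
    for rule in POLICY:
        if rule.resource == resource and rule.action == action:
            return rule
    return None


def grant_elevation(subject: Subject, minutes: int,
                    now: Optional[datetime] = None) -> Subject:
    """PAM: issue a time-bound elevation (hypothetical approval step assumed done)."""
    now = now or datetime.now(timezone.utc)
    subject.elevation_expires = now + timedelta(minutes=minutes)
    return subject


def authorize(subject: Subject, resource: str, action: str,
              now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (decision, reason).  Every branch except the last is a denial."""
    now = now or datetime.now(timezone.utc)
    rule = find_rule(resource, action)
    if rule is None:
        return False, "no-rule"                     # deny by default
    if not subject.authenticated:
        return False, "not-authenticated"
    if subject.authn_factors < rule.min_factors:
        return False, "insufficient-factors"        # policy demands MFA
    if not rule.required_entitlements <= subject.entitlements:
        return False, "missing-entitlement"
    for name, value in rule.required_attributes.items():
        if subject.attributes.get(name) != value:
            return False, f"attribute-mismatch:{name}"
    if rule.privileged:
        exp = subject.elevation_expires
        if exp is None or now >= exp:
            return False, "no-active-elevation"     # elevated rights are JIT only
    return True, "allow"


if __name__ == "__main__":
    admin = Subject("u3", {"agency": "ABC"}, {"idp-admin"}, True, 2)
    print(authorize(admin, "idp-config", "admin"))   # denied: no elevation yet
    grant_elevation(admin, 30)
    print(authorize(admin, "idp-config", "admin"))   # allowed for 30 minutes
```

The reason string is what an access-management log should carry: it lets Analytics (under Governance) distinguish a missing entitlement from a missing second factor or an expired elevation, which is the data needed to spot entitlement conflicts and verify compliance with the access requirements.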
Summary
The FICAM model provides a detailed and structured approach to managing digital identities, credentials, and access within federal agencies. By focusing on identity management, credential management, access management, federation, and governance, FICAM helps organizations enhance their cybersecurity measures, streamline operations, and comply with federal regulations. Implementing these services ensures that agencies can effectively protect sensitive information and maintain a robust security posture.
Sources:
CISA - Identity, Credential, and Access Management (ICAM) Reference Architecture
NIST SP 1800-35 - Implementing a Zero Trust Architecture - Privileged Access Management
Quotes:
"Identity and access management is at the heart of cybersecurity; it is critical to verify that people are who they say they are and that they have the appropriate access to systems and data." - Bruce Schneier