Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management

April 6, 2018


From: Mick Mulvaney, Director, Office of Management and Budget (OMB)

SUBJECT: Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management

Public Comment Closed

The public comment period for this draft policy has closed. OFCIO is now working to review comments and will follow up with submissions if necessary. Thank you.

The White House Office of Management and Budget (OMB) is proposing a new policy to address Federal agencies’ implementation of Identity, Credential, and Access Management (ICAM) – the security disciplines that enable the right individual to access the right resource, at the right time, for the right reason.

Agencies must be able to identify, credential, monitor, and manage user access to information and information systems across their enterprise in order to ensure secure and efficient operations. In particular, how agencies conduct identity proofing,1 establish digital identities, and adopt sound processes for authentication and access control will significantly impact the security of their digital services. Additionally, as information about individuals becomes more widely available through social media or through breaches of personally identifiable information (PII), it is increasingly important that all agencies adopt identity validation solutions that enhance privacy and mitigate negative impacts to delivery of digital services and maintenance of online trust. It is also essential that agencies’ ICAM strategies and solutions are informed by risk perspectives and driven by targeted outcomes.

This memorandum sets forth the ICAM policy, providing agencies with guidance to strengthen the security of information and information systems. Specifically, it elaborates on three main areas:

  1. Implementation of effective ICAM governance;
  2. Modernization of agency ICAM capabilities; and
  3. Agency adoption of ICAM shared solutions and services.

This memorandum also outlines government-wide ICAM responsibilities, and updates previous requirements in areas such as multi-factor authentication, encryption, digital signatures, acquisition, and interoperability.

Implementation of Effective ICAM Governance

Establishing effective ICAM governance is an important part of the federal government’s continual efforts to promote robust cybersecurity. To ensure effective governance, agencies shall leverage the approaches and principles of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, Digital Identity Guidelines.2 Agencies shall also continue to follow Homeland Security Presidential Directive 12 (HSPD-12) requirements pertaining to the identity verification and credentialing of federal employees and contractors.3

To reach these goals, agencies shall:

  1. Define and implement ICAM policies, processes, and technology solutions that encompass the agency’s entire enterprise, align with the government-wide Federal ICAM Enterprise Architecture, and meet Federal policies, standards, and guidelines;4

  2. Designate an integrated ICAM office, team, or other governance structure in support of its Enterprise Risk Management capability that includes personnel from the offices of the Chief Information Officer, Chief Security Officer, Human Resources, General Counsel, Senior Agency Official for Privacy, and component organizations that manage ICAM programs and capabilities. These offices, as well as program managers and acquisition offices, should regularly coordinate to ensure that the agency’s ICAM policies, processes, and technologies are being implemented, maintained and managed consistently. This includes coordinating the deployment of capabilities and functionality provided through the Continuous Diagnostics and Mitigation (CDM) Program;5

  3. Outline enterprise-level performance expectations for cybersecurity and privacy risk management throughout each user’s lifecycle, including changes in the user’s access privileges;

  4. Develop a mechanism to streamline and automate enterprise-level performance reporting. This mechanism should align with existing and planned reporting and analytics structures and tools, such as the CDM dashboards and FISMA reporting; and

  5. Incorporate Digital Identity Risk Management6 into existing processes as outlined in NIST SP 800-63, including the selection of Identity Assurance Levels (IALs), Authentication Assurance Levels (AALs), and Federation Assurance Levels (FALs) commensurate with the risk to their digital service offerings.7

  • Agencies shall use these levels to make risk-informed decisions when selecting and using technologies implemented across the ICAM environment; and
  • Agencies should share “Digital Identity Acceptance Statements” with NIST to drive improvements to NIST SP 800-63 where applicable.

Modernization of Agency ICAM Capabilities

It is imperative that agencies implement and harmonize their ICAM capabilities, while ensuring that ICAM solutions are not fragmented or duplicative. To achieve this objective, agencies shall take the following steps to modernize their ICAM architecture:

  1. Reduce Solution Overlap: Agencies shall establish authoritative solutions for their ICAM services, promoting the most effective solutions at an enterprise level.

  2. Promote Innovation through Modularity: Agencies shall ensure that deployed ICAM capabilities are interchangeable and developed based on open Application Programming Interfaces (APIs) and/or commercial standards to promote interoperability and enable componentized development.

Agency Adoption of ICAM Shared Solutions and Services

Common shared solutions and services have been created or are in development across government to support the accelerated adoption of modern ICAM capabilities. Agencies should begin moving to ICAM shared services and should plan to incorporate new services once they are available. Current and planned shared services include:

  1. Credential Management Services: The General Services Administration (GSA) maintains the Public Key Infrastructure (PKI) Shared Service Provider Program to enable strong government oversight of service providers offering digital certificates for identity and authentication.9 Use of the PKI shared service, with standard contract language, will allow for coordinated security management and oversight and is intended to reduce the complexity of contract management at the agency level. It will also facilitate compliance with NIST standards and guidelines and Federal PKI (FPKI)10 policy requirements developed by the Federal CIO Council.

  • Agencies should leverage approved contract vehicles to procure digital certificates for identification and authentication.

  2. Accelerating the Deployment of ICAM Capabilities: The CDM program enhances the overall security posture of the federal government by providing Federal agencies with capabilities to reduce the attack surface of their respective networks, identify cybersecurity risks, and enable agencies to prioritize actions to mitigate or accept cybersecurity risks based on the potential impacts to their mission. CDM accomplishes this by working with agencies to deploy commercial off-the-shelf (COTS) tools on agency networks that provide enterprise-wide visibility of what assets, users, and activities are on their networks. This actionable information allows agencies to effectively monitor, defend, and rapidly respond to cyber incidents.

  • Agencies shall leverage the CDM Program to accelerate their procurement and deployment of tools aligned to ICAM capabilities.

  3. Identity Assurance and Authentication Service for Consumers: Improving the trust and safety of consumer transactions across the federal government is critical to digital service delivery. Shared identity assurance and authentication services, which enhance online trust and safety, will enable a streamlined customer experience and are expected to reduce costs and improve security and privacy for stored PII.11 Agencies should leverage private- or public-sector shared services, to the extent available, to achieve these objectives.

  • Agencies shall use shared service providers that align with NIST SP 800-63 security and privacy requirements;
  • Agencies should use shared service providers that are able to federate with other solutions so that customers are empowered to select the option that appropriately mitigates risk for their unique interactions across government; and
  • Agencies should use shared service providers that leverage more than one credential provider to provide resiliency in case of a compromise or other service failure with a credential provider.

  4. Identity Assurance and Authentication Services for Businesses and Partners: The federal government has supported the establishment of federated identity frameworks including FPKI, healthcare information exchanges, defense, homeland security, higher education and law enforcement. These initiatives serve as the foundation for trust between agencies and their business and mission partners. Delivered through a centralized governance model, these capabilities support an agency’s ability to choose its capabilities, improve usability, and support partnerships used to deliver services.

  • Agencies shall only accept externally issued credentials that are issued in accordance with NIST guidelines and federal government-wide ICAM requirements.

Government-wide Responsibilities

The following agencies lead Government-wide efforts to improve the management and use of digital identity.

The Department of Commerce is responsible for implementing the following actions:

  1. Develop and issue guidance to promote deployment of technology, including open source technology, that addresses agency digital identity needs such as derived Personal Identity Verification (PIV) and other credentials;

  2. Establish and develop implementation guidance for identity federation protocol(s) for use cases such as Government-to-Business that support various authenticators and identity proofing components in alignment with NIST SP 800-63;

  3. Develop criteria, in coordination with GSA, for approving products that meet the assurance levels outlined in NIST SP 800-63;

  4. Update NIST SP 800-157, Guidelines for Derived PIV Credentials, to align with NIST SP 800-63 and develop a process to identify innovative technologies and authenticators (where applicable) that can leverage the PIV process for derived credentialing for logical and physical access; and

  5. Utilize feedback, such as Digital Identity Acceptance Statements, provided by agencies to make improvements to NIST SP 800-63 and other guidance.

The General Services Administration (GSA) is responsible for implementing the following actions:

  1. Maintain and support the evolution of the government-wide FICAM Architecture and associated guidance, previously published in the FICAM Roadmap and Implementation Guidance, v2.0: FICAM Playbooks, and establish and maintain a repository for agency best practices;

  2. Manage the FIPS 201 Evaluation Program and associated Approved Products List (APL) to provide compliant and interoperable solutions for logical and physical access control, including the development of test criteria;12

  3. Establish a capability for approving products that meet assurance levels in NIST SP 800-63 leveraging the criteria developed by NIST;

  4. Provide a solution for consumer identity assurance and authentication, such as, and establish a Technical Review Board composed of agency customers and OMB, who will provide feedback and develop customer outcome metrics to inform the solution roadmap. The feedback should be made publicly available for incorporation by agencies and shared service providers;

  5. Maintain the FPKI Program to provide government with a trust framework and infrastructure to administer digital certificates and public-private key pairs;

  6. Develop and publish, in consultation with NIST, OPM, and DHS, a Physical Access Control System (PACS) security and privacy control overlay13 to help agencies identify core controls for PACS; and

  7. Determine the feasibility of expanding the USAccess program to include Derived PIV Credentials as a service offering. For those agencies not leveraging a Federal shared service for Derived PIV credentials, the FIPS 201 Evaluation Program shall establish a process so agencies may ensure the credentials they are using meet the technical specifications outlined in NIST SP 800-157.

The Office of Personnel Management (OPM) is responsible for the following actions:

  1. Update, as necessary, Federal PIV credential eligibility and vetting requirements for non-U.S. National and temporary agency employees; and14

  2. Develop, in coordination with OMB and NIST, vetting and credentialing guidance to assist agencies in making an HSPD-12 risk determination for contractors accessing Federal information systems15 and information from non-Federally controlled facilities, such as an administrator for a cloud service.16

The Department of Homeland Security (DHS) is responsible for the following actions:

  1. Ensure that the Risk Management Process for Federal Facilities: An Interagency Security Committee Standard,17 and other pertinent Interagency Security Committee (ISC) guidance, are aligned with government-wide policy for the implementation of PIV credentials;

  2. Lead R&D coordination with the interagency, private sector, and international partner stakeholders to identify ICAM mission needs with related technology capability gaps, including in particular those that cannot be solved with currently fielded technologies, and that may require additional R&D investment to reach operational deployment maturity.


The following memoranda are rescinded:

  1. M-04-04, E-Authentication Guidance for Federal Agencies

  2. M-05-05, Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services

  3. M-06-18, Acquisition of Products and Services for Implementation of HSPD-1218

  4. M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors

  5. OMB Memorandum, Requirements for Accepting Externally-Issued Identity Credentials, October 6, 2011

Policy Assistance

All questions or inquiries should be addressed to the OMB Office of the Federal Chief Information Officer (OFCIO) via email:

Attachment: Foundational ICAM Requirements

This attachment outlines additional agency requirements that are essential to achieving a vision for use of common services across government.

Listed below are the vetting and authentication requirements for the credentialing of users with access to Federally-controlled facilities and Federal information systems. Agencies shall implement processes to issue credentials in a timely manner to reduce potential loss of productivity.


Federal Employees and Contractors

Employees and contractors who require long-term19 access to Federally-controlled facilities or Federal information systems fall under the scope of Homeland Security Presidential Directive-12 and shall be issued a PIV credential in accordance with relevant policy, standards and guidelines.20 Agencies should refer to OMB M-05-24 for additional HSPD-12 applicability requirements.21

Agencies should support the use of Derived PIV Credentials for Federal employees, contractors and other users and enable applications on mobile devices to accept them. As Derived PIV Credential service offerings are approved in accordance with the established FIPS 201 requirements, the GSA Approved Products List shall include these solutions for agency use.

Non-U.S. National Federal Employees and Contractors

For non-U.S. national employees and contractors who require long-term access to Federally-controlled facilities or Federal information systems but are unable to complete the standard background investigation requirements, agencies shall follow the alternative credentialing standards outlined in OPM policy.22 In addition, persons shall meet eligibility requirements based upon the background checks and other requirements specified in the Office of Personnel Management (OPM) Credentialing Standards. Before the alternative identity credential may be issued, the agency must adhere to the vetting requirements outlined in OPM policy.

Applicability of HSPD-12 to Other Individuals

Applicability of HSPD-12 requirements to other agency specific categories of individuals (e.g., short-term (i.e., less than 6 months) guest researchers; volunteers; or intermittent, temporary or seasonal employees) is an agency risk-based decision. Background investigations and identity proofing of these individuals shall follow OPM and NIST standards. To ensure interoperability and reduce costs, it is recommended that credentials issued to these individuals leverage the PIV infrastructure.

Interoperability, Reciprocity, and Revocation of Credentials

Agencies shall implement processes to determine if an employee or contractor already possesses a valid PIV credential and leverage the existing, valid PIV credential rather than issuing a separate one, where feasible. Agency processes shall accept and electronically verify PIV credentials issued by other agencies. This is equally applicable for logical and physical access where another agency’s employee has been provisioned access. Agencies shall also implement processes to revoke or destroy credentials in a timely manner to prevent instances of unauthorized access when the credential has been compromised, the employee or contractor has been terminated, or the credential is lost.

Acquisition of Products and Services

To ensure government-wide interoperability of facility and system access control solutions, agencies shall acquire products and services that are approved to be compliant with OMB policy, NIST standards and supporting technical specifications, and included on the GSA FIPS 201 Approved Products List (APL).

The GSA serves as the executive agency for Government-wide acquisitions of information technology related to identity management initiatives.23 In this capacity, GSA maintains the GSA FIPS 201 Evaluation Program, which was developed to organize and define a standardized approval process for PIV products and services.

The Federal Acquisition Regulation, FAR, 48 C.F.R. Subpart 4.13, requires agencies to comply with FIPS 201 for contractors who require routine logical or physical access and include language to this effect in applicable solicitations and contracts. The FAR also requires that agencies purchase only approved products and services in support of their PIV implementations. All required NIST validation and GSA testing shall be met to be an approved product or service for PIV purchases. Approved products and services, which have been demonstrated to meet NIST validation and GSA testing and have been qualified by the Evaluation Program, can be found on the APL. The APL can be accessed at:

Credential Use

PIV credentials shall be used as the standard means of authentication for Federal employee and contractor access to Federal information systems.24 All systems under development shall be enabled to integrate with PIV credentials, in accordance with NIST guidelines, prior to being made operational. Additionally, when procuring services or upgrading existing systems, agencies shall require that these services or systems be enabled to use PIV credentials for authentication.25

  1. When PIV cards as a form factor are not feasible for logical access control, other IAL 3 and AAL 3 identity solutions can be used. Agencies shall consider the cross-government trusted federation and interoperability requirements established in HSPD-12 when implementing any other process and form factor.26

  2. Agencies shall require the use of the digital signature capability of PIV credentials in accordance with FPKI policy, and NIST standards and guidelines. For individuals that fall outside the scope of PIV applicability, agencies should leverage approved FPKI credentials when using digital signatures.

  3. Agencies should use the PIV credential as a means to encrypt information. Agencies shall encrypt Federal information at rest and in transit unless otherwise protected by alternative physical and logical safeguards implemented at multiple layers, including networks, systems, applications, and data, when the assessed risk indicates the need.27

Physical Access Control Requirements

Agencies shall require use of the PIV credential as the common means of authentication for Federal employee and contractor access to Federally-controlled facilities. Agencies shall ensure that use of the PIV credential for physical access to Federal buildings is implemented in accordance with The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard and NIST SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). This publication provides additional information on the use of PIV Credentials, the Government-wide standard identity credential, in physical access control systems.28

Citizens, Business Partners, and Other Partners

This section addresses the management of citizens, business partners, and other partners’ identities requiring access to Federal information systems. It is imperative that agencies ensure these users are properly authenticated using an authenticator at the appropriate AAL bound to an identity proofed at the appropriate IAL. Agencies shall:

  1. Require these users to leverage a credential at the appropriate AAL, in conjunction with the appropriate IAL, in accordance with NIST SP 800-63;

  2. Ensure that identity proofing for users is conducted in accordance with Federal standards and guidelines at the appropriate IAL;

  3. Leverage existing credentials and identity federations at the acceptable AAL, IAL, and FAL rather than standing up processes or capabilities to issue new credentials to these users;

  4. Acquire approved products and services that have been demonstrated to meet Federal policy, standards, and supporting technical specifications by the GSA FIPS 201 Evaluation Program and made available on the Approved Products List; and

  5. Implement robust practices and technologies for the efficient, secure management of user identity data, and minimize the collection and storage of user identity data to only the data necessary to manage access and detect fraud, while protecting it using Federally-approved encryption methods.



  1. Identity proofing is a process in which an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert that identity at a useful identity assurance level. For definitions like this, see NIST Special Publication 800-63, Digital Identity Guidelines available at:

  2. NIST Special Publication 800-63, Digital Identity Guidelines is available at:

  3. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors is available at NIST FIPS 201, Personal Identity Verification of Federal Employees and Contractors, and associated NIST special publications outline more specific requirements pertaining to the identity verification and credentialing of Federal employees and contractors. Since FIPS 201 was originally issued in 2005, the PIV standards have evolved to provide for the use of alternative form factors in addition to a smartcard. A copy of FIPS 201 and associated NIST publications may be located at:

  4. Ibid. FICAM Enterprise Architecture information is available at:

  5. The Continuous Diagnostics and Mitigation (CDM) Program provides DHS, along with Federal agencies, with capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. Congress established the CDM program to provide adequate, risk-based, and cost-effective cybersecurity and to more efficiently allocate cybersecurity resources. Information on CDM is available at:

  6. Requirements in NIST Special Publication 800-63 provide specific guidance related to digital identity risk (inclusive of privacy) that agency relying parties apply while executing all relevant RMF lifecycle phases. Digital identity risk management does not establish additional risk management processes for agencies.

  7. Federal employees and contractors are required to be identity proofed and credentialed in accordance with OMB and OPM policy. Therefore, digital identity risk assessments described in NIST SP 800-63 complement, rather than supersede, the guidance and requirements of M-05-24 related to identity assurance and authenticator assurance levels for Federal employees and contractors with long-term access. Refer to and Final Credentialing Standards for Issuing Personal Identity Verification Cards Under HSPD-12 (or current guidance).

  8. Information on ICAM services is available at:

  9. A comprehensive list of certified PKI service providers for the Federal Government is available at

  10. Federal PKI provides the government with a common infrastructure to administer digital certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.

  11. Per 6 U.S.C. § 1523(b)(1)(D), agencies shall implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication, as developed by the Administrator of General Services in collaboration with the Secretary. Refer to 6 U.S.C § 1523 (b)(2) for exceptions.

  12. GSA maintains a Special Item Number (SIN) on Information Technology (IT) Schedule 70 for the acquisition of approved HSPD-12 Implementation Products and Services. All logical and physical access control products and services provided via GSA acquisition vehicles shall be included on Schedule 70.

  13. An “overlay” is a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. For additional information on developing security control baselines, refer to OMB Circular A-130, Managing Information as a Strategic Resource, and NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. These documents are available at: and

  14. Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12,

  15. Per OMB Circular A-130, “Federal information system” means an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency.

  16. Per M-05-24, “Applicability for access to Federal systems from a non-Federally controlled facility (e.g. a researcher up-loading data through a secure website or a contractor accessing a government system from their own facility) should be based on the risk determination required by existing National Institute of Standards and Technology (NIST) guidance.” The security categories outlined in NIST FIPS 199, Standards for Security Categorization for Federal Information and Information System, assist in making a risk determination by providing a common framework and understanding for expressing security. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.

  17. The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard defines the criteria and processes that those responsible for the security of a facility should use to determine its facility security level, and provides an integrated, single source of physical security countermeasures. The guidance is available at:

  18. The acquisition requirements included in M-06-18 are also included in M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, which continues to remain in effect.

  19. In accordance with OMB M-05-24, “long-term” is defined as a duration of 6 months or longer. Additional applicability requirements for HSPD-12 are described in OMB M-05-24.

  20. Refer to OMB M-05-24, NIST FIPS 201, and NIST SP 800-series guidelines related to PIV issuance, use, and management, as well as the OPM Federal Investigative Standards and OPM Credentialing Standards.

  21. PIV-Interoperable (PIV-I) credentials may be issued to individuals that do not meet the PIV applicability requirements outlined in OMB M-05-24. For example, a PIV-I credential may be issued to temporary/seasonal employees, visiting scientists and guest researchers, or contractor personnel requiring access for less than six (6) months; non-U.S. nationals with insufficient residency in the U.S. to satisfactorily conduct the background investigation; and personnel operating outside the contiguous U.S. under special risk security considerations, as outlined in FIPS 201. A copy of the PIV-I guidance may be located at

  22. Refer to Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12, (or current guidance).

  23. This designation is given to the GSA in accordance with section 5112(e) of the Clinger-Cohen Act of 1996 (40 U.S.C. § 11302(e)).

  24. Per OMB Circular A-130, “Federal information system” means an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency.

  25. For Federal information systems accessed by citizens, business partners or others that fall outside the scope of PIV requirements, these systems must be enabled to support the appropriate level of assurance in accordance with NIST SP 800-64 for these users.

  26. PIV cards meet IAL 3 and AAL 3 in accordance with NIST 800-63. To assess the reliability of issuers of PIV cards, and Derived PIV Credentials, agencies should follow NIST SP 800-79, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI).

  27. In accordance with Executive Order 13556, the Controlled Unclassified Information Executive Agent (CUI EA) issues guidance on the implementation of specific measures to safeguard CUI, including encryption for CUI at rest and in transit.

  28. PACS are considered information systems, and they include, for example, servers, databases, workstations and network appliances in either shared or isolated networks.