Identity & Access Management

Policy Overview

The memorandum OMB M-19-17 in May 2019, Identity, Credentialing, and Access Management (ICAM), sets forth the Federal Government's latest ICAM policy and overrides a number of prior OMB memos dating to 2004.

Generally speaking, ICAM comprises the tools, policies, and systems that allow an organization to manage, monitor, and secure access to protected resources. To ensure secure and efficient operations, agencies of the Federal Government must be able to identify, credential, monitor, and manage subjects that access Federal resources. This includes information, information systems, facilities, and secured areas across their respective enterprises. In particular, how agencies conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of their services, as well as individuals' privacy.

Furthermore, in line with the Federal Government's updated approach to modernization, it is essential that agencies' ICAM strategies and solutions shift from the obsolete Levels of Assurance (LOA) model towards a new model informed by risk management perspectives, the Federal resource accessed, and outcomes aligned to agency missions. To set the foundation for identity management and its usage to access physical and digital resources, agencies must implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3 and any successive versions (hereafter referred to as NIST SP 800-63). While NIST SP 800-63 is the foundation for digital identity, agencies must use it in combination with the remaining suite of publications that relate to identity management issued by NIST, the Office of Personnel Management, and the Department of Homeland Security, to form a comprehensive approach to identity proofing that safeguards privacy and security.