Meeting the US Government’s ICAM Requirements

Meeting the US Government’s ICAM Requirements

ICAM (Identity, Credential and Access Management) is a key information security requirement for the US government. Whether you are in government or serve the government as a supplier, these requirements matter. You may already have an identity and access management program in place. However, that program may be fully aligned with ICAM expectations.

Before you invest in new systems or training, start with the fundamentals. Let’s dig into ICAM and what it requires from organizations.

Step 1: Know The ICAM Requirements

Managed by the US General Services Administration, ICAM is a US government program to guide organizations in effectively managing IT security.

What Is The Scope of ICAM?

While ICAM impacts technology, it is a mistake to view it exclusively as a technical standard. It has a much broader scope. According to federal guidance, “Identity, credential and access management (ICAM) comprises the tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources.” Your technology (i.e. tools), policies and processes all need to work together to achieve ICAM success.

Identity Management

ICAM starts with a strong focus on managing identity information. This process is critical to ensure that changes, approvals and other transactions are approved by the right individuals. For example, you might use identity management to restrict approval for large invoice approvals to individuals with a certain level (e.g. senior managers or directors).

Key points for Identity management under ICAM:

●  Protection of PII. Identity management systems often require PII (i.e. personally identifiable information). Such data must be thoroughly protected since it may enable fraud if it is disclosed.

●  Lifecycle requirement: Identity information needs to be managed through the lifecycle. A “one and done” approach is not acceptable for managing identities.


A credential is a token controlled by a person. For example, credentials may include passwords and security key cards. These items must be strictly controlled and tracked to maintain ICAM compliance.

Key points for credentials management under ICAM:

●  Credential Expiration. All credentials should have an expiration date and be managed accordingly.

●  Credential Sponsorship. Every credential must be sponsored by an individual. For example, a credential for an analyst may be sponsored by a manager.


Access is related to the above principles, but it has its requirements as well. Specifically, access governs when and how individuals can access resources. For example, an intelligence agency would need extraordinary access controls to prevent disclosure of classified information.

Key points for access management under ICAM:

●  Enable access. ICAM is more than data protection. ICAM also requires that organizations proactively enable information access so people can be productive at work. Therefore, ICAM has expectations that access is extended to facilitate productivity.

●  Maintain Access Policy Controls. To align with ICAM, you need to define what a given access level provides to a user. For instance, you may prohibit most employees from modifying their salary levels in an HR system.

Step 2: Self-Assess Your Organization’s ICAM Status

Now you need to find out where your organization’s processes, policies and technology stand to ICAM. To cover your whole organization, we recommend giving yourself a score of 0-10 in each of the following areas.

●  Identity. Measure your organization’s approach to managing identity information throughout the lifecycle.

●  Credentials. Assess all of your credentials including digital credentials, hardware tokens and physical security items (e.g. badges and keys)

●  Access. Evaluate how well your organization responds to changing access requirements. For example, have you carried out an access review to see if access privileges are adequately organized?

As you go through this self-assessment exercise, note specific systems, policies and users where there are problems. You will need to capture those details to make ICAM compliance improvements.

Tip: Remember to keep in mind that ICAM is also concerned with enabling access and productivity. Therefore, you should avoid limiting your self-assessment to security matters alone. Make sure you ask users about the work effort involved in using your current systems.

Step 3: Prioritize ICAM Compliance Gaps

From the step above, you will end up with a large document showing your maturity in terms of achieving ICAM. In this step, you need to make some difficult decisions. Segment the issues and gaps into two categories: quick wins and projects.

Quick wins will move you closer to ICAM compliance in less than thirty days. For example, you can update a company policy and start the approval process reasonably quickly.

Projects will require several months of effort, new tools and support to implement. You might find that access levels are not being monitored adequately as people change jobs in the company.  If you rely on manual processes like a central spreadsheet, you need an access management software solution. That’s the best way to achieve consistency.

Step 4: Recommend ICAM Improvement Projects

Based on your analysis, it is time to recommend projects to your executives. If your organization has to become ICAM compliant, focus your efforts on the projects that will provide the most benefit. Specifically, a successful ICAM improvement project should cover the following areas:


Create and update policy documents in your organization to translate ICAM requirements to your context. You can reference ICAM documents, but make sure you translate these ideas so employees can easily understand them.


If you scored low on ICAM compliance during your self-assessment, your staff would probably need guidance to get up to speed. The new training should cover both technical topics (e.g. how to use an IT security chatbot) and security principles.


Make a business case for identity and access management software like a password management tool. Without specialized tools, it is difficult to achieve ICAM compliance consistently.

Why Get Started With ICAM Even If You Are Outside of Government

If you are in the US government, ICAM compliance is an immediate priority. What about everyone else? There is mounting concern about the increasing number of cyberattacks. As an IT security manager, you need to show that you are keeping up with industry best practices. By implementing ICAM, you are more likely to keep your organization safe.

Written by Nelson Cicchitto