
Oct 21 2024
Security

FICAM: A Foundation for Zero Trust and IT Compliance

This security framework for identity, credential and access management builds protection for government systems.

With the most recent Federal Information Security Modernization Act (FISMA) report to Congress cataloging 11 major incidents at federal agencies in fiscal 2023, there is a clear need to keep improving cybersecurity across government. A key component is the Federal Identity, Credential and Access Management (FICAM) program, created in 2009.

FICAM supports modernized security policies and solutions, allowing risk-based decision-making, automating identity and access management processes and moving access protections closer to the data. This unique federal government approach to identity, credential and access management is a Federal CIO Council initiative managed by the General Services Administration’s Office of Government-wide Policy.


FICAM Acts as a Cross-Agency Security Umbrella

FICAM mirrors the private sector ICAM approach in many ways. Where it differs is in its overarching holistic approach, providing a standardized, governmentwide framework that emphasizes interoperability, security and compliance based on government requirements across all agencies.

“While traditional ICAM systems may focus on managing identity and access within a single organization, FICAM promotes cross-agency collaboration through identity federation and ensures alignment with federal policies such as National Institute of Standards and Technology guidelines,” says Henry Bagdasarian, founder and president of the Identity Management Institute.


This cross-agency collaboration is a key aspect of FICAM as it reduces infrastructure redundancies and overlapping administrative processes. It also enables agencies to efficiently extend secure services not only to federal staff but also to contract employees and third-party resources.

Most important, FICAM reduces the risk of identity theft and data breaches by strengthening agency procedures for authentication, authorization, logging and reporting. Those same controls also support alignment with privacy regulations such as the California Consumer Privacy Act and the EU's General Data Protection Regulation.


FICAM Secures the User Experience

The issuance of personal identity verification (PIV) credentials to personnel plays a big role in FICAM's success. The PIV card, a smart card that carries PKI certificates and is unlocked with a PIN, is at the heart of FICAM: one credential serves both physical access to facilities and logical access to systems, provides two-factor authentication (the card plus the PIN) and enables single sign-on across agency applications. But balancing risk avoidance with ease of use can be a challenge.

“A good ICAM system lets you operate with a reasonable amount of risk while still staying secure,” says Terry Halvorsen, vice president of federal client development for IBM and former CIO for the Department of Defense.

“I always advise agencies to concentrate on the user experience,” says Sean Frazier, federal chief security officer for Okta. “Security is important, but you have to keep the user experience foremost in practice. If it becomes onerous, users just won’t use it. They will avoid it, which leads to insecure activity by users.”


Identity, Credential and Access Management for FICAM

The effectiveness of FICAM comes from how it weaves together multiple cybersecurity practices into a strong, secure fabric. The main practices are the three that give it its name: identity management, credential management and access management.

On their own, these three practices go a long way toward securing agencies. But it is governance (a framework of processes and systems) and federation (supporting interoperability across agencies) that binds these practices into the robust cybersecurity approach that is FICAM.

“Interoperability ensures that diverse technologies and platforms can work together efficiently, supporting collaboration and information sharing while maintaining security and compliance,” Bagdasarian says. “These capabilities are essential for a cohesive identity management strategy.”

“Interoperability is necessary because different agencies have different systems,” Frazier says. “There’s legacy technology and all of these commercial partners that need to be accommodated, as well as more modern, open standards like SAML and FIDO2.”

How Agencies Can Implement FICAM Improvements

In the 15 years since its creation, FICAM has been widely adopted across federal agencies. But effective risk management requires that FICAM strategies be continuously reviewed and updated. Multifactor authentication has proved effective at preventing account compromise, and phishing-resistant forms of it are the strongest. To encourage wider adoption, CISA has been advocating that agencies implement phishing-resistant MFA, naming FIDO2 alongside PKI-based PIV as the methods that qualify.

FIDO2 is an open standard made up of two specifications: the W3C's WebAuthn, the browser API through which a website requests a credential, and the FIDO Alliance's CTAP, the protocol the browser uses to talk to the authenticator. Together they enable passwordless, public-key authentication among servers, browsers and authenticators. The authenticator can be a roaming hardware security key or a platform authenticator built into a laptop or phone, and it is unlocked locally with a PIN or a biometric such as a fingerprint or face scan; the biometric never leaves the device. Because each credential is bound to the website's origin and the private key never leaves the authenticator, a phishing site cannot capture anything reusable. But FIDO2 does present some challenges.
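To make the origin binding concrete, here is an added example, not code from the article or from any agency system, of the checks a relying party performs on a WebAuthn login assertion, run once for a genuine login and once for an assertion relayed from a look-alike site. The RP name login.agency.gov, the look-alike domain and the fakeAuthenticator type are all constructed for the example; the authenticator is a simulation with an in-memory P-256 key, not a real CTAP device.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData JSON the browser builds; the
// authenticator signs over its SHA-256 hash, so the RP can trust its fields.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}

// verifyAssertion applies the relying-party checks of WebAuthn section 7.2
// to the three fields of a navigator.credentials.get() response.
func verifyAssertion(rpID, origin string, challenge []byte, pub *ecdsa.PublicKey,
	clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type: " + cd.Type)
	}
	ch, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(ch, challenge) {
		return errors.New("challenge mismatch (replayed or stale assertion)")
	}
	// The browser sets origin; page script cannot, so a look-alike site never matches.
	if cd.Origin != origin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	if len(authData) < 37 { // rpIdHash(32) || flags(1) || signCount(4)
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to another RP")
	}
	if flags := authData[32]; flags&0x01 == 0 || flags&0x04 == 0 { // UP and UV bits
		return errors.New("user presence and verification both required")
	}
	// ES256 signs authData || SHA-256(clientDataJSON).
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// fakeAuthenticator simulates a FIDO2 security key so the example runs
// offline; it is a stand-in, not a real CTAP device.
type fakeAuthenticator struct{ key *ecdsa.PrivateKey }

func (a fakeAuthenticator) sign(rpID, origin string, challenge []byte) (cdJSON, authData, sig []byte) {
	cd := clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin}
	cdJSON, _ = json.Marshal(cd)
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x05, 0, 0, 0, 0) // flags UP|UV, signCount 0
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	return
}

// Demo runs a genuine login, then an adversary-in-the-middle relay in which
// the user was lured to a look-alike origin (a constructed .example name) and
// the attacker forwards that assertion to the real RP.
func Demo() (genuine, phished error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := fakeAuthenticator{key}
	const rpID, origin = "login.agency.gov", "https://login.agency.gov" // hypothetical RP
	challenge := make([]byte, 32)
	rand.Read(challenge)
	c, a, s := auth.sign(rpID, origin, challenge)
	genuine = verifyAssertion(rpID, origin, challenge, &key.PublicKey, c, a, s)
	c, a, s = auth.sign("login-agency-gov.example", "https://login-agency-gov.example", challenge)
	phished = verifyAssertion(rpID, origin, challenge, &key.PublicKey, c, a, s)
	return
}

func main() {
	g, p := Demo()
	fmt.Println("genuine login:", g, "| relayed phish:", p)
}
```

The relayed assertion is rejected at the origin check before any cryptography runs, and a real authenticator would not even find a credential for the look-alike RP ID. What the example leaves out of a production verifier: looking up the public key by credential ID, rejecting a signature counter that did not increase, and the separate registration (attestation) ceremony.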

“Multifactor is great. But some agencies will want many authentications, which can slow down access. How much will users tolerate?” Halvorsen says. “Also, we need to better figure out and have agreement on the best attributes. I like biometrics, they are easy to carry around. But there are also ways to get around them. Agencies will need to agree on the key biometrics.”


Another technology being adopted across agencies is Security Assertion Markup Language (SAML), an open, XML-based standard for exchanging authentication and authorization assertions between an identity provider and service providers. It lets users sign in once and access multiple web applications with one set of login credentials.

“A shared infrastructure now exists across all of these government platforms,” Frazier says. “They’re all speaking the same language. SAML is a great fit for this environment. Risk tolerance varies between agencies, but the tech framework is all the same. This technology can be brought to bear to safely access services.”

Identity, credential and access technologies continue to evolve, so FICAM teams need to be vigilant in maintaining continuous governance and monitoring.

“One of the most overlooked aspects of FICAM is the importance of continuous governance and monitoring,” Bagdasarian says. “Management teams often focus on the initial implementation of systems but may neglect the need for ongoing oversight to maintain security and compliance. Regular audits, risk assessments, and updates to align with the evolving threat landscape and policies are crucial for sustaining the effectiveness of FICAM. Without active governance, agencies risk having control gaps and vulnerabilities, noncompliance, and inefficiencies in their identity management practices.”

Tools and Technologies for Successful FICAM Deployment

A successful FICAM deployment, not surprisingly, requires several core technologies. Identity management systems handle user identities and their lifecycle. A public key infrastructure issues and revokes the digital certificates carried on PIV credentials, and access control systems manage and enforce permissions. Single sign-on and other federation services provide secure, seamless access across systems and agencies, and multifactor authentication should be deployed throughout to strengthen overall security.

“Agencies will also want to deploy audit and monitoring tools to ensure continuous oversight to detect unauthorized access and maintain compliance with federal standards,” suggests Bagdasarian.


FICAM Faces Threats from Artificial Intelligence

While agencies continue to evolve their security measures, attackers are not sitting idle. They continue to improve their strategies and tools as well. The use of artificial intelligence to improve the effectiveness of phishing and spoofing operations is a growing concern.

“AI offers a route to attack identity, so we need new, better architecture today,” Halvorsen says. “I think we will start to see lifestyle multifactor credentials that really say ‘me.’ We’ll also need multifactor baselines, not just a birthdate or Social Security number. We’ll need a collection of those factors that are randomized in application. We need to ensure it is much harder for the AI-based threats to crack. This is a threat we can’t wait to address.”
