Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal Government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a Federal Government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

FICAM Program

Introduction

The GSA Federal ICAM (FICAM) program helps federal agencies plan and manage enterprise identity, credentialing, and access management (ICAM) through collaboration opportunities and guidance on IT policy, standards, implementation, and architecture. Most of the guidance and best practices found on this website are developed through interagency working groups. The FICAM Program is a Federal CIO Council initiative managed by the GSA Office of Government-wide Policy.

The main difference between the GSA OGP FICAM program and an agency ICAM program (including GSA’s own enterprise ICAM program) is the GSA OGP FICAM program focuses on government-wide initiatives that support interoperability between organizations.

Federal Workforce Identity Framework

The FICAM Program governs through a four-part framework for identity federations.

  1. Governance - Sets policies, sign legal agreements, approves members and applicants, and oversees compliance activities.
  2. Technical and Security Requirements - Outline technical and security requirements for all members.
  3. Recognition - List of members and compliant services.
  4. Compliance - Members and services complete 2nd party (OIG) or 3rd party compliance activity to increase trust.

Through this four-part framework, the GSA FICAM Program leads or coordinates the following governmentwide functions.

  1. Governance
    1. ICAM Governance - Maintain and update idmanagement.gov which includes the FICAM Architecture and accompanying playbooks and configuration guidance as well as secretary/co-chair the Federal CISO Council ICAM Subcommittee. Lead governmentwide ICAM initiatives like the FIDO2 Community of Action and Digital Identity Community of Practice.
    2. Federal PKI Governance - Review Federal PKI 3rd party PKI audits and secretary/co-chair the Federal PKI Policy Authority
  2. Technical and Security Requirements
    1. FIPS 201 and accompanying Special Publications
    2. NIST Special Publication 800-63
    3. GSA FIPS 201 Functional Requirements and Test Cases
  3. Recognition
    1. Workforce identity trust services - The current service providers that have an identity federation agreement with the U.S. government.
    2. FIPS 201 Approved Product List - List of tested and certified products from the FIPS 201 Evaluation Program.
    3. GSA PKI Shared Service Provider Program - Manage commercial PKI service providers that issue Federally-compliant digital certificates.
  4. Compliance
    1. FIPS 201 Evaluation Program - Tests and certify services and commercial products used in PIV credentialing systems and physical access control systems.
    2. Federal PKI Annual Review Process - Independent compliance audit requirement and schedule of Federal PKI Certification Authorities.

ICAM Governance Bodies

The GSA FICAM Program coordinates and oversees governmentwide ICAM initiatives as directed by the Federal CISO Council and the Office of Management and Budget. It accomplishes this mission through various governance bodies outlined below.

An organization chart of the FICAM Governance Bodies and Working Groups.

Identity, Credential, and Access Management Subcommittee

The Identity, Credential, and Access Management Subcommittee (ICAMSC) is the principal interagency forum for identity management, secure access, authentication, authorization, credentials, privileges, and access lifecycle management. It’s a sub-committee of the Federal CIO Council’s Chief Information Security Officer (CISO) Council.

The ICAMSC is co-chaired by the GSA Office of Government-wide Policy, Department of Justice and Department of Homeland Security, Cybersecurity and Infrastructure Security Agency. The ICAMSC aligns the identity management activities of the federal government and supports collaborative government-wide efforts to:

  • Increase agency flexibility in addressing ICAM challenges;
  • Coordinate interagency efforts to meet agency mission needs;
  • Identify gaps in policies, procedures, standards, guidance, and services; and
  • Align ICAM policies and compliance with other cybersecurity initiatives.

Activities

  • Address Agency Challenges: provides opportunities for agencies to troubleshoot issues and challenges associated with the planning, implementation, and operations of ICAM programs and solutions.
  • Develop Policy Recommendations: recommends new ICAM policies and updates existing ones.
  • Provide Flexible Tools for ICAM Programs: develops specific tools to assist agencies’ abilities to meet ICAM policy objectives and overcome ICAM implementation challenges.
  • Facilitate Communications and Information Sharing: acts as a vehicle for cross-government collaboration by sharing information, lessons learned, and best practices related to ICAM.

Membership and Meetings

Membership is open to federal agency employees with a .gov or .mil email address. Contractors are permitted to join on a case-by-case basis. See the ICAMSC Meeting Page on Connect.gov for more information. Access to the page requires a multifactor authentication using a PIV/CAC. See the ICAMSC Charter (PDF, September 2023) for information on membership requirements, voting rights, etc.

ICAMSC Working Groups

The ICAMSC charters working groups based on a defined-purpose and timeline. See the complete list of active and inactive working groups at the ICAMSC Max.gov page. Send an email to icam@gsa.gov for more information and join a working group.

Working Group Name Purpose Activities Membership Requirements Meeting Schedule
Physical Access Control Systems Modernization (PACSMod) Facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS (ePACS) within the federal government (USG). By September 30th, 2021, develop a PACS Assessment Toolkit, a self-assessment that agencies can use to assess the FICAM compliance of PACS implementations. Federal employees and designated contractors operating a PACS. Monthly

Other ICAM Working Groups

Other ICAM working groups may be charted under other committees or subcommittees of the Federal CIO Council.

Working Group Name Purpose Activities Membership Requirements Meeting Schedule
Derived-PIV Working Group Accelerate the implementation of mobile identity management across the federal government. Document and share PKI and non-PKI uses cases to increase the available technical and information resources. Provide a feedback look to inform policy and standard. Federal employees and designated contractors Monthly

ICAM Community Listserv

The Federal ICAM Community Technical Listserv (ICAM-COMMUNITY-TECH List) aims to provide a communications platform to share and discuss technical issues impacting the Federal ICAM Community. We hope to leverage the knowledge of ICAM Subject Matter Experts to identify, share, and hopefully resolve technical issues that exist in Agencies and Departments. This list is open to anyone with a .gov email.

Subscribe by contacting the list owner: ICAM-COMMUNITY-TECH-request at LISTSERV.GSA.GOV with subscribe in the subject line.

Federal Public Key Infrastructure Policy Authority

The Federal Public Key Infrastructure Policy Authority (FPKIPA) serves the interest of U.S. federal government organizations as relying parties and promotes interoperability between federal and non-federal entities by:

  • Setting policy governing the Federal Public Key Infrastructure (FPKI) Trust Infrastructure;
  • Approving applicants for cross certification with the Federal Bridge Certification Authority (FBCA); and
  • Providing oversight to the Certified PKI Shared Service Provider (SSP) Program.

It is co-chaired by the GSA Office of Government-wide Policy. The GSA Office of the Chief Information Officer (OCIO) is responsible for security authorizations and continuous monitoring for commercially-operated PKI shared service providers.

Activities

  • Approve Policies and Practices – Approve Federal Bridge Certification Authority (FBCA) and Federal Common Policy Certification Authority Certificate Policies (CPs), including revisions; approve FPKI Trust Infrastructure Certification Practice Statements.
  • Approve Entity Cross-Certification – Establish and administer criteria and methodology for cross-certification with the FBCA; approve cross-certifications and execute Memoranda of Agreement (MOAs); maintain the FPKI Certification Applicant Requirements and the Common Policy CPS Evaluation Matrix.
  • Maintain Compliance – Ensure cross-certified entities are compatible with the FBCA Certificate Policy (CP) (or the Federal Common Policy Certification Authority (FCPCA) CP for Federal Legacy CAs).
  • Agreement with FPKI Management Authority – Oversee the FPKI Management Authority (FPKIMA) to issue and revoke cross-certificates, ensure adherence to the FPKI CPs, and provide documentation to be archived.
  • Interoperability Practices – Coordinate legal, policy, technical, and business practices and issues related to FPKI Trust Infrastructure.

Membership and Meetings

Members are appointed by each federal agency’s CIO, and the group operates under the authority of the Federal CIO Council through the Information Security and Identity Management Committee (ISIMC) and the Identity, Credential, and Access Management Subcommittee (ICAMSC). See the FPKIPA Charter (PDF, August 2021) for information on membership requirements, voting rights, etc.

The FPKIPA meets in the morning on the second Tuesday of each month. Contact fpki@gsa.gov to participate in the FPKIPA or its working groups.

Federal Public Key Infrastructure Management Authority

The Federal Public Key Infrastructure Management Authority (FPKIMA) enables government-wide trust by providing trust infrastructure services to federal agencies. The FPKIMA is governed under the FPKI Policy Authority (FPKIPA) and managed by the GSA Federal Acquisition Service.

Activities

  • Manage digital certificate policies and standards to ensure secure physical and logical access, document sharing, and communications across federal agencies and between external business partners.
  • Operate the FPKI Trust Infrastructure, which consists of two main certification authorities (CA):
    • Federal Common Policy CA (FCPCA) is the trust anchor for the federal government. Authorized CAs issue certificates for exclusive use by the federal government for federal employees and contractors, to include the PKI certificates on the Personal Identity Verification (PIV) credential.
    • Federal Bridge CA (FBCA) is the PKI Bridge that enables interoperability between and among federally operated and business partner PKIs.

FPKIMA Newsletter

If your agency is experiencing issues related to the FBCA or FCPCA, contact fpki-help@gsa.gov

Federal Public Key Infrastructure Working Groups

The FPKIPA charters three ongoing working groups and potentially other short-term working groups and tiger teams.

If you meet the membership criteria and wish to join a working group, email fpki@gsa.gov and include the text “Request to Join xx,” where “xx” is the name of the working group.

Working Group Name Purpose Activities Membership Requirements Meeting Schedule
Certificate Policy (CPWG) The Federal Bridge and Common policies advisory group. Facilitate proposed Certificate Policy changes, facilitate the FPKI cross-certification process, and address and resolve issues through policy analysis and modification. Federal employees, designated contractors, and PKI providers involved in the FPKI. As needed.
Shared Service Provider (SSPWG) The Shared Service Provider program advisory group. Identify policy changes that impact the Shared Services Program, address and resolve issues through policy analysis and modification. Only FPKI Shared Service Provider representatives. As needed.
Technical (TWG) Investigate and resolve complex FPKI technical issues. Identify and scope technical FPKI issues, address security concerns and vulnerabilities, and identify technical improvements to enhance the security and operational capabilities. Federal employees, designated contractors, and PKI vendors. As needed.

IDManagement.gov

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?
Visit USA.gov Edit this page