Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal Government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a Federal Government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

FICAM is the foundation for ZT adoption

FICAM is the foundation for U.S. Government agencies to mature towards Zero Trust cyber security architecture. Implementing identity credentials and access management concepts, policies, procedures and playbooks provides agencies with a Zero Trust implementation strategy framework. The FICAM Key ICAM components directly help implement Zero Trust Architecture with:

  • Person and non-person entities - authenticate all users before providing access. Managing identities and providing secure MFA credentials is the first step in knowing who requests access.
  • Endpoints - in addition to authenticating users, Zero Trust requires authenticating and approving endpoints, such as workstations, mobile devices, or Internet of Things devices.
  • Data, assets, applications, and services - definition and implementation of access policies are needed to implement the continuous evaluation aspect of Zero Trust.

Zero Trust can only be achieved with strong identity management and mature ICAM capabilities for person and non-person entities. OMB M-22-09, the Federal Zero Trust Strategy and CISA Zero Trust Maturity Model version 2.0 are a comprehensive set of access control policies and guidelines, setting the foundation for agencies to implement a Zero Trust architecture and related initiatives for your agency.


Zero Trust concepts assume there is no implicit trust granted to assets or user accounts based on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (subject and device) are discrete functions performed before a session to an enterprise resource is established.

FICAM areas aligned to M-22-09

Privileged user is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users cannot perform—also known as a privileged IT user, privileged network user, or superuser. FICAM Privileged Identity Playbook is a great place to start with ensuring robust management of privileged users and identities.

Phishing-resistant authenticator is a form of authentication that is not susceptible to interception or replay attacks. In addition, the ICAM Subcommittee is drafting a phishing-resistant playbook to help agencies get a head start in implementing the concepts, saving agencies time and money. Agencies can understand phishing, phishing-resistant, and examples of phishing-resistant authenticators in the Phishing-Resistant Authenticator Playbook.

Single Sign On centralizes application access for agency employees and contractors or federates access with other federal executive agencies. Leveraging the Enterprise Single Sign On Playbook will help agencies with enhanced management control of identities in a consolidated manner. Agencies are encouraged to use this playbook to centralize application access for agency employees and contractors or federate access with other federal executive agencies.

User authorization decides whether to grant access to a user or machine account following authentication. Authorization to resources can be fine-grained to help achieve attribute-based access vs. traditional role-based access. FICAM has resources to help agencies with user authorization management activities as part of their ICAM solutions. Agencies can get started by leveraging Cloud Identity Playbook as a starting point. This playbook provides practical guidance to assist federal agencies in starting or further expanding their use of workforce identity, credential, and access management services in a cloud operating model.

Identity lifecycle management encompasses creating, identity proofing, vetting, provisioning, aggregating, maintaining, and deactivating digital identities on an agency’s enterprise ICAM systems. The FICAM team provides a detailed Identity Lifecycle Management Playbook to help shift the focus from managing the access based on credentials to managing the entire lifecycle of identities.

FICAM alignment to CISA Zero Trust Maturity Model

The CISA Zero Trust Maturity Model is a good place to start while agencies plan their Zero Trust implementation journey. This model has five pillars that complement each other as part of the overall objective to achieve continued modernization efforts related to Zero Trust within a rapidly evolving technology landscape. One of the main pillars of this model is Identity which is in line with the FICAM framework. Even though this maturity model is one of the many paths to zero trust, it leads agencies to success by providing guidance. Use IDManagement resources to achieve Identity pillar objectives defined within this maturity model efficiently.

Functions and guidance

ICAM practice area CISA zero trust maturity model identity function FICAM guidance
Access Management - Authentication Authentication - agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.
Identity Management - Identity Aggregation Identity stores - agencies securely integrate their identity stores across all partners and environments as appropriate.

Governance - Analytics Risk assessments - agencies determine identity risk in real-time based on continuous analysis and dynamic rules to deliver ongoing protection.
Access Management - Authorization Access management - agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and resource needs.
Governance - Analytics Visibility and analytics capability - agencies maintain comprehensive visibility and situational awareness across enterprises by performing automated analysis over user activity log types, including behavior-based analytics.
Governance - Identity Governance Automation and orchestration capability - agencies automate the orchestration of all identities with full integration across all environments based on behaviors, enrollments, and deployment needs.
Access Management - Digital Policy Administration Governance capability - agencies implement and fully automate enterprise-wide identity policies for all users and entities across all systems with continuous enforcement and dynamic updates.

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?
Visit Edit this page