There is no singular, authoritative, recognized way to architect an Identity, Credential, and Access Management (ICAM) capability across an enterprise, which results in many U.S. government agencies addressing this critical capability from different directions with different priorities. Compounding this issue, the maturity level of Identity Management varies across agencies, especially with respect to tool expertise and ICAM-related policies, which may complicate ongoing CDM integration efforts and lead to incomplete or ineffective ICAM deployments.
This document refines and clarifies the CDM Program's Identity and Access Management (IDAM) scope by providing a reference for how CDM IDAM capabilities may integrate into an agency's ICAM architecture. It describes the Federal ICAM practice area, including how ICAM services and components implement ICAM use cases, along with the related CDM capabilities. For each CDM ICAM capability, assumptions and constraints are stated with respect to the capabilities an agency is expected to have.
Figure ES-1 summarizes the CDM IDAM capabilities (left) and the related Federal ICAM (FICAM) practice areas and services (right), and highlights that both users and devices need to be considered in Access Management. The CDM CRED (Manage Credentials and Authentication), BEHAVE (Manage Security-Related Behavior), TRUST (Manage Trust in People Granted Access), and PRIV (Privilege Management) capabilities each collect a desired state (what agency policy requires) and an actual state (what the deployed sensors observe). Comparing the desired state with the actual state is what allows each capability to report defects.
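The desired-state versus actual-state comparison above is the mechanism behind CDM defect reporting. The following is an added example written for this page, not CDM's or any vendor's implementation: a small comparison engine with one rule per capability area (CRED, BEHAVE, TRUST, PRIV). The record fields, the accounts, and the specific rules are constructed assumptions; real agency data and policies will differ.

```python
"""Added example: comparing CDM desired state with actual state to report defects.

Illustrative code written for this page, not CDM's or any vendor's
implementation. The record fields, the accounts and the four rules are
constructed assumptions that mirror the CRED, BEHAVE, TRUST and PRIV areas.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Defect:
    capability: str   # CRED, BEHAVE, TRUST or PRIV
    user: str
    detail: str


# Desired state (constructed): what agency policy says should be true.
DESIRED = {
    "cred_authenticators": {"PIV", "FIDO2", "certificate"},  # approved authenticators
    "behave_training_required": True,
    "trust_required_for_privileged": "favorable",            # suitability determination
    "priv_entitlements": {                                   # authorized privileges by account
        "alice": {"domain_admin"},
        "bob": set(),
        "svc-backup": {"backup_operator"},
    },
}

# Actual state (constructed): what directory, PAM and HR sensors report.
ACTUAL = [
    {"user": "alice", "npe": False, "authenticator": "PIV", "training_current": True,
     "suitability": "favorable", "privileged": True, "privileges": {"domain_admin"}},
    {"user": "bob", "npe": False, "authenticator": "password", "training_current": False,
     "suitability": "favorable", "privileged": False, "privileges": {"local_admin"}},
    {"user": "svc-backup", "npe": True, "authenticator": "certificate", "training_current": True,
     "suitability": None, "privileged": True, "privileges": {"backup_operator"}},
    {"user": "carol", "npe": False, "authenticator": "PIV", "training_current": True,
     "suitability": "favorable", "privileged": False, "privileges": {"reader"}},
]


def find_defects(desired, actual):
    """Return one Defect per rule that an actual-state record violates."""
    defects = []
    for rec in actual:
        u = rec["user"]
        # CRED: the authenticator must be one of the approved strong authenticators.
        if rec["authenticator"] not in desired["cred_authenticators"]:
            defects.append(Defect("CRED", u, f"weak authenticator: {rec['authenticator']}"))
        # BEHAVE: required security training must be current.
        if desired["behave_training_required"] and not rec["training_current"]:
            defects.append(Defect("BEHAVE", u, "security training not current"))
        # TRUST: privileged people need a favorable suitability determination (NPEs exempt).
        if (rec["privileged"] and not rec["npe"]
                and rec["suitability"] != desired["trust_required_for_privileged"]):
            defects.append(Defect("TRUST", u, f"suitability is {rec['suitability']}"))
        # PRIV: the account must be in the authorized inventory and hold only authorized privileges.
        if u not in desired["priv_entitlements"]:
            defects.append(Defect("PRIV", u, "account not in authorized inventory (orphan)"))
            continue
        extra = rec["privileges"] - desired["priv_entitlements"][u]
        if extra:
            defects.append(Defect("PRIV", u, f"unauthorized privileges: {sorted(extra)}"))
    return defects


def defect_counts(defects):
    """Summarize defects per capability area for dashboard reporting."""
    counts = {}
    for d in defects:
        counts[d.capability] = counts.get(d.capability, 0) + 1
    return counts


if __name__ == "__main__":
    for d in find_defects(DESIRED, ACTUAL):
        print(f"{d.capability:6} {d.user:12} {d.detail}")
    print(defect_counts(find_defects(DESIRED, ACTUAL)))
```

With the constructed data, `bob` produces CRED, BEHAVE and PRIV defects and `carol` an orphan-account PRIV defect, while `alice` and the NPE `svc-backup` are clean; the orphan check is the kind of identity-lifecycle finding the ILM sub-capability is meant to surface.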
CDM IDAM capabilities have evolved since initial implementations to include sub-capabilities for Privileged Access Management (PAM) and Identity Lifecycle Management (ILM) under the PRIV capability area and Mobile Identity Management (MIM) under the CRED capability area. CRED has also expanded beyond its original focus on Personal Identity Verification (PIV) credentials to include non-person entities (NPE) and non-PKI authenticators.
Functionality in the PAM sub-capability is focused on ensuring that privileged human and non-person entities are managed separately from unprivileged users, and it provides tools that help enforce strong authentication where modern methods are not natively available. The PAM sub-capability provides a Policy Decision Point (PDP) and a Policy Enforcement Point (PEP) for privileged user Access Management. PDPs and PEPs play an essential role in ensuring policies are enforced in both legacy and cloud environments. PDPs and PEPs are central within ICAM's "Access Management" service area, which we expand upon herein.
Functionality in the ILM sub-capability is focused on the lifecycle management of a user's identity and associated privileges throughout the user's association with the agency. Although ILM applies to all users in an enterprise, human and non-person, CDM takes a particularly focused view of ILM for privileged users, because these accounts are the most powerful and the most frequently abused and therefore require closer evaluation throughout the identity lifecycle.
MIM is a sub-capability under CRED that enables an agency to secure its users' use of mobile devices. The MIM capability participates in the Derived PIV Credential (DPC) lifecycle through the Enterprise Mobility Manager (EMM). The DPC lifecycle includes issuance, renewal, reissuance, activation and deactivation, and revocation and deletion events. MIM also supports the provisioning of derived PIV credentials to mobile devices.
In this architecture, we introduce federation services. Like the PDPs and PEPs used in the PAM sub-capability, federation services are an extension of Access Management and rely on PDPs and PEPs to operate. Federation services add two service endpoints: the Identity Provider (IDP), which is responsible for the authentication event and issues an assertion about it, and the relying party (RP, also called the Service Provider), which consumes that assertion and provides access to the service itself. The expectations each party has of the other, such as accepted authenticators and assertion lifetimes, are defined in federation agreements between the parties.
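The following added example, written for this page and not taken from CDM, FICAM or any product, walks a single federated request through the roles described in the PAM and federation passages above: the IDP performs the authentication event and issues an assertion, the RP's PEP validates the assertion, and a PDP decides whether the request satisfies policy for the resource. The federation agreement is reduced to a shared HMAC key and an audience string, the assertion is plain JSON rather than a signed SAML or OIDC token, and the resources and policy rules are invented; these are assumptions for illustration only.

```python
"""Added example: a federated access request flowing IDP -> RP (PEP) -> PDP.

Illustrative code written for this page; not CDM, FICAM or any product's code.
Assumptions: the federation agreement is modeled as a shared HMAC key plus an
audience string, assertions are JSON (real deployments use signed SAML or OIDC
tokens), and the resources and policy rules are constructed examples.
"""
import hashlib
import hmac
import json
import time

FEDERATION_KEY = b"shared-secret-from-federation-agreement"  # constructed
AUDIENCE = "https://rp.agency.example/admin-portal"           # constructed
STRONG_AMR = {"piv", "fido2"}   # authentication methods policy treats as strong


# ---- Identity Provider: performs the authentication event and issues an assertion
def idp_issue(subject, amr, privileged, now=None, ttl=300, key=FEDERATION_KEY):
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": AUDIENCE, "iat": now, "exp": now + ttl,
              "amr": amr, "privileged": privileged}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig            # hex signature contains no '.', so it splits cleanly


# ---- Relying Party's PEP: verifies the assertion before consulting the PDP
def pep_validate(assertion, now=None, key=FEDERATION_KEY):
    now = time.time() if now is None else now
    body, _, sig = assertion.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    claims = json.loads(body)
    if claims.get("aud") != AUDIENCE:          # assertion minted for a different RP
        return None, "audience mismatch"
    if claims.get("exp", 0) <= now:            # stale assertion
        return None, "assertion expired"
    return claims, "ok"


# ---- PDP: evaluates the request against the desired-state policy for the resource
RESOURCES = {
    "/dashboard": {"privileged": False},
    "/admin/users": {"privileged": True},      # privileged resource, PAM rules apply
}


def pdp_decide(claims, resource):
    req = RESOURCES.get(resource)
    if req is None:
        return "Deny", "unknown resource"
    if req["privileged"]:
        if not claims["privileged"]:
            return "Deny", "privileged resource requires privileged account"
        if claims["amr"] not in STRONG_AMR:
            return "Deny", f"privileged access requires strong auth, got {claims['amr']}"
    return "Permit", "policy satisfied"


def access(assertion, resource, now=None):
    """PEP entry point: validate the IDP assertion, then enforce the PDP decision."""
    claims, reason = pep_validate(assertion, now)
    if claims is None:
        return "Deny", reason
    return pdp_decide(claims, resource)


if __name__ == "__main__":
    a = idp_issue("alice", "piv", privileged=True)
    print(access(a, "/admin/users"))       # Permit
    b = idp_issue("bob", "password", privileged=False)
    print(access(b, "/admin/users"))       # Deny: not a privileged account
```

The split of duties matters: the PEP never interprets policy, it only establishes that the assertion is genuine, intended for this RP and fresh; the PDP never touches signatures, it only answers whether the authenticated claims satisfy the resource's policy. A privileged account that authenticated with only a password is therefore denied at the PDP even though its assertion is perfectly valid, which is the strong-authentication check the PAM sub-capability is meant to impose.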
Zero Trust is a cybersecurity model for network architecture that grants no implicit trust to any device or user by default and authenticates and authorizes every transaction. The federal government has released substantial guidance on Zero Trust Architecture (ZTA) and has called for its implementation on federal networks. This CDM ICAM Reference Architecture addresses ZTA and illustrates how ICAM and CDM help enable it.