UNCLASSIFIED (U)

5 FAM 160 

IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT

(CT:IM-321;   06-07-2024)
(Office of Origin: DT/ES/ITI)

5 FAM 161  SCOPE

(CT:IM-316; 04-23-2024)

This subchapter defines the Department of State's Enterprise Identity, Credential, and Access Management (SE-ICAM) program as mandated by the Federal ICAM policy. Participation in the ICAM program is mandatory for all Department entities with systems that integrate into the Department's enterprise solutions. The Department program provides Single Sign-On (SSO), multi-factor authentication (MFA), identity governance, and user access lifecycle management for all Department entities and articulates secure and efficient operations.

5 FAM 162  AUTHORITIES

(CT:IM-316; 04-23-2024)

a.   Executive Order (EO) 14028: Improving the Nation’s Cybersecurity

b.   Executive Order (EO) 14058: Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government

c.   Office of Management and Budget (OMB) Memorandum M-19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management

d.   Office of Management and Budget (OMB) Memorandum M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

e.   Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors

f.   Federal Information Security Modernization Act (FISMA) of 2014

g.   Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, v2.0, 2011

h.   National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations

i.   NIST SP 800-63-3, Digital Identity Guidelines

j.   NIST SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing Requirements

k.   NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management

l.   NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions

5 FAM 163  PROGRAM OBJECTIVES

(CT:IM-316; 04-23-2024)

a. The mission of the Department’s SE-ICAM program is to provide an end-to-end solution for Identity, Credential and Access Management through governed identity, verified and trusted credentials, and access management.

b. This subchapter enables the Department to fulfill its mission obligations under Office of Management and Budget (OMB) Memorandum M-19-17, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management.” OMB M-19-17 requires the establishment of an agency-wide ICAM program charged with defining and implementing policy and procedures and establishing a comprehensive roadmap that guides ICAM.

5 FAM 164  DEFINITIONS

(CT:IM-316; 04-23-2024)

Access: The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments).

Cloud: Defined in 5 FAM 1113.

Consumer Identity Access Management (CIAM): CIAM focuses specifically on managing the identities of customers who need access to corporate websites and web portals. Rather than managing user accounts separately in every instance of a company's software applications, the identity is managed in a CIAM component, making reuse of the identity possible.

Continuous Diagnostic and Mitigation (CDM) Program: Enhances the overall security and privacy posture of the Federal government by providing Federal agencies with capabilities to reduce the attack surface of their respective networks, identify cybersecurity risks, and prioritize actions to mitigate or accept risk based on the potential impacts to their mission.

Credential: An object or data structure that authoritatively binds an identity (via an identifier or identifiers) and, optionally, additional attributes to at least one authenticator possessed and controlled by a subscriber.

Governance: The set of practices and systems that guides ICAM activities, functions, and outcomes. To perform effective governance, agencies must collect data about ICAM functions from many sources, such as policy and entitlement stores, and analyze this data.

Identity: The unique representation of a subject, for example, a person, a device, or an automated technology, that is engaged in a transaction involving at least one Federal subject or Federal resource.

Master User Record (MUR): The MUR identifies an entity (user) that requests access to information or systems. It includes attributes about trust, credentials, access and permission authorization, accounts, and training for specific roles and responsibilities.

Multi-factor Authentication (MFA): An authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism: something the user knows (e.g., a password), something the user has (e.g., a token), or something the user is (e.g., a biometric).

Personally Identifiable Information (PII): Defined in 5 FAM 463.

Personal Identity Verification (PIV): Defined in 5 FAM 114.

Single Sign-On (SSO): An authentication process that allows a user to log in with a single authentication to any of several related, yet independent, software systems.

5 FAM 165  RESPONSIBILITIES

5 FAM 165.1  SE-ICAM Program Responsibilities

(CT:IM-292; 04-28-2023)

Consistent with Department authorities and operational mission needs, the SE-ICAM program is the single, centralized point of contact for the Department’s ICAM systems, and is responsible for the following:

(1)  Implementing and operating an integrated, comprehensive set of ICAM technology solutions throughout Department infrastructure;

(2)  Providing identity governance solutions to manage digital identities and associated privileges throughout the lifecycle of a user’s relationship with the Department;

(3)  Ensuring compliance with ICAM related EOs, OMB memorandums, NIST publications, and policy directives;

(4)  Developing and implementing policies that guide, manage, and direct ICAM activities and interactions across the Department;

(5)  Coordinating internal and external ICAM program communications and outreach to Department stakeholders;

(6)  Deploying ICAM capabilities using commercially available products to the maximum extent possible;

(7)  Leveraging open Application Programming Interfaces (APIs) and commercial standards to enable modularized development and promote interoperability across all levels of government;

(8)  Ensuring that products and services are compliant with OMB policies, NIST standards, and supported technical specifications to further ICAM implementations and operations;

(9)  Limiting the collection of PII for establishing an individual's identity to that which is legally authorized and deemed necessary for accurate identification;

(10) Leveraging existing personal identity verification (PIV) credentials and identity federations that meet the agency's determined acceptable risk level;

(11) Implementing and operating technological solutions on cloud and on-premises systems to ensure that only authenticated users access Department-owned systems; and

(12) Providing ICAM support for cloud and on-premises applications and services.

5 FAM 165.2  HSPD-12 Joint Advisory Council

(CT:IM-316; 04-23-2024)

The Joint Advisory Council (JAC) is the working level group for the technical implementation of Homeland Security Presidential Directive 12 (HSPD-12) and OMB Memo M-19-17. The Executive Steering Committee provides guidance and direction and approves policy decisions proposed by the ICAM JAC:

(1)  The HSPD-12 JAC guides the planning, development, implementation, and promulgation of standards-based, secure, and reliable forms of identification under the enterprise-wide identity management policy within the Department;

(2)  The purpose of the HSPD-12 JAC is to:

(a)  Recommend policies and procedures to meet federal requirements;

(b)  Develop a plan and budget to meet the global requirements of the Directive;

(c)  Coordinate realization of the full benefits of PIV credentials through the purchase, deployment, and maintenance of ICAM-compliant systems; and

(d)  Participate with other government agencies in the planning and execution of PIV credentials.

5 FAM 165.3  Organizational Requirements

(CT:IM-316; 04-23-2024)

Department bureaus, entities, and business processes must use the Department’s ICAM technologies to the maximum extent possible, in accordance with this subchapter. Exceptions from using the enterprise ICAM solution are determined in accordance with 5 FAM 1064.1-2(B) Request for Exceptions and Deviations.

5 FAM 165.4  Exclusions to the SE-ICAM Program

(CT:IM-292; 04-28-2023)

The Department’s SE-ICAM identity access management solutions control access to on-premises systems and cloud applications, for both enterprise and non-enterprise users, providing SSO and MFA with the explicit exclusion of:

(1)  The Bureau of Diplomatic Security (DS) Identity Management System (IdMS); and

(2)  The Consumer Identity Access Management (CIAM) system.

5 FAM 166  SECURITY OF SE-ICAM SYSTEM

(CT:IM-316; 04-23-2024)

a. This policy is written in adherence with the Federal Information Security Modernization Act (FISMA) of 2014.

b. The SE-ICAM solution leverages products from the CDM Identity Access Management (IAM) program.

c. The SE-ICAM solution enforces zero trust architecture by:

(1)  Identifying who is on the network;

(2)  Ensuring that authorized users have the required credentials and privileges;

(3)  Validating that users have completed security training before they may access a system; and

(4)  Enforcing the use of MFA security.

d. The SE-ICAM solution implements the Master User Record (MUR). The MUR combines core personal data attributes from across the Department to meet TRUST, BEHAVE, CRED, and PRIV requirements. The MUR also serves as a repository of Personally Identifiable Information (PII) by compiling PII from multiple resources within the Department.

e. Because the SE-ICAM system is a high-value potential target, both physical and logical access to it must be isolated. The following isolation controls must be addressed:

(1)  Only specifically authorized members of the SE-ICAM team have physical access to the system. The system is located in enclaves that require two-person access control within the datacenters; and

(2)  The system has restricted communications through the firewall. The protocols are defined in the SE-ICAM System Security Plan (SSP).

5 FAM 167  State Global Identifier (SGID)

(CT:IM-316; 04-23-2024)

The State Global Identifier (SGID) is a Department created and assigned numeric identifier used to identify persons in perpetuity in lieu of using Social Security Numbers (SSN) or other personally identifiable information (PII):

(1)  The purpose of the State Global Identifier (SGID) is to increase efficiency, reduce identity fraud, and protect privacy; and

(2)  All SGIDs created must be linked to an individual’s biographical information, such as SSN or date of birth, and bound to a DS-approved biometric factor.
