This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.
Component examples include sample enterprise ICAM tools (e.g., solutions, applications, and software) aligned with ICAM service areas that illustrate ICAM functionality at an agency. The component examples are designed for enterprise architects, security engineers, and solution architects to facilitate discussions about which technology solutions to integrate with enterprise applications and about the business requirements.
The components are representative examples only. Some solutions chosen by your agency may span across more than one service area.
The following figure is an example for a small selection of components only. You should modify the graphic and incorporate as-is and target-state components for enterprise roadmap planning.
Authoritative Sources
An authoritative source is a repository of identity attribute data. It’s possible to have multiple authoritative sources for attributes.
Authoritative source components may include:
- Human Resource systems such as payroll, time and attendance, and benefits administration
- Agency or government-wide Learning Management Systems
- Agency or government-wide Personnel Security systems for security and suitability
- Directory services including on-premise or cloud-based directory services
- Other external or internal sources
Identity Management Systems
Identity Management Systems are how an agency manages the identity lifecycle.
Identity management system components may include:
- Identity lifecycle management services including provisioning and workflow
- Role management or role manager applications
- Identity correlation or aggregation
- Directory management
Access Control Systems
Access Control Systems are how an agency leverages credentials to authenticate individuals and authorize access to protected resources.
Access Control System components may include:
- Enterprise single sign-on (eSSO) applications
- Web access management applications
- Physical or facility access control systems
- Privileged access management applications
- Access policy and access rules repositories
- Policy enforcement points
- Policy decision points
- Virtual private networks
- Cloud access security brokers
- Network access management tools
Credential Management Systems
Credential Management Systems are how an agency manages an authentication token bound to an identity.
Credential Management System components may include:
- PIV credential service provider solutions
- Other, non-PKI, credential service provider solutions
- Federated certification authorities
- Private certification authorities
- Key management services
- Enterprise certificate manager
- Multi-factor authentication managers for software and hardware tokens
- Password managers
Governance
Governance is the set of components to centralize management, develop insights, and assist in managing ICAM areas and services. Applications across all service areas include auditing such as standard audit logs or configuration of auditable events. Governance includes the aggregation of individual auditing and reporting into centralized tools to perform real-time or near real-time analysis, identify anomalies, and trigger mitigations for anomalous authentication or authorization events. Tools are increasingly incorporating machine learning or adaptive algorithms.
Governance components may include:
- Identity governance solutions to perform access re-certifications
- IT Service Management (ITSM)
- Security information and event management (SIEM)
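As an added illustration (not part of the FICAM architecture document) of the governance pattern described above, the script below normalizes audit events from two assumed ICAM components (a web access management system and a privileged access management system, each with its own log format), aggregates them per identity, and flags two anomalous patterns with a suggested mitigation. The log records, field names, and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two ICAM components (not real agency logs).
# Each component logs in its own format; governance tooling normalizes them.
WAM_LOGS = [  # web access management: authentication outcomes
    {"ts": "2024-03-01T09:00:00", "subject": "jdoe", "result": "FAIL", "mfa": False},
    {"ts": "2024-03-01T09:00:20", "subject": "jdoe", "result": "FAIL", "mfa": False},
    {"ts": "2024-03-01T09:00:40", "subject": "jdoe", "result": "FAIL", "mfa": False},
    {"ts": "2024-03-01T09:01:00", "subject": "jdoe", "result": "SUCCESS", "mfa": False},
    {"ts": "2024-03-01T09:05:00", "subject": "asmith", "result": "SUCCESS", "mfa": True},
]
PAM_LOGS = [  # privileged access management: authorization decisions
    {"time": "2024-03-01 09:02:00", "user": "jdoe", "decision": "PERMIT", "resource": "hr-db-admin"},
    {"time": "2024-03-01 09:06:00", "user": "asmith", "decision": "PERMIT", "resource": "hr-db-admin"},
]

def normalize(wam, pam):
    """Map each component's native fields onto one common event schema, time-ordered."""
    events = []
    for e in wam:
        events.append({"t": datetime.fromisoformat(e["ts"]), "id": e["subject"],
                       "kind": "authn", "ok": e["result"] == "SUCCESS", "mfa": e["mfa"]})
    for e in pam:
        events.append({"t": datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"), "id": e["user"],
                       "kind": "authz", "ok": e["decision"] == "PERMIT", "resource": e["resource"]})
    return sorted(events, key=lambda e: e["t"])

def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (identity, anomaly, mitigation) tuples for two patterns: a burst of failed
    logins followed by a success, and a privileged PERMIT with no MFA-backed login in the window."""
    alerts = []
    recent_fails = defaultdict(list)  # identity -> timestamps of failed authentications
    last_mfa = {}                     # identity -> time of last MFA-backed success
    for e in events:
        if e["kind"] == "authn":
            if not e["ok"]:
                recent_fails[e["id"]].append(e["t"])
                continue
            fails = [t for t in recent_fails[e["id"]] if e["t"] - t <= window]
            if len(fails) >= fail_threshold:
                alerts.append((e["id"], "success after %d failures" % len(fails), "force step-up authentication"))
            recent_fails[e["id"]].clear()
            if e["mfa"]:
                last_mfa[e["id"]] = e["t"]
        elif e["ok"]:  # authorization granted by the privileged access component
            t = last_mfa.get(e["id"])
            if t is None or e["t"] - t > window:
                alerts.append((e["id"], "privileged access to %s without recent MFA" % e["resource"], "revoke session and require MFA"))
    return alerts

if __name__ == "__main__":
    for alert in detect(normalize(WAM_LOGS, PAM_LOGS)):
        print(alert)
```

Running it flags jdoe twice (a success after three rapid failures, then a privileged grant with no MFA-backed login) and nothing for asmith, whose MFA login precedes the grant within the window.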
Agency Endpoints
Agency endpoints are any resource that an agency needs to protect, whether a physical resource or a digital resource.
Agency endpoints may include:
- On-premise applications
- Cloud-based applications and platforms
- Agency private networks
- Government cloud email services
- Government facilities