This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.


Credential Management

A green box with the list of Credential Management services defined later in the body text of this page.

Credential Management is how an agency issues, manages, and revokes credentials bound to enterprise identities.

A credential is a data structure that authoritatively binds an authenticator to an existing identity using one or more identifiers. An employee or contractor uses an authenticator, such as a password or a cryptographic module, to assert their identity.

The following are types of authenticators:

  • Something you know, like a password or PIN.
  • Something you have, like a private key or One-Time Password (OTP) generator.
  • Something you are, like a fingerprint or iris.

The Authenticator Assurance Level (AAL) determines the authenticators associated with a credential. Federal government-wide policy requires a minimum Authenticator Assurance Level 2 for employees and contractors.

The following are some examples of credentials:

  • You might use a PIV credential that includes a picture, the issuing agency logo, and cryptographic key pairs to assert your identity at a federal facility.
  • You might use a combination of credentials, like a username/password with a one-time password generated by a mobile application, to assert your identity to a federal web application.

Unlike identities, credentials can expire. If an enterprise identity continues past a credential’s expiration date, the issuing agency can issue a new credential.

Credential Management Services

The Credential Management services in the Federal ICAM architecture include Sponsorship, Registration, Issuance, Maintenance, and Revocation.

A green box with the Credential Management service definitions, which are listed in the following body text.


Sponsorship

Formally establish that a person or entity requires a credential.

Keywords: Sponsor, Authorizing Official, Affiliation, Request

Registration

Collect the information needed from a person or entity to issue them a credential.

Keyword: Enrollment

Issuance

Assign a credential to a person or entity.

Keywords: Activation, Token

Maintenance

Maintain a credential throughout its lifecycle.

Keywords: Renewal, Reset, Suspension, Reissuance

Revocation

Withdraw a credential from a person or entity, or deactivate an authenticator.

Keywords: Termination
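The five services can be read as a credential lifecycle in which out-of-order requests are refused and an expired credential is replaced rather than revived. The sketch below is an added example, not part of the Federal ICAM architecture; the state names, transition rules, 365-day validity period, and identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional

class State(Enum):
    SPONSORED = "sponsored"    # Sponsorship: need for a credential established
    REGISTERED = "registered"  # Registration: enrollment data collected
    ACTIVE = "active"          # Issuance: credential assigned and activated
    SUSPENDED = "suspended"    # Maintenance: temporarily unusable
    REVOKED = "revoked"        # Revocation: withdrawn, no way back

# (action, current state) -> next state. Assumed rules, not taken from the page.
TRANSITIONS = {
    ("register", State.SPONSORED): State.REGISTERED,
    ("issue", State.REGISTERED): State.ACTIVE,
    ("renew", State.ACTIVE): State.ACTIVE,
    ("suspend", State.ACTIVE): State.SUSPENDED,
    ("restore", State.SUSPENDED): State.ACTIVE,
    ("revoke", State.ACTIVE): State.REVOKED,
    ("revoke", State.SUSPENDED): State.REVOKED,
}
VALIDITY = timedelta(days=365)  # constructed validity period

@dataclass
class Credential:
    identity_id: str               # identifier of the enterprise identity
    sponsor: str                   # who authorized the request
    state: State = State.SPONSORED
    expires: Optional[date] = None
    audit: list = field(default_factory=list)

    def apply(self, action: str, today: date) -> None:
        nxt = TRANSITIONS.get((action, self.state))
        if nxt is None:
            raise ValueError(f"{action!r} not allowed from {self.state.value}")
        if action == "renew" and today > self.expires:
            # The identity continues; the agency issues a new credential.
            raise ValueError("expired: issue a new credential instead")
        if action in ("issue", "renew"):
            self.expires = today + VALIDITY
        self.state = nxt
        self.audit.append((today, action, nxt.value))

    def usable(self, today: date) -> bool:
        # Only an active, unexpired credential may be used to authenticate.
        return self.state is State.ACTIVE and today <= self.expires
```

A replacement credential for the same `identity_id` starts again at `SPONSORED`, which keeps the sponsorship and registration records for every credential an identity has held.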