This is the draft preview of version 3.1 for the Federal Identity, Credential, and Access Management architecture.
Credential Management is how an agency issues, manages, and revokes credentials bound to enterprise identities.
A credential is a data structure that authoritatively binds an authenticator to an existing identity using one or more identifiers. An employee or contractor presents an authenticator, such as a password or a cryptographic module, to assert their identity.
The following are types of authenticators:
- Something you know, like a password or PIN.
- Something you have, like a private key or One-Time Password (OTP) generator.
- Something you are, like a fingerprint or iris.
The Authenticator Assurance Level (AAL) determines the authenticators associated with a credential. Federal government-wide policy requires a minimum Authenticator Assurance Level 2 for employees and contractors.
The following are some examples of credentials:
- You might use a PIV credential that includes a picture, the issuing agency logo, and cryptographic key pairs to assert your identity at a federal facility.
- You might use a combination of credentials, like a username/password with a one-time password generated by a mobile application, to assert your identity to a federal web application.
Unlike identities, credentials can expire. If an enterprise identity continues past a credential’s expiration date, the issuing agency can issue a new credential.
Credential Management Services
The Credential Management services in the Federal ICAM architecture include Sponsorship, Registration, Issuance, Maintenance, and Revocation.
- Sponsorship: Formally establish that a person or entity requires a credential.
  Keywords: Sponsor, Authorizing Official, Affiliation, Request
- Registration: Collect the information needed from a person or entity to issue them a credential.
- Issuance: Assign a credential to a person or entity.
  Keywords: Activation, Token
- Maintenance: Maintain a credential throughout its lifecycle.
  Keywords: Renewal, Reset, Suspension, Reissuance
- Revocation: Withdraw a credential from a person or entity, or deactivate an authenticator.
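The lifecycle above (sponsorship, registration, issuance, maintenance, revocation) together with credential expiration and the AAL2 minimum can be expressed as a small state machine. The following is an added illustration, not code from the FICAM architecture or any agency system: the state names, the transition table, and the rule that AAL2 needs two distinct factor types (taken from NIST SP 800-63B) are assumptions made for this example, and the identity and sponsor values are constructed.

```python
"""Credential lifecycle model (added example, not FICAM code): sponsorship ->
registration -> issuance -> maintenance -> revocation, with expiration and a
two-distinct-factor (AAL2) check. State names and transitions are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # private key, OTP generator
    ARE = "something you are"     # fingerprint, iris


class State(Enum):
    SPONSORED = "sponsored"     # sponsorship: need for a credential established
    REGISTERED = "registered"   # registration: identity information collected
    ACTIVE = "active"           # issuance: credential activated and usable
    SUSPENDED = "suspended"     # maintenance: temporarily withdrawn
    REVOKED = "revoked"         # revocation: permanently withdrawn


# Allowed transitions (assumed); revocation is terminal.
TRANSITIONS = {
    State.SPONSORED: {State.REGISTERED, State.REVOKED},
    State.REGISTERED: {State.ACTIVE, State.REVOKED},
    State.ACTIVE: {State.SUSPENDED, State.REVOKED},
    State.SUSPENDED: {State.ACTIVE, State.REVOKED},
    State.REVOKED: set(),
}

MIN_FACTORS = 2  # AAL2: two distinct factor types (NIST SP 800-63B)


@dataclass
class Credential:
    identity_id: str   # enterprise identity the credential is bound to
    sponsor: str       # authorizing official who requested it
    expires: date
    authenticators: dict = field(default_factory=dict)  # authenticator id -> Factor
    state: State = State.SPONSORED


def distinct_factors(cred):
    """Count distinct factor types among the bound authenticators."""
    return len(set(cred.authenticators.values()))


def transition(cred, new_state, today):
    """Move to new_state, refusing disallowed, under-strength or expired activations."""
    if new_state not in TRANSITIONS[cred.state]:
        raise ValueError(f"cannot go from {cred.state.value} to {new_state.value}")
    if new_state is State.ACTIVE:
        if distinct_factors(cred) < MIN_FACTORS:
            raise ValueError("AAL2 requires two distinct authentication factors")
        if today >= cred.expires:
            raise ValueError("credential has expired; reissue instead")
    cred.state = new_state
    return cred


def is_usable(cred, today):
    """A credential asserts identity only while active and unexpired."""
    return cred.state is State.ACTIVE and today < cred.expires


def renew(cred, new_expiry):
    """Maintenance: extend expiration of a credential that is not revoked."""
    if cred.state is State.REVOKED or new_expiry <= cred.expires:
        raise ValueError("renewal refused")
    cred.expires = new_expiry
    return cred


def revoke_authenticator(cred, auth_id):
    """Deactivate one authenticator; suspend the credential if AAL2 no longer holds."""
    del cred.authenticators[auth_id]
    if cred.state is State.ACTIVE and distinct_factors(cred) < MIN_FACTORS:
        cred.state = State.SUSPENDED
    return cred


def reissue(old, today, validity_days):
    """Issue a fresh credential for the same identity once the old one has
    expired or been revoked; the old one stays revoked and is never reactivated."""
    if old.state is not State.REVOKED and today < old.expires:
        raise ValueError("old credential is still valid; renew instead")
    old.state = State.REVOKED
    return Credential(old.identity_id, old.sponsor, today + timedelta(days=validity_days))


def lifecycle_demo():
    """Walk one constructed credential through the lifecycle; return observations."""
    today, out = date(2024, 1, 15), {}
    cred = Credential("emp-0001", "sponsor-jane", date(2027, 1, 15))
    transition(cred, State.REGISTERED, today)
    cred.authenticators["pin"] = Factor.KNOW
    try:  # a single factor does not meet AAL2, so issuance is refused
        transition(cred, State.ACTIVE, today)
        out["single_factor_issued"] = True
    except ValueError:
        out["single_factor_issued"] = False
    cred.authenticators["piv-key"] = Factor.HAVE
    transition(cred, State.ACTIVE, today)
    out["usable_after_issuance"] = is_usable(cred, today)
    transition(cred, State.SUSPENDED, today)
    out["usable_while_suspended"] = is_usable(cred, today)
    transition(cred, State.ACTIVE, today)
    revoke_authenticator(cred, "piv-key")  # loses a factor type -> auto-suspended
    out["state_after_losing_factor"] = cred.state.value
    cred.authenticators["otp-app"] = Factor.HAVE
    transition(cred, State.ACTIVE, today)
    renew(cred, date(2030, 1, 15))
    out["usable_past_old_expiry"] = is_usable(cred, date(2028, 6, 1))
    out["usable_on_new_expiry"] = is_usable(cred, date(2030, 1, 15))
    try:  # reissue is for expired or revoked credentials only
        reissue(cred, date(2028, 6, 1), 365)
        out["reissue_while_valid"] = True
    except ValueError:
        out["reissue_while_valid"] = False
    new = reissue(cred, date(2030, 2, 1), 365)
    out["old_state_after_reissue"] = cred.state.value
    out["new_state"] = new.state.value
    try:  # a revoked credential cannot be brought back to life
        transition(cred, State.ACTIVE, today)
        out["revoked_reactivated"] = True
    except ValueError:
        out["revoked_reactivated"] = False
    return out
```

The point the model makes is that expiration and revocation are checked on every use, not only at issuance: a suspended or expired credential fails `is_usable` even though the identity behind it persists, and the only path past expiration or revocation is a new credential issued against that same identity.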