Standards and Policies

This page identifies the regulations, standards, and policies that have impacted and shaped the development of today's ICAM programs. Several of them have since been revised, superseded, or rescinded, so confirm the current revision of a document before treating a requirement it states as binding.

ICAM Policies

| Document Title | Description |
|---|---|
| M-04-04: E-Authentication Guidance for Federal Agencies | This guidance requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance (LOA 1 through LOA 4) for electronic transactions requiring authentication. Assurance levels also provide a basis for assessing credential service providers (CSPs) on behalf of Federal agencies. This document assists agencies in determining their E-Government authentication needs. M-04-04 was rescinded by M-19-17 in 2019. |
| M-05-24: Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors | This memorandum provides implementing instructions for Homeland Security Presidential Directive 12 (HSPD-12) and FIPS 201. |
| M-06-18: Acquisition of Products and Services for Implementation of HSPD-12 | This memorandum provides updated direction for the acquisition of products and services for the implementation of HSPD-12, "Policy for a Common Identification Standard for Federal Employees and Contractors," and also reports the status of implementation efforts. |
| M-11-11: Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors | Policy for the continued implementation of HSPD-12; it requires agencies to designate a lead official and issue an implementation policy. |
| HSPD-12: Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors | HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of identification (ID) issued by the Federal Government to its employees and to employees of Federal contractors for access to Federally controlled facilities and networks. |
| The Privacy Act of 1974 | This act protects certain Federal Government records pertaining to individuals. In particular, the Act covers systems of records that an agency maintains and retrieves by an individual's name or other personal identifier (e.g., Social Security Number [SSN]). |
| Final Credentialing Standards | Formally titled Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12, this memorandum provides final government-wide credentialing standards to be used by all Federal departments and agencies in determining whether to issue or revoke Personal Identity Verification (PIV) cards for their employees and contractor personnel, including those who are not United States citizens. |
| Executive Order 13681: Improving the Security of Consumer Financial Transactions | This executive order requires agencies to "strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system." |
| M-16-04: Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government | "The CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur." |

ICAM Standards and Guidance

| Document Title | Description |
|---|---|
| SP 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations | This document provides a catalog of security and privacy controls for Federal information systems and organizations, and a process for selecting controls to protect organizational operations, assets, individuals, other organizations, and the Nation from a diverse set of threats. |
| SP 800-63-2: Electronic Authentication Guidance | This document provides technical guidelines for Federal agencies implementing electronic authentication and covers remote authentication of users interacting with government IT systems over open networks. It defines technical requirements for the four levels of assurance for identity proofing, registration, tokens, management processes, authentication protocols, and related assertions. SP 800-63-2 has since been superseded by SP 800-63-3, which replaces the single four-level assurance scale with separate Identity, Authenticator, and Federation Assurance Levels (IAL, AAL, FAL). |
| SP 800-73-4: Interfaces for Personal Identity Verification | This document specifies the PIV data model, command interface, client application programming interface (API), and references to transitional interface specifications. |
| SP 800-76-2: Biometric Data Specification for Personal Identity Verification | This document contains technical specifications for the biometric data mandated in FIPS 201. These specifications reflect the design goals of interoperability and performance of the PIV card. The specification addresses image acquisition to support the background check, fingerprint template creation, retention, and authentication. The biometric data specification in this document is the mandatory format for biometric data carried in the PIV Data Model (Appendix A of SP 800-73-4). Biometric data used only outside the PIV Data Model is not within the scope of this standard. |
| SP 800-79-2: Guidelines for the Accreditation of Personal Identity Verification Card Issuers | This document provides guidelines for accrediting the reliability of issuers of Personal Identity Verification (PIV) cards, that is, the organizations established to collect, store, and disseminate personal identity credentials and issue smart cards, based on the standards published in response to HSPD-12. |
| SP 800-87: Codes for Identification of Federal and Federally-Assisted Organizations | This document provides the organizational codes that Federal agencies use to construct the Federal Agency Smart Credential Number (FASC-N), which FIPS 201 requires to be included in the Card Holder Unique Identifier (CHUID). SP 800-87 is a companion document to FIPS 201. |
| SP 800-122: Guide for Protecting the Confidentiality of Personally Identifiable Information (PII) | The purpose of this document is to assist Federal agencies in protecting the confidentiality of a specific category of data commonly known as Personally Identifiable Information (PII). It provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for breaches involving PII. |
| SP 800-157: Guidelines for Derived PIV Credentials | This document provides technical guidelines for the implementation of standards-based, secure, reliable, interoperable public key infrastructure (PKI) based identity credentials that Federal departments and agencies issue to individuals who possess, and prove control over, a valid PIV Card. |
| SP 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations | This document provides Federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical access control methodology in which authorization to perform a set of operations is determined by evaluating attributes associated with the subject, the object, the requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. |
| FIPS 201-2: Personal Identity Verification (PIV) of Federal Employees and Contractors | This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled facilities and electronic access to government information systems. |
| Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems | The purpose of this guidance is to define the specifications and standards required to enable agencies to procure and implement hardware and software for physical access control systems (PACS), such that these systems will: operate with the Federal Agency Smart Credential (FASC), such as NIST standards-based Personal Identity Verification (PIV) cards; facilitate cross-agency, Federal enterprise interoperability; and allow existing legacy PACS to operate with FASC-compatible card readers until they are upgraded. |

Other Useful Documentation

| Document Title | Description |
|---|---|
| Federal Investigative Standards: Investigative Standards for Background Investigations for Access to Classified Information | This document provides standards to align suitability and national security investigations under consistent criteria. It applies to investigations performed in support of determinations of eligibility for access to classified information, eligibility to hold a sensitive position, suitability for government employment, and eligibility for physical and logical access. |
| M-05-05: Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services | This memo requires the use of a Shared Service Provider (SSP) to mitigate the risk of commercial managed services for public key infrastructure (PKI) and electronic signatures. |
| Electronic Signatures in Global and National Commerce (ESIGN) Act of 2000 | This act was intended to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically. |
| E-Government Act of 2002 | This act is intended to enhance the management and promotion of electronic Government services and processes by establishing a Federal CIO within the Office of Management and Budget (OMB), and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes. |
| Government Paperwork Elimination Act of 1998 (GPEA) | GPEA requires Federal agencies, by October 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable. The Act specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form, and it encourages Federal Government use of a range of electronic signature alternatives. |
| E.O. 13467: Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information | This order was established to ensure an efficient, practical, reciprocal, and aligned system for investigating and determining suitability for Government employment, contractor employee fitness, and eligibility for access to classified information. |
| UCore | Universal Core (UCore) is a Federal initiative that supports the National Information Sharing Strategy and all associated Departmental/Agency strategies. UCore enables information sharing by defining an implementable specification (XML Schema) containing agreed-upon representations for the most commonly shared and universally understood concepts of Who, What, When, and Where. |
| NIEM | NIEM, the National Information Exchange Model, is a partnership of the Department of Justice and the Department of Homeland Security (DHS). It is designed to develop, disseminate, and support enterprise-wide information exchange standards and processes that enable jurisdictions to effectively share critical information in emergency situations, as well as to support the day-to-day operations of agencies throughout the nation. |