
Standards and Policies

Review the federal policies and standards that shape the implementation of ICAM programs and systems.


M-05-24: Implementation of Homeland Security Presidential Directive 12 (HSPD-12) Policy for a Common Identification Standard for Federal Employees and Contractors
    This memorandum provides implementing instructions for HSPD-12 and FIPS 201.

HSPD-12: Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors
    HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of identification (ID) issued by the Federal Government to its employees and to employees of federal contractors, for access to federally controlled facilities and networks.

The Privacy Act of 1974
    This Act protects certain Federal Government records pertaining to individuals. In particular, the Act covers systems of records that an agency maintains and retrieves by an individual's name or other personal identifier (e.g., Social Security Number [SSN]).

Final Credentialing Standards
    Formally titled "Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12," this memorandum provides final government-wide credentialing standards to be used by all federal departments and agencies in determining whether to issue or revoke Personal Identity Verification (PIV) cards for their employees and contractor personnel, including those who are not United States citizens.

Executive Order 13681: Improving the Security of Consumer Financial Transactions
    This executive order requires agencies to strengthen the security of consumer data and to encourage the adoption of enhanced safeguards nationwide, in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.

M-16-04: Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government
    The CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, to enhance protection of government assets and information, and to further develop response and recovery capabilities so that agencies are ready and resilient when incidents inevitably occur.

M-19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management
    This memorandum sets forth the Federal Government's Identity, Credential, and Access Management (ICAM) policy.

Standards and Guidance

SP 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
    This document provides a catalog of security and privacy controls for federal information systems and organizations, and a process for selecting controls to protect organizational operations, assets, individuals, other organizations, and the Nation from a diverse set of threats. Revision 4 has since been superseded by Revision 5 (September 2020); check which revision an authorization package is baselined against.

SP 800-63-3: Digital Identity Guidelines
    These technical guidelines supersede NIST SP 800-63-2. Agencies use them as part of the risk assessment and implementation of their digital services. The guidelines limit the impact of an authentication error by separating identity assurance into discrete components. For non-federated systems, agencies select two components, the Identity Assurance Level (IAL) and the Authenticator Assurance Level (AAL). For federated systems, agencies also select a third component, the Federation Assurance Level (FAL).

SP 800-73-4: Interfaces for Personal Identity Verification
    This document specifies the PIV data model, the card command interface, the client application programming interface (API), and references to transitional interface specifications.

SP 800-76-2: Biometric Data Specification for Personal Identity Verification
    This document contains the technical specifications for the biometric data mandated in FIPS 201. These specifications reflect the design goals of interoperability and performance of the PIV card. The specification addresses image acquisition to support the background check, fingerprint template creation, retention, and authentication. The biometric data specification in this document is the mandatory format for biometric data carried in the PIV Data Model (Appendix A of SP 800-73-1). Biometric data used only outside the PIV Data Model is not within the scope of this standard.

SP 800-79-2: Guidelines for the Accreditation of Personal Identity Verification Card Issuers
    This document provides guidelines for accrediting the reliability of PIV card issuers, the entities established to collect, store, and disseminate personal identity credentials and to issue smart cards, based on the standards published in response to HSPD-12.

SP 800-87: Codes for Identification of Federal and Federally-Assisted Organizations
    This document provides the organizational codes federal agencies use to construct the Federal Agency Smart Credential Number (FASC-N), which must be included in the FIPS 201 Cardholder Unique Identifier (CHUID). SP 800-87 is a companion document to FIPS 201.

SP 800-122: Guide for Protecting the Confidentiality of Personally Identifiable Information (PII)
    This document assists federal agencies in protecting the confidentiality of a specific category of data commonly known as Personally Identifiable Information (PII). It provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII, suggests safeguards that may offer appropriate levels of protection, and provides recommendations for developing response plans for breaches involving PII.

SP 800-157: Guidelines for Derived PIV Credentials
    This document provides technical guidelines for implementing standards-based, secure, reliable, interoperable public key infrastructure (PKI) based identity credentials that federal departments and agencies issue to individuals who possess, and prove control over, a valid PIV Card.

SP 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations
    This document provides federal agencies with a definition of attribute-based access control (ABAC). ABAC is a logical access control methodology in which authorization to perform a set of operations is determined by evaluating attributes associated with the subject, the object, the requested operations and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.

FIPS 201-2: Personal Identity Verification (PIV) of Federal Employees and Contractors
    This document specifies the architecture and technical requirements for a common identification standard for federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to federally controlled facilities and electronic access to government information systems. FIPS 201-3 (January 2022) has since superseded this revision.

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems
    This guidance defines the specifications and standards agencies need in order to procure and implement hardware and software for physical access control systems (PACS), such that these systems operate with the Federal Agency Smart Credential (FASC), such as NIST-standards-based PIV cards; facilitate cross-agency, federal enterprise interoperability; and allow existing legacy PACS to operate with FASC-compatible card readers until those systems are upgraded.
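SP 800-162 describes ABAC as evaluating subject, object, action and environment attributes against policy rules. The following is an added example written for this page, not code from NIST or from any agency ICAM program: a small deny-by-default policy decision point in Python. The attribute names, the four rules, and the sample subjects, resource and environments are constructed assumptions for illustration only. It also shows the two failure modes a practitioner cares about: a deny rule overriding a permit, and a request with a missing attribute being reported as a deny rather than falling through to a permit.

```python
"""Minimal ABAC policy decision point (PDP), constructed for illustration.

Attributes of the subject, object, requested action and environment are
evaluated against a list of rules. Deny rules override permit rules, and a
request that matches no permit rule is denied.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str        # "permit" or "deny"
    condition: Condition


@dataclass
class AccessRequest:
    subject: Attrs     # who is asking (agency, roles, authenticator assurance, ...)
    obj: Attrs         # the resource (owning agency, sensitivity, ...)
    action: str        # requested operation
    env: Attrs         # environment conditions (time, network location, ...)


# Hypothetical policy. Attribute names and values are assumptions for this example.
POLICY: List[Rule] = [
    Rule("revoked-or-suspended-credential", "deny",
         lambda s, o, a, e: s["credential_status"] != "active"),
    Rule("pii-only-from-agency-network", "deny",
         lambda s, o, a, e: o["sensitivity"] == "pii" and not e["on_agency_network"]),
    Rule("read-within-own-agency", "permit",
         lambda s, o, a, e: a == "read"
         and s["agency"] == o["owner_agency"]
         and s["auth_aal"] >= o["min_aal"]),
    Rule("modify-by-records-officer-in-hours", "permit",
         lambda s, o, a, e: a == "modify"
         and "records_officer" in s["roles"]
         and s["auth_aal"] >= 2
         and 8 <= e["time"].hour < 18),
]


def evaluate(policy: List[Rule], req: AccessRequest) -> Tuple[str, List[str]]:
    """Return (decision, names of rules that matched).

    Combining algorithm: deny-overrides with deny-by-default. A rule whose
    condition cannot be evaluated (missing or mistyped attribute) makes the
    result indeterminate, which is reported as a deny, never as a permit.
    """
    matched: List[str] = []
    permit_seen = False
    for rule in policy:
        try:
            applies = bool(rule.condition(req.subject, req.obj, req.action, req.env))
        except (KeyError, TypeError, AttributeError):
            matched.append(f"{rule.name}:indeterminate")
            return "deny", matched
        if not applies:
            continue
        matched.append(rule.name)
        if rule.effect == "deny":
            return "deny", matched          # a matching deny ends evaluation
        permit_seen = True
    return ("permit" if permit_seen else "deny"), matched


def decide(subject: Attrs, obj: Attrs, action: str, env: Attrs) -> str:
    return evaluate(POLICY, AccessRequest(subject, obj, action, env))[0]


# Constructed sample attributes (not real people, records or agencies' data).
ALICE = {"agency": "GSA", "roles": ["records_officer"], "auth_aal": 3,
         "credential_status": "active"}
BOB = {"agency": "GSA", "roles": [], "auth_aal": 2, "credential_status": "revoked"}
NO_STATUS = {"agency": "GSA", "roles": [], "auth_aal": 3}   # attribute missing
PII_RECORD = {"owner_agency": "GSA", "sensitivity": "pii", "min_aal": 2}
ON_NET_DAY = {"on_agency_network": True,
              "time": datetime(2024, 3, 12, 10, 30, tzinfo=timezone.utc)}
ON_NET_NIGHT = {"on_agency_network": True,
                "time": datetime(2024, 3, 12, 23, 0, tzinfo=timezone.utc)}
OFF_NET_DAY = {"on_agency_network": False,
               "time": datetime(2024, 3, 12, 10, 30, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for who, act, where in [(ALICE, "read", ON_NET_DAY), (ALICE, "read", OFF_NET_DAY),
                            (ALICE, "modify", ON_NET_DAY), (ALICE, "modify", ON_NET_NIGHT),
                            (BOB, "read", ON_NET_DAY), (NO_STATUS, "read", ON_NET_DAY)]:
        print(act, evaluate(POLICY, AccessRequest(who, PII_RECORD, act, where)))
```

The order of rules in POLICY only affects which rule names are reported; the decision is the same whichever order the deny rules are checked in, because any matching deny wins. Treating an unevaluable rule as a deny is the conservative choice: an attribute that a policy information point failed to supply should never be the reason access is granted.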

Other References

Electronic Signatures in Global and National Commerce (ESIGN) Act of 2000
    This Act was intended to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically.

E-Government Act of 2002
    This Act is intended to enhance the management and promotion of electronic Federal Government services and processes by establishing a Federal CIO within the Office of Management and Budget (OMB) and by establishing a broad framework of measures that require the use of Internet-based information technology to enhance citizen access to government information and services, and for other purposes.

Government Paperwork Elimination Act of 1998 (GPEA)
    GPEA required federal agencies, by October 21, 2003, to give individuals and entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable. The Act specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form. It also encourages Federal Government use of a range of electronic signature alternatives.

E.O. 13467: Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information
    This executive order was established to ensure an efficient, practical, reciprocal, and aligned system for investigating and determining suitability for Federal Government employment, contractor employee fitness, and eligibility for access to classified information.

NIEM
    The National Information Exchange Model (NIEM) is a partnership of the Department of Justice (DOJ) and the Department of Homeland Security (DHS). It is designed to develop, disseminate, and support enterprise-wide information exchange standards and processes that enable jurisdictions to share critical information effectively in emergency situations and that support the day-to-day operations of agencies throughout the Nation.