
Credential Management

Credential Management is how an agency issues, manages, and revokes credentials bound to enterprise identities.

A credential is a data structure that authoritatively binds an authenticator to an existing identity using one or more identifiers.

The following are types of authenticators:

  • Something you know, like a password or PIN.
  • Something you have, like a private key or One-Time Password (OTP) generator.
  • Something you are, like a fingerprint or iris.

The Authenticator Assurance Level (AAL) determines which authenticators may be associated with a credential. Federal government-wide policy requires a minimum of Authenticator Assurance Level 2 for employees and contractors.

The following are some examples of credentials:

  • You might use an agency-issued smart card, such as a PIV or CAC, that includes a picture and cryptographic key pairs to assert your identity at a federal facility.
  • You might use a combination of credentials, like a username/password with a one-time password generated by a mobile application, to assert your identity to a federal web application.

Unlike identities, credentials can expire. If an enterprise identity continues past a credential’s expiration date, the issuing agency can issue a new credential.

Credential Management Services

The Credential Management services in the Federal ICAM architecture include Sponsorship, Registration, Generation & Issuance, Maintenance, and Revocation.

Sponsorship

Formally establish that a person or entity requires a credential.

Keywords: Sponsor, Authorizing Official, Affiliation, Request

Registration

Collect the information needed from a person or entity to issue them a credential.

Keyword: Enrollment

Generation & Issuance

Assign a credential to a person or entity.

Keywords: Activation, Token, Authenticator

Maintenance

Maintain a credential throughout its lifecycle.

Keywords: Renewal, Reset, Suspension, Reissuance

Revocation

Revoke a credential from a person or entity, or deactivate an authenticator.

Keyword: Termination
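As an added illustration (not FICAM or agency code), the following Python model ties the definitions above together: a credential binds an authenticator to an enterprise identity, moves only through the states the five services describe, expires independently of the identity, and is replaced by reissuance rather than extended past revocation. The state names, transition table, and sample identity and authenticator labels are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class State(Enum):
    SPONSORED = "sponsored"    # Sponsorship: need for a credential established
    REGISTERED = "registered"  # Registration: enrollment data collected
    ISSUED = "issued"          # Generation & Issuance: credential activated
    SUSPENDED = "suspended"    # Maintenance: temporarily unusable
    REVOKED = "revoked"        # Revocation: terminal state

# Allowed lifecycle transitions (constructed); revocation is possible from any live state.
TRANSITIONS = {
    State.SPONSORED: {State.REGISTERED, State.REVOKED},
    State.REGISTERED: {State.ISSUED, State.REVOKED},
    State.ISSUED: {State.SUSPENDED, State.REVOKED},
    State.SUSPENDED: {State.ISSUED, State.REVOKED},
    State.REVOKED: set(),
}

def iso(s: str) -> date:  # helper for constructed sample dates
    return date.fromisoformat(s)

@dataclass
class Credential:
    identity_id: str    # identifier of the enterprise identity being bound
    authenticator: str  # constructed label, e.g. "piv-card" or "totp-app"
    expires: date
    state: State = State.SPONSORED

    def advance(self, new_state: State) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state.value} -> {new_state.value} not allowed")
        self.state = new_state

    def renew(self, today: date, days: int) -> None:
        # Maintenance: only an issued credential can have its validity extended.
        if self.state is not State.ISSUED:
            raise ValueError("only an issued credential can be renewed")
        self.expires = today + timedelta(days=days)

    def is_usable(self, today: date, identity_active: bool) -> bool:
        # Issued, not yet expired, and still bound to a live identity.
        return self.state is State.ISSUED and today < self.expires and identity_active

def reissue(old: Credential, today: date, days: int) -> Credential:
    """Revoke the old credential and issue a new one: the identity persists, the credential is replaced."""
    if old.state is not State.REVOKED:
        old.advance(State.REVOKED)
    return Credential(old.identity_id, old.authenticator, today + timedelta(days=days), State.ISSUED)
```

Suspension leaves the credential bound but unusable, whereas revocation is final; a new credential for the same identity comes only from reissuance.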