Standards and Policies
Review the federal policies and standards that impact and shape the implementations of ICAM programs and systems.
Each section of this page lists documents in reverse chronological order, with the most recent documents first.
The Privacy Act of 1974 (September 2015)
This Act protects certain federal government records pertaining to individuals. In particular, the Act covers systems of records that an agency maintains and retrieves by an individual’s name or other personal identifier, such as a Social Security Number.
Federal Information Security Modernization Act (FISMA) of 2014 (December 2014)
This Act provides a framework for measuring the effectiveness of federal information systems, and it calls for the development and implementation of continuous monitoring oversight mechanisms. It also acknowledges federal agencies should take advantage of commercially available security products (including software, hardware, etc.) that often provide robust information security solutions.
E-Government Act of 2002 (December 2002)
This Act enhances the management and promotion of electronic federal services and processes by establishing a Federal CIO within the Office of Management and Budget (OMB) and by establishing a broad framework of measures that require using Internet-based information technology (IT) to enhance citizen access to government information and services and for other purposes.
This Act facilitates the use of electronic records and electronic signatures in interstate and foreign commerce by ensuring the validity and legal effect of electronic contracts.
Government Paperwork Elimination Act of 1998 (GPEA) (October 1998)
This Act requires federal agencies to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically when possible and to maintain records electronically when possible. This Act specifically states that electronic records and their related electronic signatures cannot be denied legal effect, validity, or enforceability just because they are in electronic form. This Act also encourages federal government use of a range of electronic signature alternatives.
Temporary. This memorandum sets forth temporary procedures for the vetting and appointment of federal personnel, collection of biometrics for federal employment, and employment authorization and eligibility.
M 20-19: Harnessing Technology to Support Mission Continuity (PDF, March 2020)
Temporary. This memorandum directs that agencies utilize technology to the greatest extent practicable to support mission continuity during the national emergency. By aggressively embracing technology to support business processes, the federal government is better positioned to maintain the safety and well-being of the federal workforce and the American public while supporting the continued delivery of vital mission services. The set of frequently asked questions are intended to provide additional guidance and further assist the IT workforce as it addresses impacts.
This memorandum sets forth the federal government’s ICAM policy. To ensure secure and efficient operations, agencies of the federal government must be able to identify, credential, monitor, and manage subjects that access federal resources. This includes information, information systems, facilities, and secured areas across their respective enterprises. In particular, how agencies conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of their services as well as individuals’ privacy.
With the creation of the HVA initiative in 2015, the federal government’s CFO Act agencies took a pivotal step toward identifying their most critical assets. DHS, in coordination with OMB, established a capability to assess agency HVAs, resulting in the identification of critical areas of weakness and plans to remediate those weaknesses. This memorandum establishes three possible categories for designating federal information or a federal information system as an HVA: Informational Value, Mission Essential, or Federal Civilian Enterprise Essential (FCEE). It also updates the required approach for agencies to report, assess, and remediate HVAs to protect against cyberattacks.
This executive order authorizes federal agency CIOs to ensure that agency IT systems are as modern, secure, and well-managed as possible to reduce costs, mitigate cybersecurity risks, and deliver improved services to the American people.
This executive order places an emphasis on modernizing and securing federal networks and critical infrastructure from the ever-growing threat of cyberattacks.
This circular describes agency responsibilities for implementing the review, reporting, and publication requirements of the Privacy Act of 1974 and related OMB policies.
Circular A-130: Managing Federal Information as a Strategic Resource (PDF, July 2016)
Information and IT resources are critical to the U.S. social, political, and economic well-being. They enable the federal government to provide quality services to citizens, generate and disseminate knowledge, and facilitate greater productivity and advancement as a nation. It is important for the federal government to maximize the quality and security of federal information systems and to develop and implement uniform and consistent information resources management policies in order to inform the public and improve the productivity, efficiency, and effectiveness of agency programs. Additionally, as technology evolves, it is important that agencies manage information systems in a way that addresses and mitigates security and privacy risks associated with new IT resources and new information processing capabilities.
The policy changes in this circular modernize existing efforts by requiring agencies to implement an ERM capability coordinated with the strategic planning and strategic review process established by the Government Performance and Results Act Modernization Act (GPRAMA) and the internal control processes required by the Federal Managers’ Financial Integrity Act (FMFIA) and the Government Accountability Office (GAO)’s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions toward key risks.
OMB M-15-13 calls for “all publicly accessible Federal websites and web services” to only provide service through a secure connection (Hypertext Transfer Protocol Secure; HTTPS) and to use HTTP Strict Transport Security (HSTS) to ensure this. The requirement applies to all public domains and subdomains operated by the federal government, regardless of the domain suffix, as long as they are reachable over HTTP/HTTPS on the public internet. The Compliance Guide: HTTPS-Only Standard provides implementation guidance from the White House Office of Management and Budget for agencies as they manage their transition to HTTPS.
Executive Order 13681: Improving the Security of Consumer Financial Transactions (PDF, October 2014)
This executive order requires agencies to strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.
This memorandum provides final government-wide credentialing standards to be used by all federal departments and agencies in determining whether to issue or revoke PIV credentials to their employees and contractor personnel, including those who are non-United States citizens.
This memorandum provides implementation instructions for HSPD-12 and Federal Information Processing Standards (FIPS) 201.
HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and employees of federal contractors for access to federally controlled facilities and networks.
NIST SP 800-205: Attribute Considerations for Access Control Systems (PDF, June 2019)
This guideline provides federal agencies with information for implementing attributes in access control systems. Attributes enable a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document outlines factors which influence attributes that an authoritative body must address when standardizing an attribute system and proposes some notional implementation suggestions for consideration.
This guideline provides resources for using PIV credentials in facility access, enabling federal agencies to operate as government-wide interoperable enterprises. This guideline covers the risk-based strategy to select appropriate PIV authentication mechanisms as expressed within FIPS 201.
NIST SP 800-63-3: Digital Identity Guidelines (June 2017)
Agencies use these guidelines as part of the risk assessment and implementation of their digital service(s). These guidelines mitigate the negative impacts of an authentication error by separating identity assurance into its individual component parts.
This guideline focuses on the enrollment and verification of an identity for use in digital services. Central to this is a process known as identity proofing in which an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert that identification at an Identity Assurance Level (IAL). This document defines technical requirements for each of the three IALs.
These guidelines focus on the authentication of subjects interacting with government systems over open networks, establishing that a given claimant is a subscriber who has been previously authenticated. The result of the authentication process may be used locally by the system performing the authentication or may be asserted elsewhere in a federated identity system. This document defines technical requirements for each of the three Authentication Assurance Levels (AALs).
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the use of federated identity and the use of assertions to implement identity federations. Federation allows a given CSP to provide authentication and (optionally) subscriber attributes to a number of separately administered relying parties. Similarly, relying parties may use more than one CSP.
NIST SP 800-73-4: Interfaces for PIV (PDF, February 2016)
This guideline specifies the PIV data model, command interface, client application programming interface (API), and references to transitional interface specifications.
The guideline specifies the assessment for the reliability of issuers of PIV credentials and Derived PIV credentials. The reliability of an issuer is of utmost importance when a federal agency is required to trust the identity credentials of individuals that were created and issued by another federal agency.
This guideline provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations, assets, individuals, other organizations, and the Nation from a diverse set of threats.
This guideline provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development lifecycle, are consistent with the security and privacy controls in NIST SP 800-53, Revision 4.
NIST SP 800-157: Guidelines for Derived PIV Credentials (PDF, December 2014)
This guideline provides technical instructions for the implementation of standards-based, secure, reliable, interoperable public key infrastructure (PKI) based identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV credential.
This guideline provides federal agencies with a definition of ABAC. ABAC is a logical access control methodology in which authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.
FIPS 201-2: PIV of Federal Employees and Contractors (PDF, August 2013)
This standard specifies the architecture and technical requirements for a common identification standard for federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to federally controlled government facilities and electronic access to government information systems.
NIST SP 800-76-2: Biometric Data Specification for PIV (PDF, July 2013)
This guideline contains technical specifications for biometric data mandated in FIPS. These specifications reflect the design goals of interoperability and performance of the PIV credential. This specification addresses image acquisition to support the background check, fingerprint template creation, retention, and authentication. The biometric data specification in this document is the mandatory format for biometric data carried in the PIV Data Model (SP 800-73-1, Appendix A). Biometric data used only outside the PIV Data Model is not within the scope of this standard.
This guideline assists federal agencies in protecting the confidentiality of a specific category of data commonly known as PII. This document provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for breaches involving PII.
The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk (that is, the risk to the organization or to individuals associated with the operation of a system). The management of organizational risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for a system (the security controls necessary to protect individuals and the operations and assets of the organization).
NIST SP 800-63 Frequently Asked Questions (FAQs) (July 2020)
The Frequently Asked Questions for NIST SP 800-63-3: Digital Identity Guidelines answers recurring questions to provide additional clarification.
NIST SP 800-63-3 Implementation Resources (PDF, July 2020)
These resources are intended as informative implementation guidance for NIST SP 800-63-3. These implementation resources provide guidance for SP 800-63-3 in three parts: Part A addresses SP 800-63A, Part B addresses SP 800-63B, and Part C addresses SP 800-63C.
NIST: Privacy Framework (PDF, January 2020)
The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. The Privacy Framework approach to privacy risk is to consider privacy events as potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete lifecycle from data collection through disposal.
NIST White Paper: Best Practices for Privileged User PIV Authentication (PDF, April 2016)
This white paper was developed in response to the Cybersecurity Strategy and Implementation Plan to explain the need for multifactor PIV-based user authentication for privileged users. It provides best practices for agencies implementing PIV authentication for privileged users.
The Continuous Diagnostics and Mitigation (CDM) Program is an approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to support them in improving their respective security posture. The CDM approach focuses on five areas for the federal enterprise: Data Protection Management, Network Security Management, Identity and Access Management, Asset Management, and Monitoring and Dashboards.
Application Rationalization Playbook (PDF, June 2019)
This playbook is a practical guide for application rationalization and IT portfolio management under the federal government’s Cloud Smart initiatives. Application rationalization will help federal agencies mature IT portfolio management capabilities, empower leaders to make informed decisions, and improve the delivery of key mission and business services. It requires buy-in from stakeholders across the enterprise, including senior leaders, technology staff members, cybersecurity experts, business leads, financial practitioners, acquisition and procurement experts, and end user communities. Rationalization efforts rely on leadership support and continual engagement with stakeholders to deliver sustainable change.