Capital Planning and Investment Control (CPIC)
Use the Capital Planning and Investment Control (CPIC) approach to align investments with your agency’s mission, support business needs, reduce risk, and increase returns. The CPIC process includes:
- Strategic planning.
- Enterprise architecture (EA).
- Privacy and security.
- Portfolio management.
- Procurement and acquisition management of capital assets.
The pages that follow describe the CPIC process as it applies to your agency’s Identity, Credential, and Access Management (ICAM) program.
The main product of the Capital Planning and Investment Control (CPIC) process is the Exhibit 300, a document explaining the capital asset plan and business case. Your agency will write and review Exhibit 300s annually for both new and existing capital investments. The following sections describe the areas your agency will need to consider to construct an Exhibit 300 for your Identity, Credential, and Access Management (ICAM) program.
Enterprise Approach for ICAM Investments
Traditionally, some agencies submit separate Exhibit 300 investment requests for various ICAM activities, such as PIV credentialing, Enterprise Single Sign On, physical access control systems (PACS) modernization, or enterprise identity management solutions. In budget submissions, you should coordinate your capital planning efforts across ICAM workstreams and Exhibit 300 business cases. This coordination helps reduce redundant ICAM investments across agency components or bureaus.
Enterprise ICAM Solutions in CPIC Processes
Identify key criteria that align investments with ICAM. Communicate any changes to the relevant stakeholders and CPIC process participants.
The following list includes things you should consider in each phase of the standard CPIC process.
- Preselect. Assess the business needs and resource requirements for the investment. Investment business plans should state use of the PIV credential or authentication within the security planning and educate the Investment Review Board on ICAM requirements.
- Select. Select investments that best support the mission and approach. Review your ICAM investment for alignment with the FICAM Architecture relative to accounts, authentication, access control, and auditing capabilities. You should evaluate investment data architecture to prevent redundancies in identity data collection.
- Control. Use quality control and executive review to ensure your ICAM investments will deliver the projected benefits. You should make sure your agency’s investment aligns with your agency’s ICAM infrastructure. You should also oversee integration with enterprise ICAM services.
- Evaluate. Analyze whether the investments have delivered expected results while remaining cost effective. Investments should demonstrate return on investment (ROI) through the use of ICAM infrastructure security services. You should also determine opportunities to improve efficiency and update investments as enterprise ICAM capabilities mature.
The following table includes common ICAM-related cost categories that you can use to help determine and report your agency’s ICAM costs in an organized manner.
|New User Identity Assurance||Costs associated with identity proofing new users at the necessary identity assurance levels for enterprise users and public users (for mission applications).|
|Integration||Integration costs from contractor services and additional software or hardware required for testing.|
|Software||Cost of software, including licenses and maintenance fees, that could be decommissioned or redeployed across all environments for development, testing, and production.|
|Service Desk||Costs associated with the number of password-related calls received by an agency.|
|IT Operations Services||Costs of backups, monitoring, new development, and enhancements across all environments for development, testing, and production.|
|Training||Costs associated with training and creating or acquiring materials for new software and services installation, integration, maintenance, business processes, and end-user support.|
|Policy Compliance||Costs associated with bringing the system into compliance with ICAM policies.|
Funding for ICAM Solutions
You may find challenges in funding and implementing the investment when equipment and services will likely be purchased centrally. Here are some approaches that other agencies have taken to fund their ICAM workstreams:
- Incorporate costs into existing investments. You don’t need a separate investment for an implementation like an enterprise Physical Access Control System (PACS) solution. You can include the costs for PACS modernization into an existing business case.
- Investment business case. Create a new investment request to fund an ICAM workstream implementation at the enterprise level. This business case should include details of how the proposed investment would support the agency’s mission.
- Working capital fund. Use a fund that can provide financing to agencies without annual appropriation by Congress for operations that generate receipts. This funding method works well for an agency that offers an enterprise PACS as a centralized service and has a cost recovery structure across the agency’s bureaus or components.
Evaluate Factors to Estimate Solution Cost
After you choose a solution, you can estimate costs. The following tables include common characteristics that you should examine not only to determine expenses but also to compare the potential cost savings of various solutions.
Physical Access Control Systems (PACS) Evaluation Factors
|Facility Size||The number of users requiring access to a facility impacts the level of administrative effort needed to provision user accounts and manage access privileges.|
|PACS Service Level||Determine whether you should explore enterprise-level solutions. For example, an agency hosting a server for its bureaus and components can provide cost savings and better efficiency.|
|Population Analysis||Examine user populations (for example, employees, contractors, and federal and non-federal facility tenants) to determine the types of groups requiring access. Consider complex user populations when you decide which PACS solution to implement. Also, consider the ability to scale as modernization continues, and your user base changes over time.|
|Number of PACS||The number of physical access control systems (PACS) within an agency often dictates implementation time and can significantly affect implementation cost, depending on the resources’ connection requirements.|
|Type of PACS||The type of PACS varies based on the vendors, platforms, operating systems, products, and databases that are in use across your organization. These variables impact the complexity of integrating resources with the PACS infrastructure and require different integration processes.|
|Existing PACS Investments||Your agency may have investments in place that can provide physical access services consistent with the modernized ICAM segment architecture. You should use those investments when possible, as they can help achieve a modernized PACS state without requiring significant investment from the organization.|
|Credentials Supported||Examine the types of credentials that the PACS must support (including PIV-I) and incorporate any costs associated with validating acceptable credentials.|
|Protection Areas||Consider the number or combination of protection areas (Limited, Exclusion, or Controlled) when determining program costs. For example, a high number of exclusion protection areas may increase costs due to the added level of access control required to protect those areas.|
LACS Evaluation Factors
Logical access control system (LACS) projects give your agency the potential for significant ROI in the form of cost avoidance, reallocation of resources, productivity gains, and reduced administrative burden. To realize these benefits, when you plan a new or modify an existing LACS investment, you should assess your agency’s organizational structure, identity stores, access control processes, and IT resources.
|Organizational Size||The number and type of users requiring access to agency IT resources, as well as the turnover rate of users, significantly impacts the level of administrative effort required to provision user accounts and manage access privileges.|
|Cost Effectiveness||Evaluate the ROI that your agency would gain compared to the upfront investment costs when planning for a LACS investment.|
|Complexity of User Population||Organizations with complex user and role management requirements should consider LACS solutions that offer services in these areas. You can take advantage of user management complexity to streamline existing processes or areas that could otherwise significantly increase implementation costs.
The availability of user repositories can also impact implementation costs.
|Number of IT Resources||The number of IT resources within an agency often dictates implementation time and can significantly affect implementation cost, depending on the resources’ connection requirements.|
|Type of IT Resources||The type of IT resources varies based on the platforms, operating systems, products, and databases that are in use across the organization. These variances impact the complexity of integrating resources with the LACS infrastructure and require different integration processes.|
|Complexity of Integrating with IT Resources||Resource integration complexity is a combination of several factors, including the age of the resource, underlying infrastructure, operating requirements, and user base. These factors indicate how complex it can be to integrate some resources into the modernized LACS infrastructure. Large numbers of complex resources (including mainframe applications) can rapidly increase overall implementation costs. At a high level, the complexity and cost associated with common application types can be grouped as follows:
• Web-based applications – low to moderate complexity
• Client/server applications – moderate to high complexity
• Distributed applications – varied complexity
• Mainframe/legacy applications – high to very high complexity
|Business Goals/Drivers||Internal agency policies, business needs, and required compliance with external federal policies and regulations drive requirements for LACS solutions. Some solutions, while inexpensive, may not always create long term cost savings and may prevent the organization from meeting certain business goals.|
|Workflow Requirements||Examine the complexity of manual and semi-manual workflows used to provision user accounts and access privileges to IT resources. The number and complexity of an agency’s workflows impact the schedule and labor costs associated with implementing some LACS solutions.|
|Organizational IT Infrastructure||Some platforms and operating environments, particularly ones that leverage legacy products, may require additional support or custom configuration to achieve the maximum benefit from LACS solutions. This includes potential costs associated with networking LACS components and high-availability components. Environments that use non-standard operating systems may require additional investment to integrate into a modernized LACS infrastructure.|
|Vendor Product Compatibility and Interoperability with Existing Infrastructure||If your agency is considering a commercial off-the-shelf (COTS) identity and access management (IAM) product suite, you should assess the integration approach of these products for interoperability, and find the best fit for your agency. You should also investigate the availability of enterprise software licenses, as these can significantly lower acquisition costs and influence your agency’s make or buy decision.|
When planning to acquire Identity, Credential, and Access Management (ICAM) products and services, your agency must comply with specified regulations and policies.
Review the Approved Products Lists
The FIPS 201 Evaluation Program was developed to organize and define a standard approval process for Physical Access Control Systems and PIV credential card stockthese products and services. All required NIST validation and GSA testing must be met to be an approved product or service for Physical Access Control Systems and PIV credential card stock. You can find approved products, which have been demonstrated to meet NIST validation and GSA testing and have been qualified, on the FIPS 201 Approved Products List.
You can use multiple GSA Schedules to purchase a resource that’s included on the FIPS 201 APL. When you purchase these products, you must follow OMB Memorandum M-19-17 and use the FIPS 201 APL. It’s your responsibility to stay current on these changes and incorporate them into your planning during regular technology refresh cycles as part of the capital planning and budget process.
The Continuous Diagnostics and Mitigiation (CDM) Program also has an Approved Products List for the federal enterprise that includes additional ICAM capabilities. Section II of CDM encompasses tools and professional services implementation support for identity lifecycle management, identity governance tools, provisioning of accounts, privileged user access management, and enterprise authentication services (such as single sign on solutions).
Continuous Diagnostics and Mitigation tools and professional services can be purchased from GSA Schedules under IT Schedule 70, SIN 132-44.
Identify Contract Vehicles for ICAM Products and Services
In addition to the requirements governing federal acquisitions, there are other resources to support ICAM program acquisition include GSA Schedules and the PACS Customer Ordering Guide.
GSA Schedules are purchasing vehicles for a broad range of products and services. The resources available on the GSA Schedules have pre-approved vendors and pre-negotiated rates. You are not required to use GSA Schedules for acquisition, but they provide quick, flexible, and cost-effective procurement solutions and assist in compliance by including approved products. Here are some examples of common GSA Schedules:
IT Schedule 70
IT Schedule 70 is part of the Multiple Award Schedule (MAS) program and gives agencies direct access to commercial experts who can address the needs of the government IT community through a series of Special Item Numbers (SINs). These SINs cover most of the general-purpose commercial IT hardware, software, and services.
IT Schedule 84
IT Schedule 84 offers PACS-related security solutions for law enforcement, security, facility management, fire, rescue, clothing, marine craft, and emergency and disaster response.
You can purchase resources from both schedules to meet your ICAM implementation needs. For example, you could buy new credential readers for physical access control points from Schedule 84 and services from a system integrator from Schedule 70.
Using GSA Schedules provides the following benefits:
- More competitive rates and potentially lower costs. Regardless of the method used to access Schedules 70 and 84, GSA has already negotiated fair and reasonable prices for these products and services.
- Shorter procurement time. GSA Schedules offer streamlined procurement, as opposed to agency-negotiated contracts, which can be cumbersome and costly. Tools such as eBuy and GSA Advantage are available to assist in ordering from both Schedules.
- Reduced complexity and effort required to perform due diligence. If you purchase products not included on the FIPS-201 approved products list for PIV card stock and physical access control systems (PACS), you are responsible for ensuring that the products meet all applicable federal standards and requirements, ensuring the products conform to applicable federal standards, and maintaining a written plan to ensure ongoing conformance for the life cycle of the components.