Examples and Guidance
We recommend leveraging existing resources to establish your Identity, Credential, and Access Management (ICAM) program and define roles and responsibilities across the enterprise.
On this page, you’ll find guidance to help you implement your ICAM program:
- Agency Examples
- Authorities to Consider
The figure below provides an example of an ICAM governance and program management structure implemented by the Department of Health and Human Services (HHS).
ICAM PMO Charter
For an example of an ICAM Program Management Office (PMO) charter, download the HHS ICAM PMO Governance Charter (MS Word, May 2019).
Authorities to Consider
Executive Order (EO) 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
EO 13800 provides requirements to strengthen the cybersecurity of federal networks, including holding agency heads accountable for managing cybersecurity risk to their enterprises.
“Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.” - EO 13800, Section 1(b)(v).
NIST Risk Management Framework
The NIST Risk Management Framework (RMF) provides an approach to managing organizational risk.
Federal Information Technology Acquisition Reform Act (FITARA) and OMB M-15-14
FITARA, a U.S. law passed in December 2014, gives federal agency CIOs significant roles in IT investments, including:
- Annual and multi-year planning
- Oversight functions
M-15-14 provides implementation guidance for FITARA and assists agencies in establishing effective governance.