Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Program Governance and Leadership

In any Identity, Credential, and Access Management (ICAM) program, you’ll need someone to develop, manage, and enforce agency-specific policies, processes, and performance measures.

About Governance

Governance is the set of practices that help your agency ensure that ICAM operations are successful. Governance helps your agency make decisions, manage enterprise policies, and improve efficiency.

An enterprise governance body develops and implements policies, rules, and procedures to manage the program. They collect data to monitor, analyze, and report on how well your ICAM program conforms with these policies, rules, and procedures. They also serve an important security role to quickly remediate any problems or vulnerabilities within the program before a security or privacy breach occurs. You’ll need to establish a recovery plan to ensure continuity of service to prepare for such an occurrence.

The pages that follow explain how to establish a formal identity management governance structure within your agency.

You don’t have to start from scratch. Instead, model your agency’s ICAM governance structure after existing programs. See the Governance Examples and Guidance section for agency steering committee and PMO examples as well as other authorities to consider.

Governance Body vs. Program Management Office

Governance bodies provide top-down leadership support and guidance across the programs within an agency, while Program Management Offices provide operational support for the day-to-day execution of the tasks within the program.

Program Governance Body

You can create an ICAM program governance body (for example, an Executive Steering Committee) to oversee your ICAM projects and workstreams and align ICAM services and management with your agency’s mission. The agency’s executive leadership will charter the governance body.

An ICAM program governance body can include the following personnel:

  • Chief Information Officer (CIO)
  • Chief Financial Officer (CFO)
  • Chief Security Officer (CSO)
  • Chief Data Officer (CDO)
  • Human Resources (HR)
  • General Counsel
  • Chief Acquisition Officer (CAO)
  • Senior Agency Official for Privacy (SAOP)
  • Senior Agency Official for Physical Security (SAOPS)
  • Agency component organizations that manage ICAM programs and capabilities

The governance body specifies the group’s authority to enforce changes, when necessary, to align ICAM technology, policy, and execution with your agency’s overall mission.

Roles and Responsibilities

We recommend you create a charter to govern the roles and responsibilities of your governance body. A governance body typically performs the following functions:

  • Reviews and approves the program business architecture.
  • Ensures proper resource allocation to ICAM programs and projects.
  • Provides input for, or participates in, the critical development stages of the ICAM program.
  • Provides strategic guidance for cost, schedule, performance, and technical solutions to ensure program success.
  • Provides direction and counsel to the ICAM Program Management Office (PMO).
  • Establishes cross-team collaboration to provide guidance, identify common agency challenges, establish best practices, and share solutions.
  • Takes responsibility for overall stakeholder management, including stakeholders inside the agency, in other federal agencies, and outside the federal government.
  • Creates and approves a process to review ICAM program changes and resolve disputes between ICAM and individual program offices.
  • Reports on program status to oversight organizations, such as the Office of Management and Budget (OMB), Office of Inspector General (OIG), and Government Accountability Office (GAO).
  • Reviews post-implementation evaluations to ensure that ICAM services and programs meet forecasted benefits and outcomes.

Component Governance

A component agency’s interdisciplinary team usually comprises the agency’s ICAM-related program managers and information technology (IT) experts. This team’s purpose is to provide ICAM-related recommendations to the governance body to help drive the ICAM program’s success via a bottom-up approach.

These groups leverage their experience and business context to provide the governance body with strategies, insights, and lessons learned around the following subjects:

  • Risk management and mitigation.
  • Impact of decisions on program executors.
  • Improved buy-in across the agency.

Program Management Office

In addition to a program governance body, you can support the execution and operation of projects and workstreams with a Program Management Office (PMO).

An ICAM PMO complements the program governance body. Some agencies may not require both a program governance body and a PMO; however, larger agencies may need to separate governance and operational responsibility for effective ICAM operations. A PMO ensures individual components of the ICAM program operate efficiently and achieve the expected results within the defined budget and schedule.

For a PMO to be effective, it must:

  • Be chartered to perform the functions as needed.
  • Have the skills and expertise to implement the ICAM program.
  • Have the support of executive leadership.
  • Be allowed to use resources as required.

Organizationally, where should an ICAM PMO be located?

Since ICAM is technology and cybersecurity driven, an ICAM PMO should be structured under technology or cybersecurity leadership.

PMO Roles and Responsibilities

The PMO will typically be responsible for the following functions:

  • Coordinating implementation efforts across ICAM stakeholders and component agency programs. For example:
    • Identity management
    • Credentialing
    • Access management: physical access control systems (PACS)
    • Access management: application access
    • Personnel security
  • Maintaining an enterprise ICAM perspective to ensure all component agency programs align with organizational objectives.
  • Serving as a centralized point of contact for ICAM questions, issues, and concerns.
  • Planning for and securing program funding to execute ICAM capabilities.
  • Handling communications and outreach to both internal and external stakeholders.
  • Managing and resolving program risks and issues across agency office, component, or bureau boundaries.

If your agency separates physical and logical security into separate offices, consider forming an ICAM guidance body with representation from each office to serve the function of a PMO.

PMO Governance Structure

PMOs generally follow standardized project management policies, processes, and methods. Within ICAM, a PMO facilitates communication, including sharing lessons learned inside and outside the agency. It may also serve as an advisor to other agency offices or programs impacted by the ICAM program on addressing ICAM as appropriate within other agency-wide capabilities. An ICAM PMO acts as a central point of contact for the agency’s ICAM program. The PMO is the primary authority to perform acquisition planning tasks and make procurement decisions.

The figure below represents a sample ICAM PMO structure. An agency should design this structure in a way that fosters communication, coordinates efforts, and aligns appropriately with the agency’s overall organizational structure.

Sample ICAM PMO Structure.

Return to top

IDManagement.gov

An official website of the General Services Administration

Looking for U.S. government information and services?
Visit USA.gov

This site is a collaboration between GSA and the Federal CIO Council. It is managed by the Identity Assurance and Trusted Access Division in the GSA Office of Government-wide Policy.

Edit this page