Program leadership and stakeholders need tools to monitor progress, determine program effectiveness, and identify areas of improvement. To accomplish this, assign performance measurements to your agency’s Identity, Credential, and Access Management (ICAM) program.
OMB Memorandum M-19-17 identifies two key performance measurements that help agencies establish effective ICAM governance:
1) Outline enterprise-level performance expectations for cybersecurity and risk management through each user’s lifecycle, including changes in the user’ s access privileges. 2) Streamline and automate enterprise-level performance reporting, aligned with existing and planned reporting and analytics structures and tools, such as the Continuous Diagnostics and Mitigation (CDM) dashboards and Federal Information Security Management Act (FISMA) reporting.
We also recommend that you follow governmentwide ICAM metrics, such as Cross-Agency Priority (CAP) Goals and CIO FISMA metrics. These metrics are an existing foundation for reporting requirements and performance measurement and accomplish the following goals:
- Reduce the time needed to prepare external reports.
- Provide synchronized data points for governmentwide leadership, agency leadership, and program managers.
- Represent comprehensive measurements that cover transactions between the federal government and its employees, contractors, business partners, and citizens.
Incorporate relevant metrics in your Exhibit 300 for any ICAM investment to track investment results and communicate value to your agency.
Tie your agency’s ICAM program accomplishments directly to the responsible individual’s yearly performance plan. This helps leadership and management feel ownership and accountability for the ICAM program’s success.