Enterprise Identity, Credential, and Access Management (ICAM) Policy

Number: 2183.1A CIO
Status: Active
Signature Date: 12/15/2025
Expiration Date: 12/31/2028

Purpose

In accordance with Office of Management and Budget (OMB) Memorandum M-19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management, the Federal Information Technology Acquisition Reform Act (FITARA), and the Federal Information Security Modernization Act (FISMA), this order sets forth the General Services Administration’s (GSA) enterprise-wide ICAM policy and process, and provides a framework for a GSA enterprise ICAM technology solution roadmap and strategy. This order is consistent with agency authorities and operational mission needs. This order incorporates applicable Federal policies, standards, playbooks, and guidelines, and includes roles and responsibilities. New challenges have emerged along with these advances. Identity and access management has become even more critical to GSA’s successful delivery of services.

Background

The Enterprise ICAM Policy provides a single source for identifying applicable ICAM policies and processes. It consolidates existing ICAM guidance and provides a framework for an enterprise-wide ICAM strategy. Advances in technology enable more digital and business transactions, and provide the opportunity to improve service delivery. GSA continues to modernize and consolidate Information Technology (IT) infrastructure and services to save costs, improve efficiency, effectiveness, security, and customer experience. 

To ensure secure and efficient operations, GSA must identify, credential, monitor, and manage identities that access federal resources. These resources include data, information systems, and facilities. GSA must establish enterprise-wide digital identities, and adopt sound processes for authentication and access control. This significantly affects the security, privacy, and delivery of the GSA mission, and enhances the trust and safety of digital transactions with the American public. The Enterprise ICAM Policy is part of larger government-wide mandates to implement identity, authentication, and access control security disciplines. This will enable the right identity to access the right resources, at the right time, for the right reasons. ICAM requires an enterprise-wide approach; to harmonize governance, technology, and acquisition; and to ensure efficient and effective execution in support of our mission and business objectives.

Applicability

  1. This policy applies to all GSA Federal employees, contractors, and vendors of GSA, who manage, maintain, operate, or protect GSA systems or data, all GSA IT systems, and any GSA data contained on or processed by IT systems owned and operated by or on behalf of any of the Services or Staff Offices. It also applies to physical access to GSA owned or leased facilities for GSA Federal employees, contractors, and vendors of GSA.
  2. The provisions of this Order shall not be construed to interfere with, or impede, the legal authorities or independence of the Office of Inspector General or the CBCA.
  3. This Order refers to “identity” in two contexts:
    • Federal Enterprise Identity (or simply Enterprise Identity). Refers to the unique, GSA-managed representation of: GSA personnel as an enterprise user; a device; or a technology. In the context of the federal enterprise, federal enterprise identity may refer to other federal executive branch agency civilian or defense personnel that are managed by the other federal agency, and
    • Public Identity. Refers to the unique representation of: a person as a member of the populace; or persons affiliated with businesses and acting on behalf of the business entity and/or on the legal authority for the business entity.

Cancellation

This Order supersedes CIO 2183.1, Enterprise Identity, Credential, and Access Management (ICAM) Policy.

Summary of Changes

  1. Updated format to comply with OAS 1832.1C, Internal Directives Management.
  2. Updated the Policy section to account for use of Artificial Intelligence.
  3. Removed references to outdated material.

Roles and Responsibilities

ICAM roles and responsibilities are distributed across GSA as follows:

  1. The ICAM Shared Services Portfolio. The ICAM Shared Services Portfolio (ICAM Portfolio), led by the Chief Information Security Officer (CISO), collaborates across IT and business lines to:
    • Develop ICAM strategies to define requirements, eliminate duplicative efforts, identify technology standards, and align ICAM shared service capabilities across the agency.
    • Implement ICAM strategies across GSA organizations.
    • Review the existing ICAM environment to understand capability gaps and recommend improvement opportunities for Chief Information Officer (CIO) and Chief Information Security Officer (CISO) consideration.
    • Evaluate business requirements to chart the future enterprise-wide ICAM environment of GSA.
    • Develop and maintain a GSA enterprise-wide ICAM technology solution roadmap.
    • Collaborate with the Identity, Credentialing and Access Management Sub-Committee (ICAMSC) of the Federal CISO Council to ensure Federal mandates and policies are reviewed and implemented.
  2. Director, ICAM Shared Services Division, Office of the CISO (OCISO). Establishes and manages an ICAM Program for service to GSA IT for:
    • ICAM governance via a Program Management Office (PMO), including developing the policy and program frameworks needed. The ICAM PMO provides dotted-line support to solutions and enterprise shared ICAM services that are managed outside of the OCISO.
    • Research and identify solutions for inclusion in an enterprise-wide ICAM technology solution roadmap from a technical perspective.
  3. Chief Technology Officer (CTO). Manages the GSA IT Standards function. ICAM responsibilities include approving requests for new or updated software solutions (including ICAM) to be added to the GSA IT Standards.
  4. Senior Agency Official for Privacy (SAOP). Responsible for the privacy program at GSA. ICAM responsibilities include:
    • Decide when it is appropriate to notify potentially affected persons of a breach of personally identifiable information (PII).
    • Develop or revise documentation such as System of Records Notices (SORN), Privacy Impact Assessments (PIA), or privacy policies (e.g., Privacy Act Statements, agreements, policies).
    • Evaluate the existing ICAM environment for existing information collections and recommend procedural and technological improvements that align with relevant NIST guidelines and the Fair Information Practice Principles (FIPPs) (e.g., data minimization).
    • Evaluate GSA’s PII inventory to chart the future ICAM environment of GSA.
  5. Director, Infrastructure Management Division, Office of Digital Infrastructure Technologies (IDTO). Responsibilities include: Operate and maintain enterprise solutions supporting digital infrastructure including GSA enterprise IT accounts.
  6. Personnel Security Division, Office of Chief Security Officer, Office of Mission Assurance (OMA). The Personnel Security Division responsibilities include:
    • Manage GSA Access Card issuance, usage and lifecycle maintenance for GSA personnel.
    • Establish and implement the background investigation process for federal employees and contractors; manage background investigations; and determine suitability for employment for public trust positions in accordance with executive orders and Federal laws, as well as Office of Personnel Management (OPM) and Agency regulations, policies, and procedures.
  7. Physical Security Division, Office of Chief Security Officer, Office of Mission Assurance (OMA). The Physical Security Division responsibilities include:
    • Assist with the development of contracting documents (Statement of Work and Independent Government Cost Estimate) for compliant implementation of Physical Access Control Systems.
    • Coordinate security matters in GSA facilities with the Federal Protective Service Headquarters to minimize physical access control issues.