Standards and Policies
This page identifies the regulations, standards, and policies that have impacted and shaped the development of today’s ICAM programs.
ICAM Policies
Document Title | Description |
Streamlining Authentication and Identity Management within the Federal Government (July 3, 2003) | This document provides agency Chief Information Officers (CIOs) with guidance regarding next steps for the E-Authentication Initiative and specific actions that agencies should undertake to support that plan by coordinating and consolidating investments related to authentication and identity management. |
M-04-04: E-Authentication Guidance for Federal Agencies | This guidance requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Assurance levels also provide a basis for assessing CSPs on behalf of Federal agencies. This document will assist agencies in determining their E-Government authentication needs. |
M-05-24: Implementation of Homeland Security Presidential Directive (HSPD) 12- Policy for a Common Identification Standard for Federal Employees and Contractors | This memorandum provides implementing instructions for Homeland Security Presidential Directive 12 (HSPD-12) and FIPS 201. |
M-06-18: Acquisition of Products and Services for Implementation of HSPD-12 | This memorandum provides updated direction for the acquisition of products and services for the implementation of HSPD-12 “Policy for a Common Identification Standard for Federal Employees and Contractors” and also provides status of implementation efforts. |
M-07-06: Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials | This memorandum discusses validation and monitoring agency issuance of Personal Identity Verification (PIV) compliant identity credentials. |
M-08-01: Update of Statistical Area Definitions and Guidance on Their Uses | This memorandum serves as a reminder for agencies to complete background investigations and issue credentials as required for the implementation of HSPD-12. |
Guidance for Homeland Security Presidential Directive (HSPD) 12 Implementation (May 23, 2008) | This document provides guidelines to agencies around planning for the use of Personal Identity Verification (PIV) credentials with physical and logical access control systems. The guideline is to be used to assist in the planning efforts and status of these activities and the HSPD-12 plans that should be available to the OMB, Government Accountability Office (GAO), and the agency’s Inspector General (IG). |
M-11-11: Continued Implementation of Homeland Security Presidential Directive (HSPD) 12- Policy for a Common Identification Standard for Federal Employees and Contractors | Policy for the continued implementation of HSPD-12; requires agencies to designate a lead official and issue an implementation policy. |
HSPD-12: Homeland Security Presidential 12: Policy for a Common Identification Standard for Federal Employees and Contractors | HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of identification (ID) issued by the Federal Government to its employees and employees of federal contractors for access to federally-controlled facilities and networks. |
HSPD-24: Biometrics for Identification and Screening to Enhance National Security | “This directive establishes a framework to ensure that Federal executive departments and agencies use mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information of individuals in a lawful and appropriate manner, while respecting their information privacy and other legal rights under United States law.” |
The Privacy Act of 1974 | This act protects certain Federal Government records pertaining to individuals. In particular, the Act covers systems of records that an agency maintains and retrieves by an individual’s name or other personal identifier (e.g., Social Security Number [SSN]). |
REAL ID Act of 2005 | This statute requires minimum performance standards to improve the integrity and security of state-issued driver’s licenses and identification cards. (Regulations were promulgated by DHS). |
Final Credentialing Standards | Formally titled Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12, this memorandum provides final government-wide credentialing standards to be used by all Federal departments and agencies in determining whether to issue or revoke Personal Identity Verification (PIV) cards to their employees and contractor personnel, including those who are non-United States citizens. |
VanRoekel Memo: Requirements for Accepting Externally-Issued Identity Credentials | This memo requires Federal agencies to begin leveraging externally-issued credentials in addition to offering federally-issued credentials. |
Executive Order 13681: Improving the Security of Consumer Financial Transactions | This executive order requires agencies to “strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.” |
M-16-04: Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government | “The CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur.” |
ICAM Standards and Guidance
Document Title | Description |
HSPD-12 Shared Component Infrastructure Interface Specification Common Elements | This document provides Extensible Markup Language (XML) elements common to [Agency-SIP] and [ESP-SIP]. |
HSPD-12 Shared Component Infrastructure Metadata Management | This document describes SCI metadata management. It captures assumptions the AWG has made about the full life cycle of SCI metadata (definition, distribution, configuration, use, and maintenance). |
System infrastructure Provider to Federal PKI Shared Service Provider Interface Specification | This document provides the interface specification for Systems Infrastructure Provider (SIP) and Federal Public Key Infrastructure (PKI) Shared Service Provider (SSP) data exchange. It is a standard, re-usable shared service specification for Federal Government-wide use, per [SCI Architecture]. Therefore, one should read [SCI Architecture] before reading this specification. |
SP 800-53-4: Security and Privacy Controls for Federal Information Systems and Organizations | This document provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations, assets, individuals, other organizations, and the Nation from a diverse set of threats. |
SP 800-63-2: Electronic Authentication Guidance | This document provides technical guidelines for federal agencies implementing electronic authentication and covers remote authentication of users interacting with government IT systems over open networks. It defines technical requirements for the four levels of assurance for identity proofing, registration, tokens, management processes, authentication protocols, and related assertions. |
SP 800-73-4: Interfaces for Personal Identity Verification | This document specifies the PIV data model, command interface, client application programming interface (API), and references to transitional interface specifications. |
SP 800-76-2: Biometric Data Specification for Personal Identity Verification | This document contains technical specifications for biometric data mandated in [FIPS]. These specifications reflect the design goals of interoperability and performance of the PIV card. This specification addresses image acquisition to support the background check, fingerprint template creation, retention, and authentication. The biometric data specification in this document is the mandatory format for biometric data carried in the PIV Data Model (Appendix A of SP 800-73-1). Biometric data used only outside the PIV Data Model is not within the scope of this standard. |
SP 800-79-2: Guidelines for the Accreditation of Personal Identity Verification Card Issuers | This document provides guidelines for accrediting the reliability of issuers of Personal Identity Verification (PIV) cards that are established to collect, store, and disseminate personal identity credentials and issue smart cards, based on the standards published in response to HSPD-12. |
SP 800-87: Codes for Identification of Federal and Federally-Assisted Organizations | This document provides the organizational codes for federal agencies to establish the FASC-N that is required to be included in the FIPS 201 Card Holder Unique Identifier. SP 800-87 is a companion document to FIPS 201. |
SP 800-103: An Ontology of Identity Credentials, Part 1: Background and Formulation | This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information. |
SP 800-157: Guidelines for Derived PIV Credentials | This document provides technical guidelines for the implementation of standards-based, secure, reliable, interoperable public key infrastructure (PKI) based identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV Card. |
SP 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations | This document provides federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. |
FIPS 201-2: Personal Identity Verification (PIV) of Federal Employees and Contractors | This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems. |
Technical Implementation Guidance Smart Card Enabled Physical Access Control Systems | The purpose of this guidance is to define specifications and standards required to enable agencies to procure and implement hardware and software for PACS, such that these systems will: Operate with the Federal Agency Smart Credential (FASC), such as NIST standards based Personal Identity Verification (PIV) cards; Facilitate cross-agency, federal enterprise interoperability; Allow existing legacy PACS to operate with FASC compatible card readers until the time comes for its upgrade. |
Other Useful Documentation
Document Title | Description |
Federal Investigative Standards: Investigative Standards for Background Investigations for Access to Classified Information | This document provides standards to align suitability and national security investigations under consistent criteria. Applies to investigations performed in support of determinations of eligibility for access to classified information, eligibility to hold a sensitive position, suitability for government employment, and eligibility for physical and logical access. |
M-00-10: OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act | This document provides Executive agencies with the guidance required under Sections 1703 and 1705 of the GPEA, P. L. 105-277, Title XVII. GPEA requires agencies, by October 21, 2003, to provide for the (1) option of electronic maintenance, submission, or disclosure of information, when practicable as a substitute for paper; and (2) use and acceptance of electronic signatures, when practicable. GPEA specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form. |
M-05-22: Transition Planning for Internet Protocol Version 6 (IPv6) | This memorandum and its attachments provide guidance to the agencies to ensure an orderly and secure transition from Internet Protocol Version 4 (IPv4) to Version 6 (IPv6). |
M-06-06: Sample Privacy Documents for Agency Implementation of Homeland Security Presidential Directive (HSPD) 12 | This memorandum includes sample Privacy Act Systems of Records Notices, Privacy Act statements, and a privacy impact assessment developed by a working group of privacy experts. |
M-05-05: Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services | This memo requires the use of an SSP to mitigate the risk of commercial managed services for public key infrastructure (PKI) and electronic signatures. |
M-06-16: Protection of Sensitive Agency Information | The memorandum directs all Federal Agencies and departments to “encrypt all sensitive data on their mobile computers/devices.” |
M-07-16 (esp. Attachment 1): Safeguarding Against and Responding to the Breach of Personally Identifiable Information | As part of the work of the Identity Theft Task Force, this memorandum requires agencies to develop and implement a breach notification policy within 120 days. |
M-07-20: FY 2007 E-Government Act Reporting Instructions | This memorandum provides instructions for completing your agency’s annual E-Government Act report as required by the E-Government Act of 2002 (Pub. L. No. 107-347) (Act). |
HSPD-8: National Preparedness | The purpose of this directive is to “establish policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies by requiring a national domestic all-hazards preparedness goal, establishing mechanisms for improved delivery of Federal preparedness assistance to State and local governments, and outlining actions to strengthen preparedness capabilities of Federal, State, and local entities.” |
HSPD-5: Management of Domestic Incidents | The purpose of this directive is to enhance the ability of the United States to manage domestic incidents by establishing a single, comprehensive national incident management system. |
HSPD-7: Critical Infrastructure Identification, Prioritization, and Protection | This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks. |
Health Insurance Portability and Accountability Act of 1996 (HIPAA) | HIPAA protects the privacy of individually identifiable health information. The Act also provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. |
Electronic Signatures In Global and National (ESIGN) Commerce Act of 2000 | This act was intended to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically. |
Federal Information Security Management Act (FISMA) of 2002 | This act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. |
E-Government Act of 2002 | This act is intended to enhance the management and promotion of electronic Government services and processes by establishing a Federal CIO within the Office of Management and Budget (OMB), and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes. |
Federal Government Intelligence Reform and Terrorism Prevention Act of 2004 | This act contains a variety of measures designed to reform the intelligence community and the intelligence and intelligence-related activities of the United States Government. |
Public Law No: 110-53, The Implementing the 9/11 Commission Recommendations Act of 2007 | This law provides for the implementation of the recommendations of the National Commission on Terrorist Attacks Upon the United States. |
Government Paperwork Elimination Act of 1998 (GPEA) | GPEA requires Federal agencies, by October 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable. The Act specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form, and encourages Federal Government use of a range of electronic signature alternatives. |
Executive Order (E.O.) 12958: Classified National Security Information | Established to have a uniform system for classifying, safeguarding, and declassifying national security information. Changes to the national security threats provide greater opportunity to emphasize the commitment to open Government. |
E.O.12977: Access to Classified Information | Established the ISC to develop standards, policies and best practices for enhancing the quality and effectiveness of physical security in, and the protection of, nonmilitary federal facilities in the United States. |
E.O.13467: Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information | Established to ensure an efficient, practical, reciprocal, and aligned system for investigating and determining suitability for Government employment, contractor employee fitness, and eligibility for access to classified information. |
SP 800-122: Guide for Protecting the Confidentiality of Personally Identifiable Information (PII) | The purpose of this document is to assist Federal agencies in protecting the confidentiality of a specific category of data commonly known as Personally Identifiable Information (PII). This document provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for breaches involving PII. |
FIPS 199: Standards for Security Categorization of Federal Information and Information Systems | FIPS Publication 199 develops standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the Federal Government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. |
UCore | Universal Core (UCore) is a federal initiative that supports the National Information Sharing Strategy and all associated Departmental/Agency strategies. UCore enables information sharing by defining an implementable specification (XML Schema) containing agreed upon representations for the most commonly shared and universally understood concepts of Who, What, When, and Where. |
NIEM | NIEM, the National Information Exchange Model, is a partnership of the Department of Justice and the Department of Homeland Security (DHS). It is designed to develop, disseminate and support enterprise-wide information exchange standards and processes that can enable jurisdictions to effectively share critical information in emergency situations, as well as support the day-to-day operations of agencies throughout the nation. |