Many Federal Agencies Are Struggling to Meet ICAM Requirements


In 2009, the federal government began development of the Identity, Credential, and Access Management (ICAM) architecture to address security weaknesses across agencies in the areas of user identification and authentication. Established by the Office of Management and Budget (OMB), the federal ICAM program provides guidance on IT policies, systems, and standards that help agencies monitor, manage, and secure access to protected IT resources. Agencies are also encouraged to place limits on privileged access and leverage multifactor authentication where possible.

The ICAM framework continues to evolve. On April 6, 2018, the OMB published a draft memorandum titled “Strengthening the Cybersecurity of Federal Agencies through Improved Identity, Credential, and Access Management.” The memo offers new guidance to agencies on implementing and strengthening their ICAM capabilities. It also directs agencies to follow the requirements defined in the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (Special Publication 800-63-3) while continuing to follow Homeland Security Presidential Directive 12 (HSPD-12) requirements for verifying the identities of federal employees and contractors and managing their credentials

However, a recent survey of more than 200 federal IT security professionals found that many agencies have not implemented identity and access management (IAM) basics. The study, conducted by Dimensional Research, found that agency leaders recognize the importance of IAM, but few agencies have fully incorporated the recommended guidelines into their cybersecurity programs.

Nearly all respondents (99 percent) said the ICAM policy has had a positive impact on their IAM practices, while almost three out of five respondents (59 percent) consider it a major positive impact. However, 100 percent of respondents say their agencies have room for improvement. Asked which ICAM focus area requires the most improvement, participants said:

  • Monitoring users (42 percent)
  • Managing users (25 percent)
  • Identifying users (18 percent)
  • Credentialing users (15 percent)

The NIST Digital Identity Guidelines also lack widespread federal agency adoption. According to the study, only 41 percent of agencies said they have met the deadlines as outlined in the ICAM policy. While 49 percent of agencies think they are making progress, 10 percent have yet to act on the guidelines or don’t intend to.

Though the ICAM guidelines do not reference any particular technology, CyberArk’s Core Privileged Access Security platform can help federal agencies meet ICAM requirements. The Enterprise Password Vault secures privileged credentials and makes it possible to rotate those credentials regularly without impacting the production environment or IT productivity. Privileged Session Manager enables IT and security personnel to continuously monitor, record, and track privileged user activity, with a full audit trail and searchable logs.

Clango has extensive expertise in the CyberArk platform and can help federal agencies take advantage of this powerful tool. In addition, we have developed tools that enhance the capabilities of CyberArk, including our CyberArk Analytics Reporting Tool (CART), our CONFIDE password retrieval tool, and our EMBARK system onboarding tool.

We also have a proven track record of success helping federal agencies bolster their cybersecurity strategies. If your agency is struggling to meet ICAM requirements, we invite you to contact us for a no-obligation consultation.


For more information about meeting ICAM requirements, please send us an email at (

Comments Closed.