US Federal Identity, Credential, and Access Management in 2026

2025 was a fast-moving year for changes at every agency and contractor working with the federal government. From agency heads moving, department heads swapping jobs, and headcount changing, every tool and process may be up for review or renewal. Whenever there are reorganizations, retirements, or reductions in force, there are opportunities for attackers to take advantage of change. Having the right credential and privacy management tools in place can help minimize the negative effect of churn.

Far too many organizations have siloed knowledge, talents, or experience within the security system and identity protection structure within an agency. If the guru of the network gets promoted or finds a job in the private sector, there is always a scramble to identify all the documentation and assets that were managed by that position. Likewise, any department is at its most vulnerable when new workers are coming on board, and subject to phishing or other credential-based attacks.

This article gives a new, or even an experienced, project team descriptions of and links to the rules and regulations behind credential lifecycle management, including issuance, renewal, and revocation. A Federal ICAM Program Manager will need to work fast to streamline the many moving parts of this program to reduce human error (and thus the potential for outside meddling), avoid bottlenecks in practice, and support all workforce types - running the gamut from temporary contractors and remote workers to on-site FTE-type users, not to mention service accounts and systems.

What are the FICAM and FIPS 201 Rules?

The FICAM program documentation provides the overarching and high-level structure for federated identities, so let’s dig down into the steps they recommend for setting up process, procedures, tools, and techniques for managing identities within a fungible perimeter.

Top level: Governance. Governance is the group of individuals and policies that determine compliance activities, defining what is important, what is sanctioned, who is allowed to access it and how they are granted that access. Governance should be the overseer of all compliance activities – no matter the resource or nature of the individual or service account.

Second level: Technical and Security Requirements. Generally categorized under FIPS 201, these documents establish a standard for Personal Identity Verification (PIV) systems to meet the control and security objectives of the federal government. For a human agency member or contractor, this means the identity credentials issued by the government, and encompasses requirements for initial identity proofing, the back-end infrastructure to support interoperability of identity credentials, and (importantly!) the accreditation of organizations and processes issuing PIV and PIV-compatible credentials.

Third level: Recognition. Federal policy requirements and FedRAMP maintain a specific list of member and compliant services that are approved for building out a broader FICAM program. Trust services encompass human identities, i.e. PIV or Common Access Card (CAC) hardware credentials, as well as their counterparts: machine-to-machine or software service device identity certificates issued through a public key infrastructure (PKI). The issuance and management of these is far too often siloed within IT departments and largely opaque to many agency managers.

Fourth level: Compliance. Compliance activity completed by individual humans and services, whether second-party (often involving the Office of the Inspector General (OIG)) or third-party, serves as reinforcement, monitoring, or verification that the first three levels are met appropriately, effectively, and without adding risk when humans and services alike are signed on or offboarded.

What processes, procedures, tools, and techniques support ICAM?

As a new or even experienced Federal FICAM Program Manager, the objective is to transition from traditional "castle-and-moat" security to an Identity-First architecture. In a fungible perimeter, where the "edge" shifts based on the user's location, device, and network - identity becomes the only constant.

Tools and Techniques

The first line of defense is establishing phishing-resistant Multi-Factor Authentication (MFA). Following NIST SP 800-63-4, you need to prioritize FIDO2-based authenticators and PIV cards to eliminate credential-based attacks.

To manage access in real time, it is recommended to use attribute-based access control (ABAC). Unlike static roles, ABAC evaluates dynamic "tags" via machine learning, reporting on variables including:

  • User Risk: Behavioral anomalies or recent travel.
  • Device Posture: Patch levels and "Managed" status.
  • Environmental Context: Time of day and GPS location.

Processes and Procedures

The core day-to-day process involves continuous monitoring and verification. Under the existing Zero Trust mandate (OMB M-22-09), we no longer grant "implicit trust" to a user just because they are on a VPN. Instead, you will need to review/implement just-in-time (JIT) provisioning and privileged access management (PAM) technology to ensure credentials only have the necessary permissions for the duration of a specific task.
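To make the ABAC attributes listed above and the JIT duration requirement concrete, here is an added example policy evaluator (not code from the original article or from any Axiad product). The attribute encoding, the risk scale, the 30-day patch threshold, the business-hours window and the one-hour/eight-hour JIT lifetimes are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class AccessRequest:
    user_risk: str         # assumed scale: "low" | "elevated" | "high"
    recent_travel: bool    # User Risk: recent travel flag
    device_managed: bool   # Device Posture: "Managed" status
    patch_age_days: int    # Device Posture: days since last patch
    hour_utc: int          # Environmental Context: time of day
    location_allowed: bool # Environmental Context: geolocation check
    privileged: bool       # is this a privileged (PAM-governed) task?

@dataclass
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[datetime] = None  # JIT grant lifetime

JIT_PRIVILEGED_TTL = timedelta(hours=1)   # assumed: short-lived privileged grant
JIT_STANDARD_TTL = timedelta(hours=8)     # assumed: one working day
SAMPLE_NOW = datetime(2026, 1, 15, 14, 0, tzinfo=timezone.utc)  # constructed

def evaluate(req: AccessRequest, now: datetime) -> Decision:
    # Device posture: only managed, recently patched endpoints are admitted.
    if not req.device_managed:
        return Decision(False, "device not managed")
    if req.patch_age_days > 30:
        return Decision(False, "device patch level stale")
    # User risk: behavioural anomalies deny; travel blocks privileged work only.
    if req.user_risk == "high":
        return Decision(False, "user risk high")
    if req.privileged and (req.user_risk == "elevated" or req.recent_travel):
        return Decision(False, "privileged access blocked: elevated risk or travel")
    # Environmental context: allowed location, and business hours for privilege.
    if not req.location_allowed:
        return Decision(False, "location not allowed")
    if req.privileged and not (7 <= req.hour_utc < 19):
        return Decision(False, "privileged access outside business hours")
    # Every grant is time-boxed (JIT): permissions lapse without re-evaluation.
    ttl = JIT_PRIVILEGED_TTL if req.privileged else JIT_STANDARD_TTL
    return Decision(True, "granted", now + ttl)

def is_active(decision: Decision, now: datetime) -> bool:
    # A grant is usable only while allowed and before its JIT expiry.
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at
```

Every decision is re-derived per request from current attributes, which is the "fresh opportunity to verify trust" the Zero Trust mandate calls for.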

Governance and Federation

For external collaboration with agencies, commissions, other departments, and OMB, the procedure relies on identity federation. Using protocols like SAML 2.0 and OpenID Connect (OIDC), you establish trust with partner agencies and cloud service providers. This allows a user to "bring their own identity" (BYOID), perhaps issued by another agency or division, while you maintain centralized control over your own departmental authorization.

Ultimately, managing identity in a fungible perimeter requires moving from a static "check-at-the-door" model to a dynamic, lifecycle-based approach where every access request is a fresh opportunity to verify trust.

What Human Events Drive ICAM Processes?

At the best of times, personnel movement and hiring/firing are challenging for the whole process of identity management. A clean onboarding combined with specific security awareness training can go a long way to prevent breaches associated with a new user or a ghost certificate. Credential management should reflect permissions across all resources so that each user sees only approved resources at the appropriate level. This also goes for times of promotion, sideways movement, or cross-functional projects; ICAM managers need to document assurance that prior access has been changed, approved, or deleted.

Offboarding is its own set of steps in process and procedure, where the reverse needs to occur. Program Managers will need to work closely with Personnel and senior program leaders or executive sponsors to create a clear path to offboarding that covers not just official PIV and CAC revocation, but also revocation of permissions for online services, GovCloud information and datasets, and any local resources.

What Relocation Variables Impact ICAM?

Let’s say you are the program manager moving your organization from a Washington D.C. address to one out in Colorado or Utah. That is going to require new certificates, or updating all the previous ones, with new information. 

Workers may at any time require additional devices such as phones, tablets, laptops, or other specialized devices that do not have a card reader but still need credentials. This is specifically where derived PIV credentials may be issued through your federated identity management system. Workers may also be assigned to cross-functional projects needing additional access credentials added to existing ones. In parallel, a worker's job functions may change quickly through promotion or a sideways step into a new area, which requires a fast adjustment to credential permissions and privileges.

It is important to manage as much as you can from a single platform so that you can see, plan, and anticipate all the updates required with your vendors and services to ensure business continuity at the highest security levels.

What New Technologies will Impact ICAM in 2026 and Beyond?

Maybe today your team is running mostly on-prem servers and PC endpoints but increasingly you’re going to need to accommodate cloud-native services and mobile endpoints without card readers. Adding support for these items into your plan for cost-effective ICAM and PKI should be on your radar before the final decisions are made. 

You may also need to review the BOM with all your identity vendors to update your ICAM and PKI to newer systems and algorithms as potentially required for upcoming post-quantum cryptography compliance. For reference, you can find a list of currently approved Federal algorithms detailed here.

Government ICAM managers have more options today than ever before. Your ability to modernize your program so your team can do more with less will make you indispensable. Knowing what your options are will help you manage your ICAM and PKI programs more efficiently, effectively, and affordably. 

Speed and perception matter. Your agility and innovation will keep your department safe and secure as you move into 2026 and be ready for whatever happens next. 

Get Help from Axiad Conductor

Axiad Conductor is a FedRAMP Moderate ATO SaaS credential management solution for PIV-compatible use cases with advanced authentication requirements and PKI. It provides automation and management of user and machine identities/service accounts in an easy-to-use cloud solution that integrates with all your existing ICAM and PKI systems to streamline operations. The goal is to automate processes, reduce costly dependency on on-premises hardware and software, and make it easy to modernize systems, whether that means migrating to new solutions, improving existing systems, or sunsetting legacy ones.

Human error is understandable - but Axiad Conductor reduces human error by eliminating manual processes through an easier path to unified credential management. That means that instead of multiple manual steps of onboarding and offboarding between various vendors and technologies handled by multiple individuals or (potentially) departments, the entire identity credential authentication governance and assurance process can be automated and handled through a single interface. Automating ICAM with a unified identity and PKI system for enrollment, verification, issuance, revocation, and compliance will save hours of effort and potential failure for incoming and outgoing credentials alike. 

Use the Axiad Conductor solution to reduce your dependence on expensive on-premises ICAM and PKI for identity credentials and certificates. Whether your team is looking to the future for new ways to make do and function in a secure and compliant fashion with lower headcount, or just interested in how Axiad can help save your team time and money in 2026, feel free to reach out to us here to schedule a preliminary discussion.

To learn more about Axiad solutions for US Federal use cases, click here.