When planning to acquire Identity, Credential, and Access Management (ICAM) products and services, your agency must comply with specified regulations and policies.
Review the Approved Products Lists
The FIPS 201 Evaluation Program was developed to organize and define a standard approval process for Physical Access Control Systems and PIV credential card stockthese products and services. All required NIST validation and GSA testing must be met to be an approved product or service for Physical Access Control Systems and PIV credential card stock. You can find approved products, which have been demonstrated to meet NIST validation and GSA testing and have been qualified, on the FIPS 201 Approved Products List.
You can use multiple GSA Schedules to purchase a resource that’s included on the FIPS 201 APL. When you purchase these products, you must follow OMB Memorandum M-19-17 and use the FIPS 201 APL. It’s your responsibility to stay current on these changes and incorporate them into your planning during regular technology refresh cycles as part of the capital planning and budget process.
The Continuous Diagnostics and Mitigiation (CDM) Program also has an Approved Products List for the federal enterprise that includes additional ICAM capabilities. Section II of CDM encompasses tools and professional services implementation support for identity lifecycle management, identity governance tools, provisioning of accounts, privileged user access management, and enterprise authentication services (such as single sign on solutions).
Continuous Diagnostics and Mitigation tools and professional services can be purchased from GSA Schedules under IT Schedule 70, SIN 132-44.
Identify Contract Vehicles for ICAM Products and Services
In addition to the requirements governing federal acquisitions, there are other resources to support ICAM program acquisition include GSA Schedules and the PACS Customer Ordering Guide.
GSA Schedules are purchasing vehicles for a broad range of products and services. The resources available on the GSA Schedules have pre-approved vendors and pre-negotiated rates. You are not required to use GSA Schedules for acquisition, but they provide quick, flexible, and cost-effective procurement solutions and assist in compliance by including approved products. Here are some examples of common GSA Schedules:
IT Schedule 70
IT Schedule 70 is part of the Multiple Award Schedule (MAS) program and gives agencies direct access to commercial experts who can address the needs of the government IT community through a series of Special Item Numbers (SINs). These SINs cover most of the general-purpose commercial IT hardware, software, and services.
IT Schedule 84
IT Schedule 84 offers PACS-related security solutions for law enforcement, security, facility management, fire, rescue, clothing, marine craft, and emergency and disaster response.
You can purchase resources from both schedules to meet your ICAM implementation needs. For example, you could buy new credential readers for physical access control points from Schedule 84 and services from a system integrator from Schedule 70.
Using GSA Schedules provides the following benefits:
- More competitive rates and potentially lower costs. Regardless of the method used to access Schedules 70 and 84, GSA has already negotiated fair and reasonable prices for these products and services.
- Shorter procurement time. GSA Schedules offer streamlined procurement, as opposed to agency-negotiated contracts, which can be cumbersome and costly. Tools such as eBuy and GSA Advantage are available to assist in ordering from both Schedules.
- Reduced complexity and effort required to perform due diligence. If you purchase products not included on the FIPS-201 approved products list for PIV card stock and physical access control systems (PACS), you are responsible for ensuring that the products meet all applicable federal standards and requirements, ensuring the products conform to applicable federal standards, and maintaining a written plan to ensure ongoing conformance for the life cycle of the components.