The main product of the Capital Planning and Investment Control (CPIC) process is the Exhibit 300, a document explaining the capital asset plan and business case. Your agency will write and review Exhibit 300s annually for both new and existing capital investments. The following sections describe the areas your agency will need to consider to construct an Exhibit 300 for your Identity, Credential, and Access Management (ICAM) program.
Enterprise Approach for ICAM Investments
Traditionally, some agencies submit separate Exhibit 300 investment requests for various ICAM activities, such as PIV credentialing, Enterprise Single Sign On, physical access control systems (PACS) modernization, or enterprise identity management solutions. In budget submissions, you should coordinate your capital planning efforts across ICAM workstreams and Exhibit 300 business cases. This coordination helps reduce redundant ICAM investments across agency components or bureaus.
Enterprise ICAM Solutions in CPIC Processes
Identify the criteria your agency uses to decide whether an investment is ICAM-related (for example, whether it creates or manages identities, issues or validates credentials, or enforces access to resources), and communicate any changes to those criteria to the relevant stakeholders and CPIC process participants.
The following list includes things you should consider in each phase of the standard CPIC process.
- Preselect. Assess the business needs and resource requirements for the investment. Investment business plans should state how the investment will use the PIV credential for authentication as part of its security planning, and should educate the Investment Review Board on ICAM requirements.
- Select. Select investments that best support the mission and approach. Review your ICAM investment for alignment with the FICAM Architecture relative to accounts, authentication, access control, and auditing capabilities. You should evaluate investment data architecture to prevent redundancies in identity data collection.
- Control. Use quality control and executive review to ensure your ICAM investments will deliver the projected benefits. You should make sure your agency’s investment aligns with your agency’s ICAM infrastructure. You should also oversee integration with enterprise ICAM services.
- Evaluate. Analyze whether the investments have delivered expected results while remaining cost effective. Investments should demonstrate return on investment (ROI) through the use of ICAM infrastructure security services. You should also determine opportunities to improve efficiency and update investments as enterprise ICAM capabilities mature.
The following table includes common ICAM-related cost categories that you can use to help determine and report your agency’s ICAM costs in an organized manner.
| Cost Category | Description |
|---|---|
| New User Identity Assurance | Costs associated with identity proofing new users at the necessary identity assurance levels for enterprise users and public users (for mission applications). |
| Integration | Integration costs from contractor services and additional software or hardware required for testing. |
| Software | Cost of software, including licenses and maintenance fees, that could be decommissioned or redeployed across all environments for development, testing, and production. |
| Service Desk | Costs associated with the number of password-related calls received by an agency. |
| IT Operations Services | Costs of backups, monitoring, new development, and enhancements across all environments for development, testing, and production. |
| Training | Costs associated with training and creating or acquiring materials for new software and services installation, integration, maintenance, business processes, and end-user support. |
| Policy Compliance | Costs associated with bringing the system into compliance with ICAM policies. |
Funding for ICAM Solutions
Funding and implementing an ICAM investment can be challenging when the equipment and services are purchased centrally but used across many components. Here are some approaches that other agencies have taken to fund their ICAM workstreams:
- Incorporate costs into existing investments. You don’t need a separate investment for an implementation like an enterprise Physical Access Control System (PACS) solution. You can include the costs for PACS modernization into an existing business case.
- Investment business case. Create a new investment request to fund an ICAM workstream implementation at the enterprise level. This business case should include details of how the proposed investment would support the agency’s mission.
- Working capital fund. Use a revolving fund that finances operations from the receipts they generate, rather than from an annual appropriation by Congress. This funding method works well for an agency that offers an enterprise PACS as a centralized service and has a cost recovery structure across the agency’s bureaus or components.
Evaluate Factors to Estimate Solution Cost
After you choose a solution, you can estimate costs. The following tables include common characteristics that you should examine not only to determine expenses but also to compare the potential cost savings of various solutions.
Physical Access Control Systems (PACS) Evaluation Factors
| Evaluation Factor | Description |
|---|---|
| Facility Size | The number of users requiring access to a facility impacts the level of administrative effort needed to provision user accounts and manage access privileges. |
| PACS Service Level | Determine whether you should explore enterprise-level solutions. For example, an agency hosting a PACS server for its bureaus and components can provide cost savings and better efficiency. |
| Population Analysis | Examine user populations (for example, employees, contractors, and federal and non-federal facility tenants) to determine the types of groups requiring access. Consider complex user populations when you decide which PACS solution to implement. Also, consider the ability to scale as modernization continues and your user base changes over time. |
| Number of PACS | The number of physical access control systems within an agency often dictates implementation time and can significantly affect implementation cost, depending on each system’s connection requirements. |
| Type of PACS | The type of PACS varies based on the vendors, platforms, operating systems, products, and databases that are in use across your organization. These variables impact the complexity of integrating resources with the PACS infrastructure and require different integration processes. |
| Existing PACS Investments | Your agency may have investments in place that can provide physical access services consistent with the modernized ICAM segment architecture. You should use those investments when possible, as they can help achieve a modernized PACS state without requiring significant new investment from the organization. |
| Credentials Supported | Examine the types of credentials that the PACS must support (including PIV-I) and incorporate any costs associated with validating acceptable credentials. |
| Protection Areas | Consider the number or combination of protection areas (Controlled, Limited, or Exclusion) when determining program costs. For example, a high number of Exclusion areas may increase costs due to the added level of access control required to protect those areas. |
LACS Evaluation Factors
Logical access control system (LACS) projects give your agency the potential for significant ROI in the form of cost avoidance, reallocation of resources, productivity gains, and reduced administrative burden. To realize these benefits, when you plan a new or modify an existing LACS investment, you should assess your agency’s organizational structure, identity stores, access control processes, and IT resources.
| Evaluation Factor | Description |
|---|---|
| Organizational Size | The number and type of users requiring access to agency IT resources, as well as the turnover rate of users, significantly impacts the level of administrative effort required to provision user accounts and manage access privileges. |
| Cost Effectiveness | Evaluate the ROI that your agency would gain compared to the upfront investment costs when planning for a LACS investment. |
| Complexity of User Population | Organizations with complex user and role management requirements should consider LACS solutions that offer services in these areas. Addressing user management complexity in the LACS design can streamline existing processes that would otherwise significantly increase implementation costs. The availability and number of existing user repositories can also impact implementation costs. |
| Number of IT Resources | The number of IT resources within an agency often dictates implementation time and can significantly affect implementation cost, depending on the resources’ connection requirements. |
| Type of IT Resources | The type of IT resources varies based on the platforms, operating systems, products, and databases that are in use across the organization. These variances impact the complexity of integrating resources with the LACS infrastructure and require different integration processes. |
| Complexity of Integrating with IT Resources | Resource integration complexity is a combination of several factors, including the age of the resource, underlying infrastructure, operating requirements, and user base. These factors indicate how complex it can be to integrate some resources into the modernized LACS infrastructure. Large numbers of complex resources (including mainframe applications) can rapidly increase overall implementation costs. At a high level, the complexity and cost associated with common application types can be grouped as follows: web-based applications (low to moderate complexity); client/server applications (moderate to high complexity); distributed applications (varied complexity); mainframe/legacy applications (high to very high complexity). |
| Business Goals/Drivers | Internal agency policies, business needs, and required compliance with external federal policies and regulations drive requirements for LACS solutions. Some solutions, while inexpensive, may not create long-term cost savings and may prevent the organization from meeting certain business goals. |
| Workflow Requirements | Examine the complexity of manual and semi-manual workflows used to provision user accounts and access privileges to IT resources. The number and complexity of an agency’s workflows impact the schedule and labor costs associated with implementing some LACS solutions. |
| Organizational IT Infrastructure | Some platforms and operating environments, particularly ones that leverage legacy products, may require additional support or custom configuration to achieve the maximum benefit from LACS solutions. This includes potential costs associated with networking LACS components and high-availability components. Environments that use non-standard operating systems may require additional investment to integrate into a modernized LACS infrastructure. |
| Vendor Product Compatibility and Interoperability with Existing Infrastructure | If your agency is considering a commercial off-the-shelf (COTS) identity and access management (IAM) product suite, you should assess the integration approach of these products for interoperability and find the best fit for your agency. You should also investigate the availability of enterprise software licenses, as these can significantly lower acquisition costs and influence your agency’s make-or-buy decision. |