Examples and Guidance

We recommend leveraging existing resources to establish your Identity, Credential, and Access Management (ICAM) program and define roles and responsibilities across the enterprise.

On this page, you’ll find guidance to help you implement your ICAM program:

Agency Examples

Governance Structure

The figure below provides an example of an ICAM governance and program management structure implemented by the Department of Health and Human Services (HHS).

[Figure: HHS ICAM Governance Structure]

ICAM PMO Charter

For an example of an ICAM Program Management Office (PMO) charter, download the HHS ICAM PMO Governance Charter (MS Word, May 2019).

Authorities to Consider

Executive Order (EO) 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

EO 13800 provides requirements to strengthen the cybersecurity of federal networks, including holding agency heads accountable for managing cybersecurity risk to their enterprises.

“Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.” - EO 13800 - Section 1,b,v.

NIST Risk Management Framework

The NIST Risk Management Framework (RMF) provides an approach to managing organizational risk.

Federal Information Technology Acquisition Reform Act (FITARA) and OMB M-15-14

FITARA, a U.S. law passed in December 2014, gives federal agency CIOs significant roles in IT investments, including:

  • Annual and multi-year planning
  • Budgeting
  • Reporting
  • Management
  • Governance
  • Oversight functions

M-15-14 provides implementation guidance for FITARA and assists agencies in establishing effective governance.