Risk Management

You’ll need to actively identify and mitigate threats to program operations, and involve the entire program management team in this process. Follow the recommendations below to learn how to develop an Identity, Credential, and Access Management (ICAM) risk management program.

Develop a Risk Management Program

First, identify your agency’s policies and practices surrounding risk management. You should also be proactive in threat assessment and avoidance to ensure the continued efficiency, profitability, and success of your agency’s ICAM program.

Characteristics of a Risk Management Program

  • Allows stakeholders at all levels of the project to identify risks.
  • Establishes processes to determine mitigation approaches for identified risks.
  • Assigns owner(s) of potential risk and defines responsibilities.
  • Documents an escalation path to flag and resolve risks, up to, and including, executive leadership.
  • Tracks risk mitigation effort and effectiveness.
  • Shares reports on risk status to organizational leadership.

Develop a Risk Management Plan

Develop a risk management plan that defines the way your agency’s ICAM program measures risk. This plan should provide a process to identify risk, respond appropriately, and assign roles and responsibilities for various stages in the process. Leverage your agency’s existing risk management tools or commercial solutions to manage and track risks.

Develop a Risk Register

A leading practice in risk management is the use of a risk register, or risk log, which will help you manage, assign, and track risk events. The risk register usually includes:

  • A description of the risk event.
  • The date the event occurred.
  • How the event was resolved.
  • The effectiveness of the resolution.
  • The name of the event owner.

Regularly review and update the risk register.

Common Program Risks

The table below summarizes some common ICAM program risks and sample mitigation approaches.

Budget
  Risk: If agency budgets don’t include ICAM activities, adequate funding may not be available for modernization efforts, and the agency won’t be able to meet requirements and deadlines for the FICAM Architecture.
  Mitigation:
  • Develop a consolidated ICAM business case and funding request.
  • Communicate funding needs to the agency OCFO and explore existing funding sources within the agency.
  • Determine whether internal funding, for example working capital, can be routed to ICAM efforts.

Governance
  Risk: If the agency’s ICAM transition plan doesn’t gain support and adoption at the Assistant/Deputy Secretary level, including required compliance, the agency won’t receive coordination and support from the necessary stakeholders to move forward with implementation.
  Mitigation:
  • Establish a governance structure for ICAM.
  • Develop a communications plan.

Transition Deadlines
  Risk: If the agency doesn’t meet the scheduled transition activity milestone dates, there may be funding impacts for ICAM and other agency systems.
  Mitigation:
  • Provide realistic completion targets to OMB for ICAM activities, based on an agency FICAM Architecture analysis, in the ICAM transition plan.

Implementation Deadlines
  Risk: If the bureaus/components fail to adopt enterprise ICAM services in a timely manner, there will be delays to overall agency ICAM implementation and compliance.
  Mitigation:
  • Dedicate ICAM program management resources and program funding to gain stakeholder buy-in and support implementation requirements and efforts.

Staffing
  Risk: If the agency is unable to staff dedicated resources with the necessary technical knowledge, the agency will be unable to execute technical implementation successfully, and the program schedule will lag.
  Mitigation:
  • Leverage cross-agency ICAM expertise via working groups and outreach to supplement staff knowledge.
  • Include a hiring plan in the ICAM acquisition plan to ensure you have staff with the necessary skills.

Outreach
  Risk: If the user population doesn’t accept ICAM efforts, the agency won’t be able to meet FICAM requirements and deadlines.
  Mitigation:
  • Dedicate additional ICAM program management resources and program funding to increase communication and promote awareness.

Supply Chain
  Risk: If the ICAM solution vendor(s) go out of business, the agency may experience program delays or additional costs to migrate to new solutions.
  Mitigation:
  • Include supply chain risk management in the ICAM program acquisition plan and identify alternative solution providers.
  • Use approved vendors and products from established acquisition vehicles.
  • Include activities for compiled software escrow and source code escrow.

Perform a Security and Risk Management Assessment

A risk assessment helps you determine the security needed for information systems by assessing the risk level of each system. Your ICAM solution can support innovative approaches to IT risk management by using organization-wide services to support information system security controls. Using common services significantly streamlines the accreditation process.

Apply the Risk Management Framework

Your agency’s information systems must meet Federal Information Security Management Act (FISMA) requirements, including the Risk Management Framework (RMF) defined in NIST SP 800-37. The RMF helps you build information security capabilities into your agency’s information systems so that you can monitor the real-time security status of those systems and give agency leadership the information it needs to make risk-based decisions.

Manage Accountability and Control

Management accountability is the expectation that managers are responsible for ensuring program performance quality and timeliness, increasing productivity, controlling costs, and mitigating threats to agency operations.

Use ICAM-Specific Evaluation Criteria

You should model your criteria after the FICAM Architecture for controlling ICAM program costs and increasing efficiency. The performance architecture defines clear areas for managing and evaluating program alignment with the FICAM Architecture by identifying quantitative measures for evaluating ICAM program success.

Use the following criteria as a starting point to evaluate your ICAM program:

  • Elimination of manual, paper-based processes to collect identity data.
  • Compliance with acquisition guidance for PIV credential products and services.
  • Adoption of standards-based, commercially available ICAM products and services.
  • Streamlining of provisioning and authentication services through enterprise capabilities.
  • Coordination of ICAM program management and investment across supporting projects.

OMB Memorandum M-16-17 includes, as a control, separation of duties for various functions. An enterprise Logical Access Control System (LACS) service can detect conflicts and recommend corrective actions. You can also use your LACS as an enterprise auditor, providing more visibility to control access to systems and sensitive information and to evaluate compliance with policy and applicable law across the enterprise.
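The kind of separation-of-duties check an enterprise LACS auditor performs, shown as an added example that is not part of the playbook or any LACS product: the entitlement names, role definitions, user assignments and conflicting pairs are all constructed for illustration, and roles are expanded so a toxic combination split across two roles is still caught.

```python
from itertools import combinations

# Constructed SoD policy: pairs of entitlements one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"user.provision", "access.certify"}),
}

# Constructed role definitions: role -> entitlements the role grants.
ROLES = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve", "invoice.enter"},
    "IDM_ADMIN": {"user.provision"},
    "ACCESS_REVIEWER": {"access.certify"},
}

# Constructed user-to-role assignments (hypothetical users).
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],       # conflict arises only across two roles
    "bob": ["AP_CLERK"],
    "carol": ["IDM_ADMIN", "ACCESS_REVIEWER"],
}


def find_sod_conflicts(assignments, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Return {user: [(entitlement_a, entitlement_b), ...]} for every user whose
    effective entitlements (union over all assigned roles) contain a conflicting pair."""
    findings = {}
    for user, user_roles in assignments.items():
        effective = set().union(*(roles.get(r, set()) for r in user_roles))
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= effective]
        if hits:
            findings[user] = sorted(hits)
    return findings


def recommend(user, assignments, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Corrective action: the smallest set of roles whose removal clears the user's
    conflicts (empty list when the user is already clean)."""
    user_roles = assignments[user]
    if not find_sod_conflicts({user: user_roles}, roles, conflicts):
        return []
    for k in range(1, len(user_roles) + 1):
        for drop in combinations(user_roles, k):
            remaining = [r for r in user_roles if r not in drop]
            if not find_sod_conflicts({user: remaining}, roles, conflicts):
                return sorted(drop)
    return sorted(user_roles)
```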