This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system conforms to FICAM-issued profiles.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange). Related control: SA-4.
References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Special Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Related Controls: None.
38North Guidance:
Meets Minimum Requirement:
Conforms to FICAM-issued profiles
Best Practice:
Implement the capability to allow only FICAM-approved third-party credentials, such as CAC/PIV, for customers accessing the system/application being offered in the FedRAMP environment.
U.S. Government FICAM Solution guidance.
U.S. General Services Administration guidance.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of system/application configurations that demonstrate the capability that customers can support FICAM credentials.
CSP Implementation Tips: TBD