Office of the Chief Information Officer

United States Department of Agriculture

Identity, Credential, and Access Management Services - ICAM

Identity, Credential, and Access Management Services Section picture of the ICAM Icon



Service Description

ICAM (Identity, Credential, and Access Management) provides enterprise-class services for managing digital identities, credentials, and access to systems and applications. These services include centralized identity lifecycle management, role management for access control, automated account and access provisioning and de-provisioning, and electronic identification of employees, partners, and customers, for access to applications and system.

What Is Included

ICAM Base Services


The USDA eAuthentication service protects web application, and web application programming interface (API) resources through centralized credentialing, multi-factor authentication, single sign-on, and authorization services.

The eAuthentication service supports both internal employee-facing applications as well as external citizen-facing applications that service USDA customers and partners. For external customers, the service supports a range of credential types tailored to application risk profiles, from simple username\password credentials to strong multi-factor authentication with identity verification. For internal users, the service enables strong PIV (LincPass) based credentials. The eAuthentication service meets NIST and OMB standards for identity and access management.

USDA eAuthentication also supports federated authentication, enabling external trusted partners and non-USDA federal agencies to access authorized USDA resources using existing credentials..

  • User Authentication:
    • Securely authenticate users to web-based applications as well as web services and application program interfaces (APIs) and using secure department-approved credentials.
    • Single Sign-On (SSO) to any participating web application, eliminating the need for users to remember multiple user names and passwords for each application they access.
    • Provide secure access to applications and APIs for both USDA employees and contractors, as well as external USDA customers and partners.
  • User Authorization:
    • Role-based access control (RBAC) and attribute-based access control (ABAC) providing course-grained authorization tailored to each application’s unique business requirements.
  • Account Registration and Management:
    • Automatic account creation for USDA employees and contractors, improving “time to productivity”.
    • Self-registration for external customers and partners for Assurance Level 1 and 2 public-facing applications.
    • Identity proofing (verification) services for public citizens, both remote/online and in-person providing a higher assurance in user identity.

Back to Top

Enterprise Entitlements Management Service (EEMS)

The USDA Identity, Credential and Access Management (ICAM) Program provides a common, standardized, and trusted solution for digital identity and access management across the USDA enterprise.

The ICAM Enterprise Entitlements Management Service (EEMS) is an enterprise-wide solution that centrally manages the identity, entitlements, and roles of all USDA “persons” (including employees, contractors, partners, affiliates, and customers). EEMS manages access control policies and provides automated provisioning, management, and de-provisioning of both identities and access entitlements across USDA enterprise and agency IT systems.

EEMS benefits identity lifecycle management by providing a repository of identity data, roles, and entitlements to make access decisions accurately and consistently 24x7x365 monitoring and incident resolution will improve management of user identities and entitlements including the automation of provisioning and de-provisioning. EEMS also provides crucial A-123 and FISMA auditing, reporting, and regulatory compliance.

By improving the speed, efficiency, and accuracy of identity management, EEMS provides cost savings of unneeded manual processes; EEMS reduces the business risk exposure of USDA networks and data.

  • Identity Lifecycle Management (ILM):
    • Workflow engine to manage the on-boarding, off-boarding, transfer, access requests, and security events for USDA employees and contractors.
    • Flexible business rule engine to streamline and automate access management.
    • Integration with authoritative identity sources for accurate and timely information.
  • Authoritative Attribute Exchange (AAX):
    • Automated provisioning and de-provisioning of accounts based on customized business rules.
    • Synchronization of attributes and access permissions from authoritative data sources.
    • Web service API for customized integration with agency applications.
  • Role and Entitlement Management:
    • Role based access control (RBAC) enables dynamic authorizations based on the presence of predefined attributes.
    • Workflow-based approvals and notifications for granting access.
    • Automated access revocation based on agency business rules.
    • Integrated with the eAuthentication Service for authorization to web and mobile applications.

Enterprise Public Key Infrastructure

The USDA Enterprise Public Key Infrastructure (EPKI) enables a department-wide trust model of internally issued PKI certificates for secure websites, web services authentication, code signing, or other uses. EPKI enables LincPass (PIV) authentication to USDA Windows Active Directory domains and supports issuance of PKI-based user credentials.

  • Secure key storage in dedicated cryptographic hardware security modules (HSM).
  • Issuance of customer-specific certificate authorities with private keys protected by redundant HSM appliances.
  • Centralized and highly available certificate revocation list (CRL) distribution point.
  • A highly redundant infrastructure providing automated failover and redundancy across multiple geographically separated enterprise data centers.

For All Services a Highly Available & Reliable Environment

  • Highly available and scalable architecture.
  • Automated load balancing and fail-over capacities across multiple data centers (select services).
  • 24x7x365 monitoring and incident response.

eAuthentication Integration Services

  • Work with agency customers to integrate endpoint systems and applications with eAuthentication capabilities for authentication and authorization services.
  • Includes services time to analyze customer requirements, complete integration design, and implement eAuthentication security policies, and deploy eAuthentication software in the customer environment, when needed.
  • Ongoing support and maintenance of agency integrations, including eAuthentication software update\refresh, updates to application eAuthentication security policies, and 24x7 monitoring and technical support.

Back to Top

Other Services

EEMS Integration Services

  • Work with agency customers to integrate endpoint systems and applications with EEMS capabilities for identity lifecycle management, authoritative attribute exchange, and role\entitlement management. Includes services time to analyze customer requirements, complete integration design, and development\deploy agency specific configuration and policies.
  • Ongoing support and maintenance of agency integrations

eAuthentication API Security (APISEC)
APIs (application programming interfaces) have become essential to USDA’s digital transformation by enabling applications to talk to each other and share data with other authorized applications. As the “connective tissue” between applications, unsecured APIs present a significant risk to USDA systems and data.

The eAuth API Security service is an additional capability providing security and management of API’s and web services to internal, SaaS, and internet based consumers and applications. By combining policy based API security with ICAM policy enforcement, role based access and strong authentication, the API security service enables agencies to better manage and secure their APIs and enables greater collaboration between systems, business units, and customers.

  • API Authentication & Authorization:
    • Control access to APIs with SSO and identity management.
    • Strong authentication options for users or service accounts processing web service or API transactions.
    • Logging and auditing of all authentication events.
    • Flexible role and rule based access control to APIs and web services.
  • API Management and Security:
    • Protocol transformation (e.g. SOAP to REST, XML to JSON, etc.).
    • API rate limiting and denial of service protection (throttling).
    • Message schema validation for threat detection, content filtering, and protection against OWASP vulnerabilities.
    • Complex API orchestration and aggregation across both structured and unstructured data sources.
    • API traffic management, caching, and compression.
  • Highly Available Secure Infrastructure
    •  Redundant and load balanced clustered appliances.
    • Internal and external facing clusters.
    • FIPS 140-2, PCI, DISA STIG certified appliances.
  • Flexible Administration & Management Options
    • Choice of agency administered “tenant” or a fully managed service.

Professional Services
Also available are Professional Services to support agencies in custom development or implementations not specifically listed above.

How We Charge

  • For ICAM base services, a per-seat cost will be charged for all USDA staff (e.g., employees, contractors, volunteers, interns). This cost is based on an aggregate of all USDA staff who have an active employment relationship with USDA at any time (and for any length of time) during the invoice sampling period.
  • For eAuthentication integration services, a per-application subscription cost will be charged for each application integrated in the production environment. Charges are effective the fiscal year following the integration completion. There is no upfront cost to integrate with eAuthentication.
  • For other services not specifically listed above, integration and support charges will be assessed based on the complexity\scope of the integration or project.

Service Level Metrics

Identity, Credential, and Access Management Services Performance Measures

Performance Performance Measure Performance Target
ICAM eAuthentication Availability Actual # of Operating Minutes that Core Production eAuthentication is running and available to customer agency users ÷ Total Scheduled Operating Minutes. (Planned outages excluded.) 99.9%
ICAM EEMS Availability Actual # of Operating Minutes that Core Production EEMS is running and available to customer agency users ÷ Total Scheduled Operating Minutes. (*Planned outages excluded.) 99.5%
ICAM Enterprise PKI Availability Actual # of Operating Minutes that Core Production EPKI is running and available to customer agency users ÷ Total Scheduled Operating Minutes. (*Planned outages excluded) 99.9%

Measurement Tool - ICAM AlertSite

NOTE: ICAM services utilize the USDA Universal Telecommunication Network (UTN) for Wide Area Network services. The UTN is contractually guaranteed to be 99.9% available but has historically delivered 99.997% availability.

Cost Saving Tips

  • Use of a centralized credentialing and authentication system like USDA eAuthentication provides considerable resource, infrastructure, and development cost savings while simplifying compliance.
  • Include eAuthentication integration requirements early in the application design process or in the definition of acquisition requirements to ensure a smooth and cost effective integration.
  • Share licensed applications across agencies to leverage the cost of the license across many users.
  • Engage CTS early in the scoping phase of a new project to identify volume, geography, security requirements, etc.
  • Early planning with the ICAM Program Office will reduce project length, development costs, and rework.

Additional Information

For general eAuthentication information:

For eAuthentication integration information:

For LincPass general information:

Visit the ICAM Community on USDA Connect (login required)

For ICAM service information, please contact: