Identity is the new perimeter — federal edition
Federal identity engineering is its own discipline. It is not commercial SSO with a government skin. It is the binding of a vetted human or non-person entity to a credential rooted in HSPD-12, governed by OMB M-19-17, gated by NIST SP 800-63 assurance levels, federated through SAML 2.0 or OpenID Connect to mission applications running in FedRAMP-authorized environments, and audited through a continuous lifecycle from onboarding to separation. Get any layer wrong and the entire Zero Trust architecture downstream is built on sand.
Precision Delivery Federal builds federal Identity, Credential, and Access Management programs that align to the FICAM Architecture, the FICAM Playbook 4.x, OMB M-19-17 enterprise identity services, NIST SP 800-63-3/-4 assurance levels, FIPS 201-3 PIV requirements, and the identity pillars of OMB M-22-09 and the DoD Zero Trust Reference Architecture. Every component traces back to a published federal control or guidance document.
The FICAM service model, engineered
The Federal Identity, Credential, and Access Management Architecture defines five service categories. We deliver against each with named components, not slideware:
- Identity Management. Authoritative source of record integration with HR systems (NFC, DCPDS, FPPS, USA Staffing), enterprise person registry, identity proofing workflows, sponsor and registrar processes, identity lifecycle automation, and birthright vs request-based access modeling. We build the master person index, not just an identity store.
- Credential Management. PIV credential issuance integration with the agency's PCI (PIV Card Issuer), Derived PIV credential lifecycle per NIST SP 800-157, FIDO2 security key fleet management, certificate authority integration with the Federal Common Policy CA and DoD PKI, and revocation propagation through OCSP and CRL.
- Access Management. Centralized authentication via Okta Identity Cloud for Government or Entra ID GCC High, attribute-based and policy-based access control, just-in-time privilege elevation through CyberArk or BeyondTrust, session brokering to infrastructure through HashiCorp Boundary or Teleport, and continuous session evaluation.
- Federation. SAML 2.0 and OpenID Connect federation to mission applications, cross-agency federation through MAX.gov, Login.gov, and the GSA Single Sign-On services, B2B federation with industry partners, and the federation policy and trust framework that makes any of it auditable.
- Governance. Identity governance and administration through SailPoint IdentityIQ or Saviynt, periodic access certification, segregation of duties enforcement, role mining, and the audit trail that turns ICAM from operations into a compliance asset.
PIV, CAC, and derived credentials
HSPD-12 from August 2004 is the parent directive. FIPS 201-3 from January 2022 is the current technical specification. NIST SP 800-73-5 covers the card interface, 800-76-2 covers biometric data, 800-78-5 covers cryptographic algorithms, and 800-157 covers Derived PIV Credentials for mobile devices. We build to all of them.
For civilian agencies we integrate the agency's PIV card issuance with Okta or Entra ID for primary authentication, with smart card login to Windows endpoints via the Microsoft PIV/CAC middleware, with macOS via SmartCardServices, and with Linux via OpenSC and PAM. For DoD environments we deliver the same patterns against CAC and the DoD PKI. For mobile and BYOAD users we deploy Derived PIV credentials into Microsoft Authenticator, Entrust IdentityGuard Mobile Smart Credential, or YubiKey 5 FIPS hardware tokens — bound to the user's PIV identity per 800-157, with the credential management lifecycle wired into the agency's existing PCI processes.
Where agencies want to layer phishing-resistant MFA alongside PIV — for example, to give external partners a path to AAL3 without issuing them PIV — we deploy FIDO2/WebAuthn with hardware security keys (YubiKey 5 FIPS series, Feitian ePass FIDO NFC K9, Google Titan) and map authenticator references into the access policy so risk-adaptive step-up always picks the strongest available authenticator.
NIST SP 800-63 assurance levels
Federal digital identity guidance lives in three companion documents: 800-63A on identity proofing, 800-63B on authenticators, and 800-63C on federation. We implement to the published Revision 3 today and are tracking the Revision 4 draft (currently in second public draft) for changes to syncable authenticators, fraud detection signals, and remote identity proofing methods.
- IAL1, IAL2, IAL3. Identity assurance from self-asserted to in-person or supervised remote proofing with biometric capture. IAL2 supports remote proofing with verified credential and biometric. IAL3 requires in-person or supervised remote with strong evidence and biometric.
- AAL1, AAL2, AAL3. Authenticator strength from single-factor to multi-factor cryptographic hardware. PIV, CAC, and FIDO2 hardware tokens reach AAL3. Software-only TOTP is AAL2 at best and is being deprecated in 800-63-4 for many federal use cases.
- FAL1, FAL2, FAL3. Federation assurance from bearer assertions to holder-of-key bound assertions. We deploy FAL2 with audience-restricted, signed, encrypted assertions and FAL3 with proof-of-possession bound to a hardware key for the highest sensitivity federations.
Okta Identity Cloud for U.S. Government
Okta IC4G operates in a FedRAMP High authorized boundary and is DoD IL4 authorized. We deploy Okta IC4G for civilian agency workforce identity with: PIV/CAC primary authentication via Okta's smart card support, FIDO2 secondary, Okta Identity Governance for joiner-mover-leaver automation, Okta Privileged Access for session-brokered server and database access, Okta Workflows for orchestration of approvals and provisioning, and Okta FastPass for phishing-resistant device-bound authenticators on managed endpoints.
Microsoft Entra ID in GCC High and DoD tenants
For agencies on Microsoft 365 GCC High or DoD, we deliver Entra ID with: certificate-based authentication for PIV/CAC, Conditional Access policies tied to device compliance from Intune, Privileged Identity Management for time-bound elevation, Entra ID Governance for access reviews and lifecycle workflows, Entra Verified ID for cross-agency credential exchange, and Entra Permissions Management for cloud infrastructure entitlement governance across Azure Government, AWS GovCloud, and Google Cloud Assured Workloads.
Federation, partner identity, and Login.gov
For public-facing services we integrate Login.gov as the citizen identity provider at IAL2/AAL2, with the option to step up to IAL3 through Login.gov's evolving in-person proofing partnerships. For cross-agency workforce we use MAX.gov federation and the GSA federation broker. For industry partner access we deploy SAML 2.0 or OIDC trust with strong assertion signing, encryption, audience restriction, and short token lifetimes, plus continuous monitoring of partner posture per the FICAM Trust Framework Solutions criteria.
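The FAL2 assertion checks described in the assurance-level section and again here for partner federation (signed assertion, issuer check, audience restriction, short token lifetime) come down to a fixed validation order on the relying-party side. The following is an added example, not code from Precision Delivery Federal or from any IdP product: it mints and validates an OIDC-style JWT. It uses HS256 with a constructed shared key so it runs offline; a real federation would verify RS256/ES256 signatures against the IdP's published JWKS keys, and the assertion encryption (JWE) that FAL2 also calls for is not shown. The issuer, audience, subject, and clock values are all constructed.

```python
"""Assertion validation for an OIDC-style signed token (added example).

Shows the FAL2 checks the page lists: signature verification, issuer check,
audience restriction, and a short token lifetime. Uses HS256 with a
constructed shared key so it runs offline; a real IdP federation would use
RS256/ES256 with the IdP's published JWKS keys, and FAL2 assertion
encryption (JWE) is out of scope here."""
import base64
import hashlib
import hmac
import json

# Constructed values: not a real issuer, relying party, or key.
ISSUER = "https://idp.example.gov"
AUDIENCE = "https://case-mgmt.example.gov"
SHARED_KEY = b"constructed-shared-key-do-not-reuse"
NOW = 1_700_000_000            # fixed clock so results are deterministic
MAX_LIFETIME = 300             # seconds; the "short token lifetime" policy
CLOCK_SKEW = 60                # seconds of tolerated clock drift


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Produce header.payload.signature. The alg parameter exists only so the
    demo can show an unsigned ('alg: none') token being rejected."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token, key, expected_iss, expected_aud, now, max_lifetime=MAX_LIFETIME):
    """Return (True, claims) or (False, reason). Checks run in the order a
    relying party should apply them: structure, algorithm, signature, claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return False, "undecodable"
    # Pin the algorithm; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        return False, "algorithm not allowed"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if claims.get("iss") != expected_iss:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return False, "missing iat/exp"
    if exp <= now - CLOCK_SKEW:
        return False, "expired"
    if iat > now + CLOCK_SKEW:
        return False, "issued in the future"
    if exp - iat > max_lifetime:
        return False, "lifetime exceeds policy"
    return True, claims


def demo():
    """Validate a set of constructed tokens; returns the outcome per case."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "piv:0123456789",
            "iat": NOW, "exp": NOW + MAX_LIFETIME}
    cases = {
        "good": mint_token(base, SHARED_KEY),
        "wrong_aud": mint_token({**base, "aud": "https://other.example.gov"}, SHARED_KEY),
        "long_lived": mint_token({**base, "exp": NOW + 86400}, SHARED_KEY),
        "alg_none": mint_token(base, SHARED_KEY, alg="none"),
        "wrong_key": mint_token(base, b"some-other-constructed-key"),
        "expired": mint_token({**base, "iat": NOW - 1000, "exp": NOW - 700}, SHARED_KEY),
    }
    return {name: validate_token(tok, SHARED_KEY, ISSUER, AUDIENCE, now=NOW + 30)
            for name, tok in cases.items()}
```

The lifetime check is the one most often missing in practice: a token that is signed, unexpired, and addressed to the right audience can still violate the "short token lifetimes" requirement if the IdP issued it with a day-long validity, so the relying party enforces the ceiling itself rather than trusting the issuer's configuration.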
Privileged access and non-person entity identity
Privileged human identity is governed through CyberArk Privileged Access Manager, BeyondTrust Privileged Remote Access, or Delinea Secret Server — depending on the agency's incumbent stack — with vault-based secrets, session recording, and just-in-time elevation. Non-person entity identity (services, workloads, scripts, machine accounts) moves to SPIFFE/SPIRE workload identity, HashiCorp Vault for secrets, and AWS IAM Roles Anywhere or Azure Workload Identity Federation so secrets are never long-lived and never hardcoded.
How ICAM feeds Zero Trust
Under OMB M-22-09 and the DoD Zero Trust Reference Architecture, identity is pillar one. Every other ZT pillar consumes identity attributes. Our ICAM designs publish a clean Policy Information Point feed of user identity, group membership, role assignment, device posture (joined to identity through certificate-based device authentication), behavioral signal, and risk score. The Policy Decision Point — Okta, Entra Conditional Access, or a custom OPA/Cedar engine — uses that feed to make per-session decisions enforced at the application gateway, the service mesh, or the data access layer. See our Zero Trust Architecture capability for the downstream picture.
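To make the PIP-to-PDP flow concrete, and to tie in the AAL mapping from the SP 800-63 section and the "step-up always picks the strongest available authenticator" rule from the PIV section, here is an added example of a minimal Policy Decision Point. It is not Okta, Entra Conditional Access, OPA, or Cedar policy syntax, and not Precision Delivery Federal's code. It derives the session AAL from the authenticators used (following the page's 800-63B summary), checks role, device posture bound to identity, and risk score, and returns allow, step-up, or deny. The authenticator names, risk thresholds, and sample users are constructed.

```python
"""A minimal Policy Decision Point (PDP) fed by Policy Information Point (PIP)
attributes (added example, not Okta/Entra/OPA/Cedar policy syntax).

Combines the page's identity attributes (roles, authenticators used, device
posture bound to identity, risk score) into a per-session allow / step_up /
deny decision, with step-up choosing the strongest authenticator the user
has enrolled. Authenticator names and thresholds are constructed."""
from dataclasses import dataclass, replace

# Constructed authenticator catalogue. Factor sets and the hardware flag drive
# the AAL computed below, following the SP 800-63B summary on the page.
AUTHENTICATORS = {
    "pwd":         {"factors": {"knowledge"}, "hardware": False},
    "sms_otp":     {"factors": {"possession"}, "hardware": False},  # slated for retirement
    "totp":        {"factors": {"possession"}, "hardware": False},
    "fido2_hw":    {"factors": {"possession", "knowledge"}, "hardware": True},  # PIN-unlocked key
    "piv":         {"factors": {"possession", "knowledge"}, "hardware": True},
    "derived_piv": {"factors": {"possession", "knowledge"}, "hardware": True},
}


def session_aal(used):
    """AAL3: a multi-factor cryptographic hardware authenticator was used.
    AAL2: two distinct factors. AAL1: anything less (a lone TOTP is AAL1)."""
    factors, hardware_mfa = set(), False
    for name in used:
        spec = AUTHENTICATORS[name]
        factors |= spec["factors"]
        hardware_mfa |= spec["hardware"] and len(spec["factors"]) >= 2
    if hardware_mfa:
        return 3
    return 2 if len(factors) >= 2 else 1


def strongest_step_up(used, enrolled):
    """Pick the enrolled authenticator that raises the session AAL the most."""
    candidates = [a for a in enrolled if a not in used]
    if not candidates:
        return None
    return max(candidates,
               key=lambda a: (session_aal(list(used) + [a]), AUTHENTICATORS[a]["hardware"]))


@dataclass
class PipContext:
    subject: str
    roles: set
    authenticators_used: list
    authenticators_enrolled: list
    device_compliant: bool      # MDM compliance signal
    device_cert_bound: bool     # device certificate ties posture to this identity
    risk_score: int             # 0-100 from the risk engine


@dataclass
class Resource:
    name: str
    required_aal: int
    required_roles: set
    requires_managed_device: bool


HARD_DENY_RISK = 80   # constructed thresholds
ELEVATED_RISK = 50


def decide(ctx, res):
    """Per-session decision; the gateway, mesh, or data layer enforces it."""
    if ctx.risk_score >= HARD_DENY_RISK:
        return "deny", "risk score at hard-deny threshold"
    if not ctx.roles & res.required_roles:
        return "deny", "role not authorized for resource"
    if res.requires_managed_device and not (ctx.device_compliant and ctx.device_cert_bound):
        return "deny", "device not compliant or not bound to identity"
    # Elevated risk forces the strongest assurance level regardless of resource.
    need = max(res.required_aal, 3) if ctx.risk_score >= ELEVATED_RISK else res.required_aal
    have = session_aal(ctx.authenticators_used)
    if have >= need:
        return "allow", f"AAL{have} meets AAL{need}"
    target = strongest_step_up(ctx.authenticators_used, ctx.authenticators_enrolled)
    if target is None or session_aal(ctx.authenticators_used + [target]) < need:
        return "deny", f"AAL{need} required and no enrolled authenticator reaches it"
    return "step_up", target


def demo():
    """Constructed subject and resources; returns the decision per scenario."""
    analyst = PipContext("jdoe", {"analyst"}, ["pwd", "totp"], ["pwd", "totp", "piv"], True, True, 10)
    case_mgmt = Resource("case-mgmt", 2, {"analyst"}, True)
    hr_admin = Resource("hr-admin", 3, {"analyst", "hr"}, True)
    return {
        "routine": decide(analyst, case_mgmt),
        "sensitive": decide(analyst, hr_admin),
        "elevated_risk": decide(replace(analyst, risk_score=60), case_mgmt),
        "unbound_device": decide(replace(analyst, device_cert_bound=False), case_mgmt),
        "hard_deny": decide(replace(analyst, risk_score=90), hr_admin),
        "no_strong_auth": decide(replace(analyst, authenticators_enrolled=["pwd", "totp"]), hr_admin),
    }
```

Two design points carry over to a production PDP regardless of engine: the decision never trusts a self-reported AAL from the IdP but recomputes it from the authenticator references in the session, and device posture only counts when it is certificate-bound to the same identity, so a compliant device borrowed by a different user does not satisfy the managed-device condition.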
How we build
- Identity inventory. We catalog every identity store, every authenticator type in use, every federation, and every privileged account. We score against the FICAM Architecture and OMB M-19-17 enterprise services.
- Target ICAM design. Reference architecture for the agency's specific mission systems, with named components for Identity Management, Credential Management, Access Management, Federation, and Governance.
- Authoritative source consolidation. Wire HR systems of record, contractor management systems, and the Defense Manpower Data Center as needed into a single enterprise person registry.
- Authenticator modernization. PIV/CAC where applicable, Derived PIV for mobile, FIDO2 for partners and edge cases, retirement of password-only and SMS-OTP authenticators on a published schedule.
- Federation and SSO consolidation. Migrate mission applications off bespoke authentication onto the central SSO. Decommission shadow IdPs.
- Governance. Stand up access certification campaigns, role mining, segregation-of-duties policy, and audit reporting feeding the agency CDM dashboard.
Federal context and past performance
Bo Peng holds a Kaggle Top 200 global ranking and seven cloud certifications across AWS, Azure, and GCP. Precision Delivery Federal delivered production data engineering on SAMHSA platforms and is SAM.gov registered (UEI Y2JVCZXT9HP5, CAGE 1AYQ0). We pursue SBIR ICAM modernization topics across DoD, VA, and civilian agencies. Agency-specific playbooks live at DoD, VA, and CISA. See related insights in federal AI use cases by agency and our ICAM readiness checklist.
Tooling we work with
- Identity providers: Okta Identity Cloud for Government, Microsoft Entra ID GCC High and DoD, Ping Identity PingOne for Government, ForgeRock Identity Platform.
- Governance: SailPoint IdentityIQ, Saviynt Enterprise Identity Cloud, Microsoft Entra ID Governance.
- Privileged access: CyberArk PAM, BeyondTrust Privileged Remote Access, Delinea Secret Server, HashiCorp Boundary, Teleport.
- Smart card and PKI: Entrust IdentityGuard, DigiCert ONE Government, YubiKey 5 FIPS, Feitian ePass FIDO, HID ActivID.
- Workload identity: SPIFFE/SPIRE, HashiCorp Vault, AWS IAM Roles Anywhere, Azure Workload Identity Federation.
- Citizen identity: Login.gov, ID.me (where authorized), GSA federation broker.