Program Management Playbook


Step 9 - Conduct Capital Planning for ICAM


Capital Planning and Investment Control (CPIC) supports alignment of investments to your agency’s mission and supports business needs while reducing risks and increasing returns throughout the investment’s life cycle. The CPIC process as a whole integrates strategic planning, enterprise architecture (EA), privacy, security, budgeting, portfolio management, procurement, and acquisition management of capital assets.

The primary product of the CPIC process is the Exhibit 300. Exhibit 300s are constructed and reviewed on an annual basis for both new and existing capital investments.

Checklist

 Update Agency Approach to ICAM Investment. Traditionally, some agencies have submitted separate Exhibit 300 investment requests for various ICAM activities (e.g., HSPD-12, E-authentication). However, in future budget submissions, you should consider coordinating your capital planning efforts closely across individual ICAM projects and Exhibit 300 business cases. This coordination effort will help ensure alignment throughout the organization to reduce or eliminate redundant ICAM investments across agency components/bureaus.

 Include ICAM Requirements in CPIC processes. To include ICAM requirements in CPIC and investment request processes, you must identify key criteria for an investment to be considered aligned with FICAM. Be sure to communicate any changes to the relevant stakeholders and CPIC process participants.

The following list highlights several of the key ICAM considerations relevant to each phase of the standard CPIC process.

  • Preselect. Assess the business needs and resource requirements for the investment. Investment business plans should state use of the PIV card or authentication within the security planning. You should also educate the Investment Review Board on ICAM requirements.
  • Select. Ensure the selection of investments that best support the mission and approach. Review your ICAM investment for alignment with the FICAM architecture relative to accounts, authentication, access control, and auditing capabilities. Remember, investment data architecture should be evaluated to prevent the redundant collection of identity data.
  • Control. Take actions to ensure your ICAM investments will deliver the projected benefits through quality control and executive review. You should make sure your agency’s investment is properly integrated and aligned with your agency’s ICAM infrastructure. You should also oversee the development of the investment and its integration with enterprise ICAM services.
  • Evaluate. Evaluate and analyze whether the investments have delivered what was expected while remaining cost effective. Remember, investments should document and demonstrate return on investment (ROI) realized through the use of ICAM infrastructure security services. You should also determine opportunities to improve efficiency and update the investment as enterprise ICAM capabilities mature.

You should include planning for PIV-enablement and alignment with the FICAM architecture while completing capital planning activities and preparing your budget submissions. As part of its adoption into the Federal Enterprise Architecture (FEA), the FICAM architecture was added and assigned a code in the Enterprise Architecture Segment Report (EASR). Your agency must code relevant ICAM costs to the FICAM code and report them as part of your budget submissions via the Exhibit 53.

The table below gives a summary of common ICAM-related cost categories that you can use to help determine and report your agency’s ICAM costs in an organized manner.

| Cost Category | Description |
| --- | --- |
| New User Identity Proofing | Costs associated with proofing the identity of new users at the necessary level of assurance |
| Integration | Integration costs from contractor services and additional software/hardware required for integration and testing |
| Software | Cost of software including licenses and maintenance fees that could be decommissioned or redeployed across all environments for development, testing, and production |
| PKI Software | Licensing costs for PKI software as well as vendor maintenance fees to support all environments for development, testing, and production |
| Help Desk Calls | Costs associated with the number of password-related calls received by an agency |
| IT Operations Services | Costs of backups, monitoring, new development, enhancements, etc. across all environments for development, testing, and production |
| Training | Costs associated with training and creating/acquiring materials for new software and services installation, integration, maintenance, business processes, and end-user support |
| Policy Compliance | Costs associated with bringing the system into compliance with applicable ICAM policies |