Comply with Requirements Quickly and Easily with RFI and RFP Templates

A challenge Agencies face when putting out an RFI/RFP is making sure that the intent of the policies and guidance they need to comply with comes through. From the perspective of the organizations that are responsible for policy and guidance, an Agency getting the language right in the RFI/RFP closes the loop by aligning acquisitions with standards and policy. When it comes to Federal Government Agency Identity, Credential and Access Management RFIs and RFPs, FICAM is working to make this easier for Agencies.

We have taken note of the increased number of RFIs and RFPs for ICAM components that are going out. At the same time, we also realize that the hard-working folks who are putting these together face challenges when it comes to making sure that the language in the RFI/RFP reflects the required technical standards and policies.

Let me use language from a recent Agency RFI to discuss how we can help:

[...] requirement of integrating remote/on-line proofing functionality into the [Agency's Identity and Access Management Capability] Identity Proofing Services. To be capable of meeting this requirement, a vendor:
  • Must currently hold a Level 2 FICAM certification
  • Shall have the ability to achieve a Level 3 FICAM certification by [Future Date]
  • [More …]

The above sounds reasonable, but there is a problem; there currently is NO FICAM certification for a stand-alone identity proofing capability. FICAM certification, via our adopted Trust Framework Providers, currently applies only to a combined identity proofing and credential issuance solution. By using the language of FICAM certification above and associating it only with ID Proofing, the results end up being:

  • Confusion in the market about what exactly is being asked for
  • Limiting and/or eliminating qualified vendors who may be able to meet the actual intended requirements

Given that this is a Federal Government Agency that has to comply with OMB Levels of Assurance (LOA) requirements and the associated NIST technical implementation guidance for remote identity proofing, the solution to the above is a minor tweak to the language to convey the actual intent:

  • Must have an identity proofing service capable of implementing remote identity proofing processes at LOA 2 per NIST 800-63-1
  • Shall have the ability to implement remote identity proofing processes at LOA 3 per NIST 800-63-1 by [Future Date]

So, in order to help the Agencies up-front to comply with OMB, NIST and FICAM guidance, we are currently working on standardized technical language/templates for specific ICAM capabilities (Identity Proofing, Identity Federation etc.). Agencies will be able to easily incorporate this standard language into their RFI/RFP going forward.

If you are an Agency looking for information on ICAM components or policy for an RFI/RFP you are putting together, please feel free to contact us at icam (at) gsa (dot) gov and we would be happy to answer your questions.


:- by Anil John