Enterprise ICAM Implementation for CISA ZTMM Conditional Access Requirements Under OMB M-22-09
- Vishal Masih
- 6 days ago
- 6 min read

Enterprise ICAM Is Where Conditional Access Either Works or Stalls
Most civilian agencies do not fail conditional access because they lack tools. They stall because identity is fragmented. One bureau uses one identity provider. Another relies on a separate MFA stack. Privileged access is managed outside the main ICAM environment. Application teams maintain static roles that no longer match the workforce. Then the CISO is asked to report progress against OMB M-22-09 and CISA ZTMM with no clean enterprise view.
That is the real implementation pain. Conditional user access is not an MFA project. It is an enterprise ICAM operating model tied to attributes, privileged access, policy enforcement, monitoring, and ATO boundaries. Agencies are trying to build that while operating under continuing resolution uncertainty, lean IT staffing, FedRAMP procurement constraints, and production systems that cannot be taken offline for identity redesign.
What OMB M-22-09 and CISA ZTMM Actually Require
OMB M-22-09 Section III.B makes identity central to federal zero trust implementation. Agencies are expected to use centralized identity systems, phishing-resistant MFA, strong authorization controls, and enterprise-wide conditional access policies. The point is not more login friction. The point is consistent access decisions based on who the user is, what attributes are known, what device and session context exists, and what level of access is being requested.
CISA Zero Trust Maturity Model version 2.0 puts this work inside the Identity Pillar. At lower maturity, agencies may have basic identity services and MFA coverage. At Advanced and Optimal maturity, the model expects deeper integration: enterprise ICAM, privileged access management, self-service provisioning, dynamic attributes, and real-time policy enforcement across applications and services. CISA reinforced this direction in updated zero trust guidance emphasizing enterprise ICAM integration for conditional access.
FISMA and FedRAMP add the operating discipline. Conditional access mechanisms have to be documented, monitored, assessed, and included in authorization boundaries when they support enterprise systems or cloud services. A point solution may solve one access problem, but if it cannot produce evidence for continuous monitoring, authorization, and reporting, it creates another burden for the security team.
The Diagnostic Question: Is ICAM Enterprise-Wide or Just Widely Deployed?
The anchor question for this capability is direct: is the organization using an enterprise-wide ICAM solution? Not an identity tool in the largest component. Not MFA for the highest-risk users. Not a directory service that exists next to five exceptions. Enterprise-wide means the ICAM platform is the control point for user identity, attributes, authentication, authorization, provisioning, privileged access integration, and policy decisions across the agency environment.
From there, the practical diagnostic becomes straightforward. Can users and managers update approved identity attributes through self-service workflows without opening tickets for routine changes? If attributes drive access decisions, they have to be accurate and current. Static attributes maintained manually will not support CISA ZTMM progression.
Privileged access is the next fault line. If PAM is not integrated with the primary ICAM system for provisioning and deprovisioning, privileged accounts sit outside the conditional access model. That is where agencies lose visibility. JIT access should be available for privileged users so standing access is reduced. JEA should define and restrict what an administrator can do once access is granted. Those are not optional refinements. They are how least privilege becomes operational instead of policy language.
The final test is whether application and service permissions are dynamically adjusted based on enterprise attributes. If access is still driven mainly by static roles created years ago, the agency has not reached the level of conditional access expected in the Advanced direction of CISA ZTMM. Dynamic does not mean uncontrolled. It means policy decisions are based on current identity data, approved attributes, risk context, and mission need.
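The contrast between static application roles and enterprise attribute-driven decisions is easier to see in code. The following policy decision point is an added illustration written for this article, not code from the article, from AISE or from Zephon; every identifier (Identity, Session, JitGrant, Resource, the 30-day attribute freshness window, and the "alice" scenario) is a constructed assumption. It evaluates phishing-resistant MFA, device posture, attribute freshness, required enterprise attributes, and a time-boxed JIT grant with a JEA action scope, and sets that beside a legacy static role lookup that never notices a user's transfer.

```python
"""Attribute-based conditional access decision point (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PHISHING_RESISTANT = {"piv", "fido2"}     # methods treated as phishing-resistant here
MAX_ATTRIBUTE_AGE = timedelta(days=30)    # assumed freshness window for governed attributes


@dataclass
class Identity:
    user_id: str
    attributes: dict               # enterprise attributes maintained through governed workflows
    attributes_updated: datetime   # last governed update of those attributes
    mfa_method: str                # authentication method used for this session


@dataclass
class Session:
    device_managed: bool
    device_compliant: bool


@dataclass
class JitGrant:                    # time-boxed privileged grant with a JEA action scope
    user_id: str
    scope: frozenset               # privileged actions the grant permits
    expires: datetime


@dataclass
class Resource:
    name: str
    required_attributes: dict                 # attribute values enterprise policy requires
    privileged_action: Optional[str] = None   # None for non-privileged access
    phishing_resistant_required: bool = True


def decide(identity, session, resource, grants, now):
    """Return (decision, reason); every deny names the control that failed."""
    if resource.phishing_resistant_required and identity.mfa_method not in PHISHING_RESISTANT:
        return "deny", "phishing-resistant MFA required"
    if not (session.device_managed and session.device_compliant):
        return "deny", "device not managed and compliant"
    if now - identity.attributes_updated > MAX_ATTRIBUTE_AGE:
        return "deny", "identity attributes are stale"
    for key, wanted in resource.required_attributes.items():
        if identity.attributes.get(key) != wanted:
            return "deny", f"attribute {key!r} does not match policy"
    if resource.privileged_action is not None:
        active = [g for g in grants
                  if g.user_id == identity.user_id
                  and resource.privileged_action in g.scope
                  and g.expires > now]
        if not active:
            return "deny", f"no active JIT grant for {resource.privileged_action!r}"
    return "allow", "all conditional access checks satisfied"


def static_role_decide(role_table, user_id, resource_name):
    """Legacy pattern: a local role mapping with no context, freshness, or expiry."""
    return "allow" if resource_name in role_table.get(user_id, set()) else "deny"


# Constructed scenario: "alice" transferred from bureau A to bureau B two days ago.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
ALICE = Identity("alice", {"bureau": "B", "employment": "active"},
                 NOW - timedelta(days=2), "piv")
PAYROLL = Resource("payroll-app", {"bureau": "A", "employment": "active"})
CONSOLE = Resource("prod-console", {"employment": "active"}, privileged_action="restart-service")
LEGACY_ROLES = {"alice": {"payroll-app", "prod-console"}}   # never updated after the transfer
RESTART = frozenset({"restart-service"})


def run_scenarios():
    good = Session(True, True)
    stale = Identity("alice", ALICE.attributes, NOW - timedelta(days=45), "piv")
    otp = Identity("alice", ALICE.attributes, ALICE.attributes_updated, "otp")
    live = [JitGrant("alice", RESTART, NOW + timedelta(hours=4))]
    return {
        "legacy_payroll": static_role_decide(LEGACY_ROLES, "alice", "payroll-app"),
        "abac_payroll": decide(ALICE, good, PAYROLL, [], NOW)[0],
        "console_no_grant": decide(ALICE, good, CONSOLE, [], NOW)[0],
        "console_expired": decide(ALICE, good, CONSOLE,
                                  [JitGrant("alice", RESTART, NOW - timedelta(hours=1))], NOW)[0],
        "console_wrong_scope": decide(ALICE, good, CONSOLE,
                                      [JitGrant("alice", frozenset({"read-logs"}),
                                                NOW + timedelta(hours=4))], NOW)[0],
        "console_active": decide(ALICE, good, CONSOLE, live, NOW)[0],
        "unmanaged_device": decide(ALICE, Session(False, True), CONSOLE, live, NOW)[0],
        "otp_mfa": decide(otp, good, CONSOLE, live, NOW)[0],
        "stale_attributes": decide(stale, good, CONSOLE, live, NOW)[0],
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

The legacy role table still allows "alice" into the payroll application after her transfer, while the attribute-driven decision denies it because the enterprise bureau attribute no longer matches; the privileged console is reachable only during an unexpired grant whose scope covers the requested action, which is the operational form of the JIT and JEA expectations described above. Each deny carries the failed control name, which is the kind of reason code a monitoring pipeline can aggregate for FISMA evidence.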
What AISE Scores Mean for Conditional User Access
AISE, Zephon's Zero Trust Maturity & Governance Platform, assesses this capability once and produces separate maturity scores for CISA ZTMM and DoD ZTA CoA. For civilian agencies, the lead output is the CISA ZTMM maturity score mapped to OMB M-22-09 requirements. The DoD ZTA CoA score is additional context for agencies that work with defense partners, shared services, or mixed federal environments.
For Conditional User Access, a Level 1 result usually means identity controls exist but are fragmented. MFA may be deployed. Some applications may use centralized login. PAM may exist as a separate tool. But there is no enterprise policy fabric tying user attributes, privileged access, and application authorization together. Reporting to leadership becomes manual, and FISMA evidence collection becomes repetitive.
A Level 3 result means the agency has moved into a managed model. Enterprise ICAM is established for a meaningful portion of the environment. PAM is integrated for priority privileged roles. Self-service workflows exist for selected attributes or access requests. Conditional access policies are documented and enforced for higher-value applications.
This is where agencies can build credible milestones instead of broad zero trust narratives.
A Level 5 result means conditional access is treated as an enterprise control. ICAM is the authoritative access decision point. PAM is integrated with provisioning and deprovisioning. JIT and JEA are operating for privileged access. User attributes are maintained through governed workflows. Applications and services consume policy decisions dynamically. Monitoring and reporting support FISMA oversight, FedRAMP authorization boundaries, and OMB progress reporting without rebuilding evidence from scratch every quarter.
Turning Maturity Scores Into Fundable Milestones
A score is useful only if it converts into work that can be funded, staffed, and reported. Civilian agencies rarely have the budget flexibility to replace identity infrastructure in one move. The practical approach is sequencing.
First, confirm the authoritative ICAM architecture and identify where identity providers, directories, MFA services, PAM tools, and application access models are disconnected.
Second, prioritize privileged access integration. PAM outside ICAM is one of the fastest ways to weaken conditional access and complicate FISMA reporting.
Third, define the enterprise attribute model. Conditional access depends on reliable attributes, not assumptions buried in application roles.
Fourth, move high-value applications to dynamic policy enforcement before expanding to long-tail systems.
Fifth, align evidence collection with ATO, continuous monitoring, OMB reporting, and FedRAMP package expectations.
This is where procurement officers matter. Buying another standalone identity tool may satisfy a local need and still move the agency sideways. FedRAMP can be an effective procurement path when the solution fits the enterprise ICAM architecture and supports the agency authorization strategy. The acquisition question should be: does this purchase strengthen the enterprise access decision model, or does it create another exception?
ROM Timelines for Moving the Capability Forward
Realistic timelines depend on application complexity, legacy dependencies, contract vehicles, and how much of the current ICAM estate is shared across components. For planning purposes, I use ranges that account for civilian agency constraints.
Moving from Level 1 to Level 2 typically takes 90 to 180 days when the work is focused on discovery, architecture decisions, policy mapping, and initial consolidation of identity data. The deliverable is not a full transformation. It is a defensible baseline: current identity systems, application dependencies, privileged account inventory, attribute gaps, and conditional access policy coverage.
Moving from Level 2 to Level 3 commonly takes 6 to 12 months. This is where agencies integrate PAM with ICAM for priority systems, establish self-service workflows for selected attributes, enforce conditional access for high-value applications, and align documentation with ATO and FISMA reporting cycles. This phase is where measurable progress becomes visible to leadership.
Moving from Level 3 to Level 4 or 5 can take 12 to 24 months. The work shifts from projects to operating model: broad application onboarding, mature attribute governance, JIT and JEA expansion, continuous monitoring integration, and repeatable evidence production for oversight and authorization activities. The timeline is longer because mission systems, shared services, and legacy applications have to be addressed without disrupting operations.
Anonymized Federal Scenario
A civilian agency we supported had three identity providers, two MFA implementations, a PAM tool managed by infrastructure operations, and application teams maintaining separate access roles. Leadership believed conditional access was mostly complete because MFA coverage was high. The assessment showed a different picture: privileged access was not consistently tied to ICAM, user attributes were manually updated, and several high-value applications made authorization decisions from local roles instead of enterprise identity data.
The agency did not start by replacing everything. We established an enterprise ICAM reference architecture, mapped conditional access requirements to OMB M-22-09 and CISA ZTMM, and identified where FedRAMP-authorized services could support the target operating model. PAM integration came first for the highest-risk administrative groups. Then the team defined attribute ownership, added self-service updates for approved fields, and moved selected applications to centralized policy enforcement.
The outcome was practical: fewer identity exceptions, cleaner leadership reporting, stronger ATO evidence, and a maturity path the agency could defend during budget reviews. The important shift was moving from tool deployment to enterprise control design.
Get a Clean Baseline Before the Next Reporting Cycle
Conditional user access is one of the clearest indicators of whether zero trust is becoming operational inside a civilian agency. If ICAM, PAM, attributes, and application permissions are disconnected, OMB M-22-09 reporting will stay difficult and CISA ZTMM maturity will plateau.
AISE gives agencies one assessment and two scorecards: a CISA ZTMM maturity score mapped to OMB M-22-09 requirements, plus a separate DoD ZTA CoA score for additional context. For civilian leadership, that means a clean view of the CISA maturity baseline, the OMB implementation gap, and the next milestones to fund and execute.
Get your agency's AISE maturity baseline for conditional access capabilities at zephon.tech/zt.