ICAM · IAM · FICAM · CIAM

0
Years federal ICAM
0
Active clearances
0
Audit findings, 38 programs
0
NHIs under governance

ICAMXperts designs, implements, and sustains ICAM programs for federal agencies and regulated enterprises. SailPoint IdentityIQ, Okta, Oracle IDM, CyberArk — deployed by the same team that assessed you.


Services

01

Zero Trust ICAM Modernization

We advance federal agencies and regulated enterprises from Initial to Advanced across the CISA ZTMM identity pillar - on schedule, with a defensible evidence package that holds up on first review. Every week we are deploying phishing-resistant MFA, hardening privileged access, and building the continuous access evaluation architecture that EO 14028 and OMB M-22-09 require.

CISA ZTMM 2.0 · NIST SP 800-207 · DOW ZT Strategy · EO 14028 · OMB M-22-09

02

AI Agent Identity & Governance

We govern the identities your AI agents run as - because ungoverned agents are the fastest-growing attack surface in production systems today. We are in these environments now: discovering shadow agents, eliminating secret sprawl, enforcing JIT provisioning, and building the delegation chain accountability that NIST AI RMF 1.0 and the OWASP Top 10 for Agentic Applications require.

NIST AI RMF 1.0 · OWASP Agentic AI · NIST SP 800-207 · CSA MAESTRO

03

CMMC & FedRAMP Readiness

Control-by-control gap analysis against NIST SP 800-171, SSP and POA&M development to C3PAO standard, and FedRAMP authorization support.

CMMC 2.0 · NIST SP 800-171 · FedRAMP

04

Identity Governance & Compliance

Audit-ready IGA programs that scale - role lifecycle management, access certifications, SoD enforcement, and continuous ATO sustainment across FISMA, HIPAA, and SOX-regulated environments.

FISMA · NIST SP 800-53 · HIPAA · SOX

The identity shift

Non-human identities now outnumber humans in your environment. Traditional IAM was never built for this.

ICAMXperts AI Security Practice Brief · 2026
12,000+ · NHIs discovered in a single Fortune 100 engagement
94% · Of those had no inventory entry, no owner, no expiry
0 · Existing IAM platforms with native agentic AI governance

The result, not the process.

Zero Trust ICAM
14 mo. · ZTMM Initial to Advanced
0 failed ATO reviews · 100% phishing-resistant MFA

Cabinet-level civilian agency · Identity pillar lead under EO 14028 and OMB M-22-09.

FIDO2 phishing-resistant MFA, Okta SSO, and continuous access evaluation - shipped on schedule and defensible on first ATO review. No remediation cycle. No re-scoping after delivery.

CISA ZTMM 2.0 · NIST SP 800-207 · EO 14028 · OMB M-22-09

AI Agent Governance
12k+ · Ungoverned NHIs discovered
90 days to eliminate secret sprawl · 0 standing privileges remaining

Fortune 100 enterprise · No inventory, no owners, no expiry on any credential.

JIT provisioning enforced across all agent identities. Delegation chain governance built. LLM workflow identities brought under continuous monitoring - before any breach, not after.

NIST AI RMF 1.0 · CSA Agentic AI · OWASP Top 10 LLM

IGA / Compliance
14→0 · SOX access findings
38 source systems connected · 0 audit findings since go-live

Global financial services firm · SOX-regulated, multi-source SailPoint IIQ deployment.

Role lifecycle, quarterly access certifications, and SoD enforcement - built to survive the next audit without a remediation cycle. Same team through implementation, sustainment, and every reauthorization.

SOX · FISMA · SailPoint IIQ · NIST SP 800-53

Past engagements shown as representative examples. Results vary by environment and scope.

Four phases, one team, start to finish.

Phase 01 · 2–4 weeks · Principal-led

Assess

Control-by-control evaluation against NIST SP 800-171, SP 800-53, or CISA ZTMM. We deliver a defensible findings report — not a heat map. Every finding maps to a remediation owner and timeline before we leave the assessment phase.

Output
Findings report with control-level gap mapping
Prioritized remediation roadmap with owners and timelines
Scoped to your authorization boundary from day one
NIST SP 800-53 · NIST SP 800-171 · CISA ZTMM 2.0

Phase 02 · 3–6 weeks · Architects + GRC

Architect

Target-state design with documented decisions, control mappings, SSP and POA&M drafted to C3PAO standard from day one. Every architectural decision has a compliance citation. No roadmap that gets rewritten after political review.

Output
Target-state architecture with documented design decisions
SSP and POA&M drafted to C3PAO standard
Compliance citation for every architectural decision
NIST SP 800-207 · FedRAMP · C3PAO

Phase 03 · 12–24 weeks · Embedded engineering

Implement

Hands-on deployment on SailPoint, Okta, Oracle IDM, or CyberArk. Evidence package built continuously — not assembled after the fact. The same architect who designed the solution is on the implementation team. No handoff. No knowledge loss.

Output
Production deployment with continuous evidence capture
Same architect on the implementation team — no handoff
ATO-ready evidence package at delivery, not during remediation
SailPoint IIQ · Okta · CyberArk · Oracle IDM

Phase 04 · Ongoing · Named team

Support

Continuous monitoring, control upkeep, and named team through every reauthorization and audit cycle. Median bench tenure is eleven years in regulated environments. We know your environment better than any incoming team could — and we stay.

What this means
Named support bench — not a ticketing queue
Median tenure: 11 years in regulated environments
We know your environment better than any incoming team
FISMA Sustainment · Continuous ATO · POA&M Management

Platforms we deploy and sustain.

| Platform | Products | Core capabilities | Relevant to |
|---|---|---|---|
| SailPoint (IGA) | IdentityIQ; IdentityNow | Role lifecycle management; Access certifications; SoD enforcement; Identity analytics | FISMA; SOX; FedRAMP |
| Okta (SSO · CIAM) | Workforce Identity; Customer Identity | Phishing-resistant MFA; FIDO2 / PIV / CAC; Adaptive access policies; Continuous access evaluation | EO 14028; CISA ZTMM; FICAM |
| CyberArk (PAM · Secrets) | Privileged Access Mgr.; Secrets Manager | Zero standing privilege; JIT access workflows; Machine identity secrets; AI agent credential governance | CMMC 2.0; SP 800-207; NIST AI RMF |
| Oracle IDM (Legacy · Modernization) | OIG · OAM · OUD; Identity Cloud | Provisioning workflows; Delegated administration; Legacy stack modernization; Directory consolidation | Federal Civilian; FISMA; ATO Sustainment |

Practitioner-grade reading. No sales copy.

POINT-OF-VIEW

AI Agent Identity: The Governance Gap No One Has Closed Yet

AI agents operate as identities. Most organizations have no inventory of them, no provisioning policy, and no accountability chain. This paper explains what closing that gap actually requires.

NIST AI RMF 1.0 · OWASP Agentic AI

REFERENCE SHEET

NIST SP 800-207 Control Mapping for Federal ICAM Programs

A working reference that maps Zero Trust Architecture tenets to the specific ICAM controls your SSP and POA&M need to cover. Formatted for C3PAO and ATO package use.

NIST SP 800-207 · NIST SP 800-53 r5

CAPABILITY STATEMENT

ICAMXperts Federal Capability Statement

Core competencies, contract vehicles, NAICS codes, UEI, and engagement model. Formatted for federal procurement officers and prime contractor teaming packages.

NAICS 541512 / 541519 · GSA MAS - SEWP V

Evidence, not assertion.

Cleared engagements and regulated environments across federal civilian, DOW, and private sector.

| Sector | Scope | Frameworks |
|---|---|---|
| 01 Dept. of War | Primes and the war industrial base preparing for CMMC Level 2 and Level 3 certification. | CMMC 2.0; SP 800-171; DFARS 7012 |
| 02 Federal Civilian | Zero Trust modernization under EO 14028 and OMB M-22-09. Identity pillar lead across cabinet-level agencies. | EO 14028; CISA ZTMM; FISMA |
| 03 Intelligence Community | Cleared engagements including PIV/CAC modernization, privileged access management, and continuous monitoring. | ICD 503; PIV/CAC; PAM |
| 04 Healthcare & Life Sciences | HIPAA-aligned identity governance and customer identity portals for regulated health data environments. | HIPAA; HITRUST; IAL2/3 |
| 05 Financial Services | SOX-aligned access certifications, SoD enforcement, and continuous monitoring across trading and banking environments. | SOX; FFIEC; SailPoint IIQ |
| 06 Higher Education | Federated identity for research consortia, InCommon federation, and federal grant compliance environments. | InCommon; SP 800-171; Shibboleth |

| Framework / Mandate | Coverage area | Our practice | Status |
|---|---|---|---|
| NIST SP 800-207 | Zero Trust Architecture - all tenets | Zero Trust ICAM | Active |
| CISA ZTMM 2.0 | Zero Trust maturity across 5 pillars | Zero Trust ICAM | Active |
| EO 14028 · M-22-09 | Federal Zero Trust mandate and timelines | Zero Trust ICAM | Active |
| CMMC 2.0 (L1-L3) | DOW contractor cybersecurity - 110+ controls | CMMC Readiness | Active |
| NIST SP 800-171 r3 | CUI protection - 110 controls | CMMC Readiness | Active |
| NIST AI RMF 1.0 | AI risk management and governance | AI Agent Governance | Active |
| FISMA · FedRAMP · HIPAA · SOX | Sector-specific compliance regimes | IGA / Governance | Active |

Bring us a hard compliance problem.

Thirty-minute scoping call with a principal - not a sales engineer. We'll tell you whether the engagement is right for us before you tell us your budget.

info@icamxperts.com · +1 844-GO-ICAM1 · 23207 Wrathall Dr, Ashburn, VA 20148