Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

M3 Framework Introduction M3 Framework Overview M3 Phase 0 - Assessment M3 Phase 1 - Readiness M3 Phase 2 - Selection M3 Phase 3 - Engagement M3 Phase 4 - Migration M3 Phase 5 - Operations M3 Resources
M3 Playbook > Phase 4: Migration
4.12 Define Roles and User Access
4.11 Conduct Security and Privacy Reviews
4.13 Configure Systems
Image Map Phase 0: Assessment Phase 1: Readiness Phase 2: Selection Phase 3: Engagement Phase 4: Migration Phase 5: Operations
Objective: Define roles and user access according to user requirements.

Phase 4 GuidanceLegend - Customer, Provider, Shared
1. Document roles and access rights, segregation of duties, identification (ID) request and ID management processes based on Identity, Credentials, and Access Management Framework (ICAM) (S)
2. Finalize roles and responsibilities for granting user access in Operations and Maintenance (O&M) (S)
3. Implement Security Configuration for user roles and user access as documented in ICAM (P)
4. Assign user access rights to employees (S)
5. Load production user accounts (P)
6. Test production user accounts (P)
7. Provide credentials to end users for testing, training, and production (S)

• Requirements Traceability Matrix (RTM)
• Gap Analysis Report
• Target State Process Flows
• Target State Organization Structure
• Technical Strategy

• Baselined List of ID Credentials
• Program Manager (C, P)
• Functional Lead (C, P)
• Technical Lead/Solution Architect (C, P)
• Security Lead (C, P)
• ISSO (C, P)
• Network SME (C, P)
• PMO Lead (C, P)
• Change Management Lead (C,P)
• Training Lead (C, P)

Best Practice
• Have an ID management tool, ID request process, and contact center procedures to resolve access related issues in place before cutover
• Provide sufficient security access to the deployment team to perform their tasks effectively in advance of deployment
• Establish security roles and responsibilities well in advance of deployment to resolve issues while time allows