DISA To Federate ICAM Instances Across the DoD and Military
The Defense Information Systems Agency (DISA) is innovating and modernizing the U.S. Department of Defense’s (DoD’s) identity, credential and access management (ICAM) with the goal of federating all instances of ICAM across the DoD and military services by the end of 2025.
DISA is advancing its efforts by creating a single identity provider point, allowing users to access several department applications without complex authentication processes.
Brian G. Hermann, director and program executive officer for DISA’s Program Executive Office Cyber, said the agency is federating existing ICAM systems first, starting with the U.S. Army, then moving on to other branches of the military. He said DISA hopes to have the Army’s ICAM federated to the enterprise ICAM by the end of March, expecting each service federation process to take about a month. So far, according to Hermann, DISA hasn't run into any technical issues with the transition.
“[ICAM is] something that everybody across the Department of Defense can use in some cases,” Hermann said. “Especially in tactical cases, the military components themselves need to have a solution to meet their needs.”
If a tactical location were to get disconnected from the enterprise ICAM, Hermann said military services would still have the most recent synchronization of data between the local identity provider function and the enterprise. However, he said he recognizes that “federation doesn’t always survive the tactical challenge.”
After federating within the unclassified network, the goal is to expand federation to the classified network and include close allies and coalitions, Hermann shared in a meeting with reporters.
“ICAM is how we work across the department, as well as how we work with our mission partners,” Hermann said. “So, enabling our work with allied and coalition partners means we have to have some connectivity and understanding of who we're working with in that coalition, make sure that we have an understanding of their access rights and grant them access to DoD resources, as well as grant DoD users access to things that we have to share with those mission partners.”
DISA has already implemented automated account provisioning, which has replaced manual processes for granting users access to systems, and a master user record that can track user access and activity and remove access when necessary, according to Hermann.
Currently, a small number of individuals with clearances have access to the master user record, and Hermann said eventually they could use their access to monitor and detect insider threats. For now, he said activity monitoring is best evaluated separately by organizations that know their missions and can easily detect disparities, as opposed to broadly across the enterprise.
While the goal is to have one federation point, Hermann said DISA recognizes that not all components will work efficiently with the enterprise ICAM, and really, it’s about finding the right number of ICAM instances.
For example, DISA owns between 200 and 300 applications that need to adopt ICAM, and across the DoD, there could be almost 10,000 different applications, Hermann estimated. Deciding which applications should be federated to the enterprise ICAM has also helped weed out the outdated applications that can be let go.
“We are working with some components across the department to determine whether or not the enterprise solution can meet their needs and avoid having a separate instance of ICAM for them,” Hermann said. “. . . We really want to prove that there's no way that it could be supported by an existing ICAM before we create new ones because it's not cheap to do this.”