DISA’s Enterprise Identity Management Solution Targeted for Testing with Pilot Apps in January

The Defense Information Systems Agency is bringing a prototype of an enterprise identity, credential, and access management solution online in the coming months to be piloted with a subset of Defense Department applications in early 2021. 

DISA announced last year it would seek a system allowing the Pentagon to oversee the digital credentials and online activity of individuals accessing its IT infrastructure. The move is part of a governmentwide shift toward security practices focused on giving the right users access to the right resources at the right time. 

DISA officials provided an update on their progress developing an enterprise ICAM solution during a FedInsider webinar Tuesday sponsored by General Dynamics Information Technology, which was awarded an exclusive other transaction authority, or OTA, contract June 30 to develop a prototype.

Dr. Serena Chan, director of DISA’s Cyber Development Directorate, said the agency is currently implementing the prototype. After it’s implemented, it will undergo testing with a select subset of Defense Department applications in order to fine-tune the solution. 

“Then we will expect to bring aboard applications across the department by this time next year,” Chan said. 

The prototype is slated to reach initial operational capability status in late December, and the pilot will consist of 13 applications from across several Defense Department components, Chan said in an email to Nextgov. Testing with the pilot applications is set to begin in January 2021, Chan said. 

DISA selected the 13 applications in coordination with the Defense Department’s chief information officer, chief financial officer and chief management officer to represent a range of complexity, Chan said. Some applications are simple to integrate into the new solution while others will require some reengineering tasks in order for integration to work. 

Roger Greenwell, DISA’s chief information officer, said during the Tuesday webinar the ICAM project is meant to create a master user record to keep track of all permissions and access a person or non-person identity has. 

“A lot of the ICAM strategy and the piloting efforts are really to help us understand a little bit more what can we do, how can we bring a little bit more of a centralized view into this, but yet still make sure we can operate in a decentralized fashion recognizing the size and complexity of the department,” Greenwell said. 

The new enterprise system won’t fully eliminate common access cards, Chan said. But the ICAM project will play an important role in DISA’s effort to move to a zero trust architecture for cybersecurity. Vice Adm. Nancy Norton, DISA’s director, announced at the AFCEA Army Signal Conference in July DISA will release its zero trust reference architecture by the end of the year. 

“It's very important to note that ICAM is foundational to zero trust, I think the fidelity that the ICAM capabilities provide us will greatly help that,” Chan said.

Chan said DISA is currently working on implementing the core principles of zero trust: never trust and always verify, denial by default and verify explicitly. Working together, these principles should help DISA reduce the surface of attack on the Defense Department’s information network.

The Office of Management and Budget in 2019 released an updated ICAM policy outlining a future in which agencies manage identity continuously rather than with a point-in-time authorization. OMB shifted its policy because more work moves to the cloud and employees connect from ever more devices, security perimeters have become nebulous. 

This means granting access and authenticating users at a single point no longer makes sense. The updated OMB policy called on agencies to rely on identity as the basis for risk management.