Identity management beyond the CAC card

A U.S. Air Force airman unlocks a dormitory door with a Common Access Card. U.S. Space Force photo by Airman 1st Class Brooke Wise

The Defense Information Systems Agency previewed plans to improve identity management, which includes expanding multi-factor authentication.

BALTIMORE – Defense agencies could see a slew of new capabilities designed to ease identity and access management this year, according to defense IT officials. Chief among them is an expansion of multi-factor authentication across new user groups and applications. 

Brandon Iske, the chief engineer for the security enablers portfolio in DISA's Cyber Development Directorate and Development and Business Center, said the Defense Department's goal is to evolve from a yes/no framework to conditional access: an access decision that evaluates whether users are on a managed device and a trusted network, and that considers other risk factors, before granting access to certain applications.

"We have a workforce, or people...people have security factors and attributes about them. And they also have devices," Iske said during a panel session on April 27 at AFCEA's TechNet Cyber conference in Baltimore. "And so what we're trying to do from an [identity, credentialing, and access management] perspective, is really bring in all those additional attributes and context to better control access."
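The conditional-access model Iske describes, as an added illustration that is not DISA's code: a central policy point scores each request on the factors presented, whether the device is managed, whether the network is trusted, and a risk score, and returns allow, step-up (demand an additional factor) or deny. The policies, thresholds, signal names and sample users are all constructed for this example.

```python
"""Conditional-access policy evaluation (added example, not DISA's implementation).

Instead of a yes/no check enforced inside each application, one policy point
evaluates the authentication context and returns ALLOW, STEP_UP or DENY with
the reasons, so the decision and its audit trail live in one place.
All names, thresholds and sample contexts are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after an additional factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    user: str
    factors: frozenset      # factor types already presented, e.g. {"pki", "otp"}
    managed_device: bool    # device enrolled in enterprise management (assumed signal)
    trusted_network: bool   # request originates from an enterprise network
    risk_score: int         # 0 (benign) .. 100 (hostile); constructed scale


@dataclass(frozen=True)
class AppPolicy:
    name: str
    min_factors: int = 1
    require_managed_device: bool = False
    require_trusted_network: bool = False
    max_risk: int = 70      # hard ceiling; above it the request is denied outright


def evaluate(ctx: AccessContext, policy: AppPolicy):
    """Return (Decision, [reasons]) for one request against one application policy."""
    # Hard requirements first: failing any of these is a DENY regardless of factors.
    if ctx.risk_score > policy.max_risk:
        return Decision.DENY, [f"risk {ctx.risk_score} exceeds ceiling {policy.max_risk}"]
    if policy.require_managed_device and not ctx.managed_device:
        return Decision.DENY, ["unmanaged device"]
    if policy.require_trusted_network and not ctx.trusted_network:
        return Decision.DENY, ["untrusted network"]

    # Soft conditions: a shortfall is resolved by stepping up, not by denying.
    reasons = []
    if len(ctx.factors) < policy.min_factors:
        reasons.append(f"{len(ctx.factors)} factor(s) presented, {policy.min_factors} required")
    if not ctx.trusted_network and len(ctx.factors) < 2:
        reasons.append("single factor from an untrusted network")
    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, []


# Constructed policies: a sensitive finance application and a low-sensitivity wiki.
POLICIES = {
    "payroll": AppPolicy("payroll", min_factors=2, require_managed_device=True, max_risk=50),
    "wiki": AppPolicy("wiki"),
}

# Constructed sample contexts ("pki" stands in for a CAC/PKI logon, "otp" for a second factor).
CONTEXTS = {
    "alice": AccessContext("alice", frozenset({"pki"}), True, True, 10),
    "bob": AccessContext("bob", frozenset({"pki", "otp"}), False, True, 10),
    "carol": AccessContext("carol", frozenset({"pki", "otp"}), True, False, 40),
    "dave": AccessContext("dave", frozenset({"pki"}), True, False, 80),
}


def decide_all():
    """Evaluate every sample context against every policy; keyed by (user, app)."""
    return {(u, a): evaluate(ctx, pol)[0]
            for u, ctx in CONTEXTS.items() for a, pol in POLICIES.items()}


if __name__ == "__main__":
    for u, ctx in CONTEXTS.items():
        for a, pol in POLICIES.items():
            decision, reasons = evaluate(ctx, pol)
            print(f"{u:6} -> {a:8} {decision.value:8} {'; '.join(reasons)}")
```

The ordering matters: hard requirements (risk ceiling, managed device, trusted network) are checked before the step-up conditions so that a hostile session cannot talk its way in by presenting one more factor. Every decision carries its reasons, which is what the detection side needs when reviewing denied and stepped-up requests.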

Iske said the challenge with the public key infrastructure and Common Access Card "being standard" is that it has decentralized access management—something that has to be corrected to achieve zero trust. 

"With PKI and CAC being standard…that has driven access management to be very decentralized. And so across the department, much of that is enforced directly at the application," Iske said. "We can't achieve zero trust if we have to touch every single application and to do the kind of complex integrations that will come in the future." 

Managing identity and access across the department is complex and involves multiple partnerships with organizations that are enterprise service providers, such as the Defense Manpower Data Center and the National Security Agency. 

W. Chandler Grice, DISA's program manager for identity, credentialing, and access management, said during the event that the end goal is to have account automation, centralized and continuous authentication, data and attribute sharing, plus new platforms and multi-factor authentication as part of its shift to zero trust. 

Right now, DISA has a CAC authentication service available for DOD 365 tenants and customer applications, alongside multi-factor authentication for CAC holders as part of the "bring your own approved device" pilots. Those capabilities are housed within DISA's global federated user directory, which acts as an identity provider and serves more than 1 million authentication requests every day, Grice said.

"We've also successfully on-boarded five 365 tenants, with two more projected over the summertime. And then we've also on-boarded 20 customer applications," Grice said. "We want to make it easy, intuitive and fast for customers to on-board to our service offerings."

The multi-factor authentication pilot currently has more than 33,000 users across five customers. DISA also delivered a self-service portal for the authentication service in March, Grice said. 

In the next six months, DISA is looking to develop an initial automated system authorization, which is expected in May, alongside intra-application segregation of duties. Both capabilities were developed with DOD's financial management community across eight pilot applications, Grice said, but the aim is to expand the offerings to a broader user base.

DISA's push to reform identity management has been years in the making and the updates come as the agency awarded several significant contracts it needs to implement zero trust, which hinges on optimized identity solutions. 

GDIT landed one of them, a $162 million contract awarded by DISA in February, and is moving into production.

Jim Matney, GDIT's vice president and general manager who handles DISA and enterprise services, told FCW that identity management used to mean that "everybody was managing their own identities for their specific organization" and the contract effort "brings it up a level" so users can collaborate and work across organizations with a single identity.

"We're creating a master user record, which then takes inputs from other metadata -- your security clearance information and the like....and then you have the ability to automatically provision and deprovision accounts as necessary, when their need [for] access to certain resources aren't needed anymore."

Within the first six months following the contract award, GDIT will build out production of its ICAM capabilities by integrating DISA's global directory, as the identity provider, to create a single solution. 
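The master-user-record approach Matney describes, as an added illustration that is not GDIT's or DISA's implementation: entitlements are derived from attributes on the record (organization, clearance, active status), compared against the accounts that currently exist, and the difference becomes provision and deprovision actions. The attribute names, rules and sample records are constructed for this example.

```python
"""Attribute-driven provisioning from a master user record (added example).

desired_entitlements() derives what a user should have from the record's
attributes; reconcile() diffs that against what currently exists and emits
the provision/deprovision actions, including for accounts that have no master
record at all. Attributes, rules and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MasterUserRecord:
    user_id: str
    org: str          # organization code, e.g. "finance" (constructed)
    clearance: str    # "none", "secret" or "ts" (constructed scale)
    active: bool      # False once the person no longer needs any access


# Entitlement rules: (predicate over the record, resource granted). Constructed.
RULES = [
    (lambda r: r.active, "email"),
    (lambda r: r.active and r.org == "finance", "finance-app"),
    (lambda r: r.active and r.clearance in ("secret", "ts"), "classified-share"),
]


def desired_entitlements(rec: MasterUserRecord) -> set:
    """Resources this record entitles the user to, under RULES."""
    return {resource for predicate, resource in RULES if predicate(rec)}


def reconcile(records, current):
    """Diff desired state against current accounts.

    records: iterable of MasterUserRecord (the authoritative source)
    current: dict user_id -> set of resources the user currently holds
    returns: list of (action, user_id, resource), deterministic order
    """
    actions = []
    for rec in records:
        want = desired_entitlements(rec)
        have = current.get(rec.user_id, set())
        for res in sorted(want - have):
            actions.append(("provision", rec.user_id, res))
        for res in sorted(have - want):
            actions.append(("deprovision", rec.user_id, res))
    # Accounts with no master record are orphans: nothing entitles them, so
    # everything they hold is removed.
    known = {rec.user_id for rec in records}
    for user_id, have in current.items():
        if user_id not in known:
            for res in sorted(have):
                actions.append(("deprovision", user_id, res))
    return actions


# Constructed sample data: a joiner, a mover, a leaver and an orphaned account.
RECORDS = [
    MasterUserRecord("alice", "finance", "secret", True),    # new hire, only has email
    MasterUserRecord("bob", "logistics", "none", True),      # moved out of finance
    MasterUserRecord("carol", "finance", "ts", False),       # departed
]
CURRENT_ACCOUNTS = {
    "alice": {"email"},
    "bob": {"email", "finance-app"},
    "carol": {"email", "classified-share"},
    "ghost": {"email"},                                      # no master record
}


def run_demo():
    return reconcile(RECORDS, CURRENT_ACCOUNTS)


if __name__ == "__main__":
    for action, user_id, resource in run_demo():
        print(f"{action:12} {user_id:6} {resource}")
```

Treating the master record as the only source of truth is what makes the "mover" and "leaver" cases automatic: bob loses finance-app the moment his organization attribute changes, and carol loses everything when the record is marked inactive, without anyone having to visit each application. The orphan check catches accounts that exist with no record behind them, which is a common finding in access reviews.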

"You have to have the infrastructure, the underlying solution in place that can enable it," Matney said. He added that organizations will be able to continue to use CACs but a shift to other multi-factor authentication protocols will also be available. "We're one step closer to being able to enable…the phase out of the CACs," he said.

"So this is a really great opportunity. It's a great step forward. Getting us one step closer to…zero trust," Matney said.