Identity management beyond the CAC card

A U.S. Air Force airman unlocks a dormitory door with a Common Access Card. U.S. Space Force photo by Airman 1st Class Brooke Wise

The Defense Information Systems Agency previewed plans to improve identity management, which includes expanding multi-factor authentication.

BALTIMORE – Defense agencies could see a slew of new capabilities designed to ease identity and access management this year, according to defense IT officials. Chief among them is an expansion of multi-factor authentication across new user groups and applications. 

Brandon Iske, the chief engineer for the security enablers portfolio in DISA's Cyber Development Directorate and Development and Business Center, said the Defense Department's goal is to evolve from a yes/no framework to one where there's conditional access that can evaluate whether users are on a managed device, a trusted network and consider other risk factors that could affect access to certain applications. 

"We have a workforce, or people...people have security factors and attributes about them. And they also have devices," Iske said during a panel session on April 27 at AFCEA's TechNet Cyber conference in Baltimore. "And so what we're trying to do from an [identity, credentialing, and access management] perspective, is really bring in all those additional attributes and context to better control access."

Iske said the challenge with the public key infrastructure and Common Access Card "being standard" is that it has decentralized access management—something that has to be corrected to achieve zero trust. 

"With PKI and CAC being standard…that has driven access management to be very decentralized. And so across the department, much of that is enforced directly at the application," Iske said. "We can't achieve zero trust if we have to touch every single application and to do the kind of complex integrations that will come in the future." 
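The shift Iske describes, from a yes/no CAC check enforced inside each application to a central policy engine that weighs device, network and risk attributes, can be sketched in a few lines. This is an added illustration, not DISA's or GDIT's code; the attribute names, the risk scale and the sample application policy are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AccessContext:
    """Attributes the central identity provider knows about a request (constructed names)."""
    user: str
    cac_verified: bool        # PKI credential on the CAC validated by the IdP
    mfa_verified: bool        # an approved non-CAC second factor, if any
    device_managed: bool      # endpoint enrolled in enterprise device management
    network_trusted: bool     # request arrived from a trusted enclave
    risk_score: int           # 0 (benign) .. 100 (hostile); constructed scale


@dataclass
class AppPolicy:
    """Per-application requirements held centrally, not coded into the app."""
    name: str
    require_managed_device: bool = False
    require_trusted_network: bool = False
    max_risk: int = 100


def legacy_decide(ctx: AccessContext) -> bool:
    """The yes/no model: a valid CAC is the only gate, enforced app-side."""
    return ctx.cac_verified


def conditional_decide(ctx: AccessContext, policy: AppPolicy) -> tuple[bool, list[str]]:
    """Central conditional access: every failed condition is a denial reason."""
    reasons: list[str] = []
    if not (ctx.cac_verified or ctx.mfa_verified):
        reasons.append("no verified credential")
    if policy.require_managed_device and not ctx.device_managed:
        reasons.append("unmanaged device")
    if policy.require_trusted_network and not ctx.network_trusted:
        reasons.append("untrusted network")
    if ctx.risk_score > policy.max_risk:
        reasons.append(f"risk {ctx.risk_score} exceeds {policy.max_risk}")
    return (not reasons, reasons)


def demo() -> tuple[bool, bool, list[str]]:
    """Constructed case: valid CAC, but unmanaged device on an untrusted network."""
    payroll = AppPolicy("payroll", require_managed_device=True,
                        require_trusted_network=True, max_risk=30)
    ctx = AccessContext("airman.example", cac_verified=True, mfa_verified=False,
                        device_managed=False, network_trusted=False, risk_score=45)
    allowed, reasons = conditional_decide(ctx, payroll)
    return legacy_decide(ctx), allowed, reasons
```

The legacy check admits the request on the strength of the CAC alone, while the conditional engine denies it and records which attributes failed, which is the context Iske wants brought into the access decision.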

Managing identity and access across the department is complex and involves multiple partnerships with organizations that are enterprise service providers, such as the Defense Manpower Data Center and the National Security Agency. 

W. Chandler Grice, DISA's program manager for identity, credentialing, and access management, said during the event that the end goal is to have account automation, centralized and continuous authentication, data and attribute sharing, plus new platforms and multi-factor authentication as part of its shift to zero trust. 

Right now, DISA has a CAC authentication service available for DOD 365 tenants and customer applications, alongside multi-factor authentication for CAC owners as part of the "bring your own approved device" pilots. Those capabilities are housed within DISA's global federated user directory, which acts as an identity provider and serves more than 1 million authentication requests every day, Grice said.

"We've also successfully on-boarded five 365 tenants, with two more projected over the summertime. And then we've also on-boarded 20 customer applications," Grice said. "We want to make it easy, intuitive and fast for customers to on-board to our service offerings."

The multi-factor authentication pilot currently has more than 33,000 users across five customers. DISA also delivered a self-service portal for the authentication service in March, Grice said. 

In the next six months, DISA is looking to develop an initial automated system authorization, expected in May, alongside intra-application segregation of duties. Both capabilities were developed with DOD's financial management community across eight pilot applications, Grice said, but the aim is to expand the offerings to a broader user base.

DISA's push to reform identity management has been years in the making and the updates come as the agency awarded several significant contracts it needs to implement zero trust, which hinges on optimized identity solutions. 

GDIT landed one of them, a $162 million contract with DISA awarded in February, and is moving into production.

Jim Matney, GDIT's vice president and general manager who handles DISA and enterprise services, told FCW that identity management used to mean that "everybody was managing their own identities for their specific organization" and the contract effort "brings it up a level" so users can collaborate and work across organizations with a single identity.

"We're creating a master user record, which then takes inputs from other metadata -- your security clearance information and the like....and then you have the ability to automatically provision and deprovision accounts as necessary, when their need [for] access to certain resources aren't needed anymore."

Within the first six months following the contract award, GDIT will build out production of its ICAM capabilities by integrating DISA's global directory, as the identity provider, to create a single solution. 

"You have to have the infrastructure, the underlying solution in place that can enable it," Matney said. He added that organizations will be able to continue to use CACs but a shift to other multi-factor authentication protocols will also be available. "We're one step closer to being able to enable…the phase out of the CACs," he said.

"So this is a really great opportunity. It's a great step forward. Getting us one step closer to…zero trust," Matney said. 
