The Pentagon’s IT agency wants to simplify the digital tools used for identity verification and systems access on unclassified networks across the military this year, starting with the Army—which is on track to wrap up next month.
Whether it’s from a cubicle or the battlefield, defense organizations generally use different tools to log in or access certain networks, systems, or digital environments. The Defense Information Systems Agency, or DISA, wants to collapse everything into one solution.
“DISA’s role in ICAM for the Department of Defense is that we provide the enterprise identity and credentialing and access management function, which means it’s something that everybody across the Department of Defense can use,” Brian Hermann, who leads DISA’s program executive office for cyber, told reporters Friday. “In some cases, especially in tactical cases, the military components themselves need to have a solution to meet their needs.”
Identity, credentialing, and access management solutions help ensure users only have access to the data and systems they’re permitted to see. They’re also a vital part of the Pentagon’s zero trust cybersecurity efforts, which are based on the assumption that hackers are already in the networks.
“It gives us the total picture…all the way across the department, and it is also the basis for how we have to connect with our allies and coalition partners,” Hermann said. “We expect by the end of this fiscal year to have completed the federation activities with all of the military departments.”
DISA started linking the Army’s ICAM solutions with the agency’s own, a unifying process called federation, in October, with plans to ultimately do that across the Defense Department. The agency also plans to expand the solution to classified networks as necessary.
“We expect to be done with the Army by the end of next month, actually by the end of March, and then roughly about three months later, be done with the Navy, followed by the Air Force, by the end of the fiscal year,” Hermann said, noting that ICAM federation for all military departments should be done by October. After the military departments are done, DISA will work with the Defense Manpower Data Center and other DOD components, he said.
DISA is also using tools from the National Security Agency that allow data owners to tag “attributes” like location and clearance level to govern access.
“Attribute-based access control allows the owner of that data to say, ‘let’s build a policy enforcement point that says anybody with a secret clearance can access this data,’ or ‘anybody that is a U.S. citizen and a Department of Defense employee that’s on a machine that we trust’ can be allowed to have access,” Hermann said. “So then now we’re taking not just identity information, we’re also taking information about the location of and then the patching status of a device that is owned by the Department of Defense, and saying that is also required for you to be granted access.”
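The two policies Hermann describes, as an added illustration of how an attribute-based policy enforcement point combines subject, device and data-owner attributes into a default-deny decision. This is example code, not DISA's or the NSA's tooling, and the attribute names (clearance, citizenship, employer, trusted, patch_status, the resource's policy tags) are assumed for the example.

```python
"""Minimal attribute-based access control (ABAC) policy enforcement point.

Constructed example: the data owner tags a resource with the policies that
govern it; a request is granted only if a tagged policy is fully satisfied
by the subject's and device's attributes. Everything else is denied.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Rule = Callable[[Attrs, Attrs], bool]          # (subject, device) -> satisfied?

# Assumed clearance ordering: a higher level satisfies a lower requirement.
CLEARANCE_LEVEL = {"none": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def permits(self, subject: Attrs, device: Attrs) -> bool:
        # Every rule must hold; a missing attribute fails closed.
        return all(rule(subject, device) for rule in self.rules)


# Policy 1: "anybody with a secret clearance can access this data"
SECRET_CLEARANCE = Policy("secret-clearance", [
    lambda s, d: CLEARANCE_LEVEL.get(s.get("clearance", "none"), 0)
    >= CLEARANCE_LEVEL["secret"],
])

# Policy 2: "a U.S. citizen and a DoD employee on a machine that we trust",
# extended with the device location and patching status Hermann mentions.
TRUSTED_DEVICE = Policy("citizen-employee-trusted-device", [
    lambda s, d: s.get("citizenship") == "US",
    lambda s, d: s.get("employer") == "DoD",
    lambda s, d: d.get("trusted") is True,              # DoD-owned and enrolled
    lambda s, d: d.get("patch_status") == "current",    # device posture
    lambda s, d: d.get("location") in {"CONUS", "OCONUS-allowed"},
])

POLICIES = {p.name: p for p in (SECRET_CLEARANCE, TRUSTED_DEVICE)}


def decide(subject: Attrs, device: Attrs, resource: Attrs) -> Tuple[bool, str]:
    """Default deny: grant only when a policy the data owner tagged on the
    resource is satisfied. Returns (allowed, reason) for the audit log."""
    for name in resource.get("policies", ()):
        policy = POLICIES.get(name)
        if policy is not None and policy.permits(subject, device):
            return True, f"granted by policy '{name}'"
    return False, "denied: no tagged policy satisfied (default deny)"
```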
But that data tagging process is laborious and varies depending on the environment.
“It’s a tremendous challenge across the unclassified network, especially. And there are some modern tools that allow you to do that in environments like SharePoint and Office365, but it’s a little bit harder in some different data environments that exist across the department,” Hermann said.
“It’s a challenge that we’re working through in terms of providing the ability to enforce that access, and we’re running some pilots more broadly, across zero trust, to see what technologies work best for establishing those access control rules,” including the potential use of automation to sift through data and recommend access control rules.