1.5. A CHANGE IN DIRECTION
Past events and changes in the DoD operational threat environment require the DoD to take a new
approach to sharing and safeguarding information. Two high-impact, back-to-back insider threat incidents,
originating in both the DoD and the private sector, resulted in Executive Order 13587, Structural Reforms to
Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified
Information, and in supporting minimum standards addressing the identification, tracking, and detection of
insider threat activity with positive attribution of users to events. The recent OPM data breach exploited
replayable credentials such as passwords. Moreover, DoD reliance on mission partners has extended its
network presence to external partners. These changes have led to further requirements for increasing
visibility into who is on the network, and to a greater emphasis on maturing DoD ICAM capabilities to enable
simultaneous, responsible information sharing and safeguarding.
The goal state for the ICAM life cycle begins with binding a credential to a specific individual in an
auditable and consistent way. The life cycle then continues by providing a mechanism for systems to
authenticate users with those managed credentials. If system owners then develop digital policy rules and
implement standards, access control decisions can be automated using the attributes available about the
authenticated user, giving the system a decision based on system- and resource-specific policy.
Performing authentication and authorization using common standards can give USCC visibility into those
decisions, which facilitates identification of potential insider threats and of identities compromised by
malicious actors. ICAM also enables concepts like “continuous vetting,” which can use emerging
capabilities to routinely re-verify suitability by using automated systems to check for changes in a user’s
behavior after completion of the last routine background investigation.
The DoD has been discussing this ICAM goal state, including Automated Account Provisioning and
Dynamic Access. However, these discussions have not translated into adoption of core ICAM principles
and Dynamic Access beyond a handful of systems. Unlike the DoD PKI, which was an enterprise service
supported by policy and funding, DoD has attempted a bottom-up approach to authentication and
authorization, relying on system owners to make risk-based decisions about how to manage access to
resources. DoD services and agencies continue to build systems in a distributed manner and allow
individual system owners to choose implementation approaches that meet local needs but may not
support enterprise objectives.
Authorization decisions via Dynamic Access speed up access and, as user attributes change, can also
automatically revoke it. However, Dynamic Access is not suitable for every system access. Neither are the
current cumbersome authorization processes, which delay users in obtaining access and often result in a
failure to de-provision a user when access is no longer authorized. Automating the account provisioning
and de-provisioning processes would give authorized users speedy access and ensure access is removed
when it is no longer authorized.
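To make the life cycle described above concrete (a credential bound to a person, authentication with that credential, an attribute-based access decision driven by resource-specific policy rules, and an audit record with positive attribution), and to show how Dynamic Access drops access as soon as an attribute changes, the following Python example is added here. It is not DoD code and models no real DoD system: the subjects, credential identifiers, resource, clearance ordering, attribute names and policy rules are all constructed for the illustration.

```python
# Constructed example added to this page: not DoD code and not a model of any
# real DoD system. Subjects, credential IDs, resources and rules are invented.
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

CLEARANCE_RANK = {"NONE": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}  # assumed ordering
TODAY = date(2025, 6, 1)        # fixed "current date" so the example is repeatable
YESTERDAY = date(2025, 5, 31)

@dataclass(frozen=True)
class Subject:
    """One person and the attributes bound to their credential at enrolment."""
    subject_id: str          # person identifier (constructed value)
    credential_id: str       # credential bound to this person
    clearance: str
    org: str
    affiliation_end: date    # last day the sponsoring affiliation is valid
    training_current: bool

@dataclass(frozen=True)
class Resource:
    """Resource-specific digital policy, expressed as required attributes."""
    resource_id: str
    min_clearance: str
    allowed_orgs: frozenset
    requires_training: bool

@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str

# Each rule returns None when satisfied, otherwise a short denial reason.
def affiliation_active(s: Subject, r: Resource, today: date) -> Optional[str]:
    return None if today <= s.affiliation_end else "affiliation ended"

def clearance_sufficient(s: Subject, r: Resource, today: date) -> Optional[str]:
    ok = CLEARANCE_RANK[s.clearance] >= CLEARANCE_RANK[r.min_clearance]
    return None if ok else "insufficient clearance"

def org_allowed(s: Subject, r: Resource, today: date) -> Optional[str]:
    return None if s.org in r.allowed_orgs else "organization not authorized"

def training_satisfied(s: Subject, r: Resource, today: date) -> Optional[str]:
    return None if not r.requires_training or s.training_current else "required training lapsed"

RULES = [affiliation_active, clearance_sufficient, org_allowed, training_satisfied]

class PolicyDecisionPoint:
    """Authenticates a credential, evaluates every rule against the subject's
    current attributes, and writes an audit entry attributed to the person."""

    def __init__(self, subjects, resources):
        self.by_credential = {s.credential_id: s for s in subjects}
        self.resources = {r.resource_id: r for r in resources}
        self.audit = []

    def set_affiliation_end(self, credential_id: str, last_day: date) -> None:
        """Attribute update from the authoritative personnel source. No account is
        touched; the next decision simply evaluates the new value (Dynamic Access)."""
        s = self.by_credential[credential_id]
        self.by_credential[credential_id] = replace(s, affiliation_end=last_day)

    def decide(self, credential_id: str, resource_id: str, today: date) -> Decision:
        resource = self.resources[resource_id]
        subject = self.by_credential.get(credential_id)   # authentication step
        if subject is None:
            decision = Decision(False, "unknown credential")
        else:
            failures = [why for rule in RULES if (why := rule(subject, resource, today))]
            decision = Decision(not failures, "; ".join(failures) or "all rules satisfied")
        # Positive attribution: the record names the credential, the person it is
        # bound to, the resource and the reason, which is what insider-threat review needs.
        self.audit.append({"date": today.isoformat(), "credential_id": credential_id,
                           "subject_id": subject.subject_id if subject else None,
                           "resource_id": resource_id, "permit": decision.permit,
                           "reason": decision.reason})
        return decision

ALICE = Subject("S-0001", "cred-1001", "SECRET", "ARMY", date(2025, 12, 31), True)
BOB = Subject("S-0002", "cred-1002", "CONFIDENTIAL", "NAVY", date(2025, 12, 31), True)
MISSION_DB = Resource("mission-db", "SECRET", frozenset({"ARMY", "NAVY"}), True)

def build_demo_pdp() -> PolicyDecisionPoint:
    return PolicyDecisionPoint([ALICE, BOB], [MISSION_DB])

if __name__ == "__main__":
    pdp = build_demo_pdp()
    print(pdp.decide("cred-1001", "mission-db", TODAY))   # permit
    print(pdp.decide("cred-1002", "mission-db", TODAY))   # deny: insufficient clearance
    print(pdp.decide("cred-9999", "mission-db", TODAY))   # deny: unknown credential
    pdp.set_affiliation_end("cred-1001", YESTERDAY)       # attribute changes upstream
    print(pdp.decide("cred-1001", "mission-db", TODAY))   # deny: affiliation ended
    for entry in pdp.audit:
        print(entry)
```

The point of the last two calls is the one the paragraph makes: nobody de-provisions an account when the affiliation ends, yet the very next request is denied, because the decision is recomputed from current attributes rather than from a standing entitlement. The audit list is what a USCC-style review would consume; every entry carries both the credential and the person it was bound to, so a decision can be attributed to an individual rather than only to a credential.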
Achieving the ICAM goal state, so that ICAM becomes an enabler of the three lines of effort in the 2018
National Defense Strategy, will require a more centralized approach to developing, acquiring, implementing,
and sustaining enterprise ICAM shared services that enhance strategic and tactical missions. Stronger
mandates are also required to drive their adoption in DoD systems. As it implements changes to ICAM, DoD
must also integrate recognized and adopted commercial standards, architectures, and related compliant
products. Developing DoD-specific requirements would require long-term effort and significantly raise the
cost of implementing ICAM within DoD; using industry standards instead will minimize modernization costs
and facilitate interoperability. As DoD chooses technologies and standards, it must work with its partners
in other Federal agencies, the Defense Industrial Base, and foreign governments to maximize
interoperability with the ICAM technologies those entities are adopting.