The Senate Armed Services Committee wants the Pentagon to establish identity, credential and access management (ICAM) — a key part of zero-trust cybersecurity initiatives — as an official program of record within the department.
A provision in the committee’s version of the fiscal 2024 National Defense Authorization Act would require the Defense Department to transition its existing ICAM initiative into a program of record “subject to milestone reviews, compliance with requirements, and operational testing” within 120 days after Congress passes the defense spending bill, according to the legislation, which was approved by SASC in June and released Tuesday.
ICAM generally comprises a set of information technology policies and systems that verifies users have the right credentials to access certain parts of a network. As such, it is a critical part of the department’s journey to embracing zero-trust cybersecurity, which requires all users and data to be continuously authenticated and authorized as they move around the network.
An enterprisewide ICAM solution could also be beneficial to the department’s user experience as DOD personnel look to log in to digital systems from across the globe in a quick and easy fashion.
The Defense Information Systems Agency (DISA) tapped General Dynamics Information Technology to deliver an ICAM capability throughout the department, although SASC lawmakers noted in a report released alongside their NDAA bill that there are current limitations in the technology’s scalability and interoperability.
“An enterprise-wide ICAM capability is a critical and pressing need for the Department of Defense (DOD) not only for cybersecurity, but also for managing complex multi-domain military operations involving information and systems classified at multiple levels,” the report said.
Senators are requiring the Pentagon to fix deficiencies in ICAM’s authentication and credentialing security capabilities that were outlined in a report submitted to Congress in April, the bill text states. That includes the department’s Public Key Infrastructure program, which facilitates secure data exchanges between users on potentially unsafe networks.
The department must also implement “improved authentication technologies, such as biometric and behavioral authentication techniques and other non-password-based solutions,” according to the provision.
Per the legislation’s accompanying report, the Pentagon will be required to replace the current enterprise ICAM’s core identity provider component with a cloud-based capability that better enables the technology to scale and integrate throughout the department.
“The committee further notes that the military services are left with the responsibility for fielding ICAM solutions for operational forces out to the tactical edge that must work seamlessly with the enterprise ICAM solution,” the report read. “Similarly, the enterprise and tactical edge ICAM systems must seamlessly operate across multiple classification levels and networks, including at the special access program level, and with multiple enterprise cloud solutions under the Joint Warfighting Cloud Capability program.”
Committee members are asking the Secretary of Defense for a brief on the enterprise-wide ICAM program of record no later than 150 days after the legislation is passed.
A reconciled version of the NDAA must be passed by the Senate and House and signed by the president before becoming law.