DISA aims to connect DOD services to federated ICAM solution by end of 2025

DISA will start with the Army and then continue to federate the remaining services before the end of fiscal 2025.
A student at the U.S. Army John F. Kennedy Special Warfare Center and School in the Technical Exploitation Course processes a laptop computer during training at Fort Bragg, North Carolina, October 22, 2019. (U.S. Army photo illustration by K. Kassens)

The Defense Information Systems Agency intends to consolidate identity, credential and access management (ICAM) instances used by the military services on unclassified networks into a single federated solution before the end of the year, according to an agency official.

Brian Hermann, director and program executive officer for DISA’s PEO Cyber, told a small group of reporters Friday that the agency expects to complete all ICAM federation activities with the services by the end of fiscal 2025.

The plan is to build off ongoing work with the Army and federate its ICAM solutions in March. DISA will then work with the Navy and Marine Corps to federate their instances by the end of June, and finally complete federation with the Air and Space Forces before the end of September, Hermann said.

ICAM generally comprises a set of IT policies, systems and security tools that verifies users have the right credentials to access certain parts of a network — in this case the Pentagon’s. While various Defense Department components have worked to develop their own ICAM capabilities, the larger department has sought to create and implement an enterprise solution to streamline information sharing across the Department of Defense Information Network, as well as with international allies and partners. 

“ICAM is how we work across the department, as well as how we work with our mission partners,” Hermann said. “Enabling our work with allied and coalition partners means we have to have some connectivity and understanding of who we’re working with in that coalition, make sure that we have an understanding of their access rights and grant them access to DOD resources — as well as grant DOD users access to things that we have to share with those mission partners.”

Overall, ICAM is a key part of the Defense Department’s journey to operating under a zero-trust cybersecurity framework, which requires all users and devices connected to a network to be continually authorized as they move through it. Hermann emphasized that DISA’s federation activity is crucial in the department’s goal of achieving “target levels” of zero trust by the end of fiscal 2027.

“We’re leading that effort for the department,” he said. “Any other ICAM implementations that may exist are going to depend on us getting this federation activity done.”

At the end of 2024, DISA stood up a federation hub to begin work consolidating the Pentagon’s existing ICAM instances, beginning with the Army’s, Hermann noted. The hub gives DISA a “total picture” of all the information users can access and ensures the agency can deconflict roles they might have in other systems across the department, he said.

Once the federation is complete with the military services, Hermann said DISA plans to connect with the Defense Manpower Data Centers — a repository of information on the Pentagon’s personnel and manpower. The agency plans to pick up ICAM federation efforts on classified networks in the future as well, he added.

While Hermann couldn’t provide an exact number of applications that will need to be federated across the Pentagon, he said it is more than first expected. He noted that federation work has also given different components insights on what systems they can modernize and others that have to be replaced in the future.

“This helps the exercise of determining whether something needs to get modernized and moved to ICAM, or it needs to potentially go away and cease to exist,” Hermann said. “I think there’s a lot of application rationalization that goes on across the department in this process, and that’s probably a good house-cleaning exercise.”

As it goes through the federation process, DISA is working with Pentagon components to determine whether an enterprise ICAM solution will meet their specific needs and avoid having too many instances across the department, Hermann said.

“We really want to prove that there’s no way that [something] could be supported by an existing ICAM before we create new ones because it’s not cheap to do this. There ought to be a real strong impetus for why we would have more of these,” he said. “I strongly believe in enterprise, and I want to try and make it work as much as possible. When we do that, then we have less requirements for federation because more users are being served by the enterprise solution.”

Still, Hermann emphasized the importance of finding the right balance of ICAM solutions available, as having too few available would create bottlenecks for the Defense Department. To that end, allowing the military services to have their own ICAM solutions is helping DISA move faster with adoption, he said.

“My sincere hope is that at some point in the future, we can consolidate somewhat, but getting everybody to ICAM implementation and adoption quickly is served well by having some separate instances of ICAM,” Hermann said. “That, right now, is the longest pole in the tent of adopting ICAM — making sure that the application owners are able to work with their ICAM providers and get their applications connected.”
