

As cyber threats against federal systems continue to grow, the Department of Defense’s enterprise Identity Credential and Access Management initiative is emerging as a model for how federal agencies are moving from traditional security models to modern authentication frameworks to meet the current threats.
The need for change from the traditional model stems from audits that exposed critical vulnerabilities in federal systems. Non-financial requirement audits identified five essential security components that ICAM systems would be able to address: secure authentication, access control, recertification, automated account provisioning, and separation of duties.
John Baase, program manager for Defense Department Enterprise Identity Credential and Access Management at the DISA PEO Cyber Office, explained the importance of modernizing authentication and anti-phishing security.
“Are we using a secure, non-phishing authentication method to validate that John is really John? The digital version of John that is coming in the system is backed by the human carbon fiber sitting behind it,” Baase said on Federal Insights: Federal Identity Management. “Could automation in the future be able to look it up in split seconds and say, yep, John is supposed to have access to that system?”
Along with authentication, modern ICAM systems maintain authoritative user records, conduct regular recertification of access privileges, implement automated account provisioning through APIs, and enforce separation of duties to prevent conflicts in financial functions.
Real-time Threat Detection
Modern authentication protocols represent a huge leap in cyber defense capabilities. These systems follow National Institute of Standards and Technology guidance and use REST API integration to provide automated security controls that can identify threats in real time. The technology enables “automation in the future to be able to look [credentials] up in split seconds and say, yep, John is supposed to have access to that system. That’s it. That’s a legitimate action. But why is John’s account accessing this other thing it’s not supposed to be having access to?” Baase said.
The shift from manual processes to system-driven security enforcement allows federal agencies to detect and respond to anomalous behavior before it can cause damage, reacting to every issue from credential theft to insider threats.
One of the most important advances is the creation of the DoD ICAM Federation Hub, which allows identity systems across military branches to be federated. The Army has already been federated into the system, while the Navy and Air Force are currently in process. This initiative eliminates the multiple-badges scenario that causes delays and connection issues for warfighters moving between different systems at different locations. The federation approach provides cross-system security enforcement.
“The ICAMs pull that in and say, ‘OK, we’ve got the record to make sure Fred doesn’t get this right anywhere else across the department that would create that conflict,’” Baase said. “DISA built and runs the DoD’s ICAM Federation Hub, so I wear two hats: running the Federation Hub and being the ICAM provider,” Baase told Federal News Network Executive Editor Jason Miller.
Future of Federated Partnerships
This capability extends beyond DoD to support coalition partnerships with allies and potential integration with other federal agencies. Moving forward, this federation will support foreign coalition mission partners as well. Partners will be able to connect, but the data that is being shared won’t be classified or sensitive. The credentials will match each individual and therefore won’t have to be physically separated or separated by network.
The federated model approach changes the way government operates in an interconnected world. This seamless authentication enables joint operations while maintaining security controls. It’s a huge step forward for federal agencies’ efforts to counter evolving cyber threats without sacrificing collaborative capabilities necessary for the mission.
“We are working in the process of the department, Navy, Air Force, and so on down the line. Next fiscal year will be the Defense Health Agency and Defense Logistics Agency. At some point in time, Southern Command, each individual ICAM,” Baase said. “We all have to build what’s called the DoD reference design. So there’s no construct where the Army can completely go off in its own little thing and do something completely different from what the rest of us are doing. We can choose different material solutions, but we’re all standards based.”
© 2025 Federal News Network.