Sponsored by Okta

Army expands ICAM capabilities to the tactical edge

“What success looks like for me is truly bringing [ICAM] into the tactical environment,” Jack Wilson said.

08/28/25 — Federal Monthly Insights — Strengthening DoD's Digital Foundation

As the Army continues to expand identity, credential and access management (ICAM) capabilities across the force, it is preparing to deploy modernized automated account provisioning (AAP) and privileged access management (PAM) later this year. The service has already fielded PAM capabilities for some systems, but officials said onboarding additional systems is an ongoing process.

“We need to make sure we can automate account provisioning … make sure there are no orphaned accounts, and enforce segregation of duties across the financial systems. There’s been a [secretary of Defense] guidance out about making sure that we have successful audits. So that’s what we really want to focus on to help these systems,” Andre Townes, interim deputy product lead for Enterprise-Identity, Credential and Access Management (E-ICAM), told Federal News Network on Federal Monthly Insights — Strengthening DoD’s digital foundation. 

As the Defense Department works toward a clean audit opinion by 2028, ICAM will play a crucial role in modernizing the department’s financial management systems. Multiple inspector general reports have pointed to weaknesses in areas like segregation of duties and access controls during yearly audits.

The 2024 DoD IG report on understanding the results of the fiscal 2024 audit found that the Defense Department lacked “sufficient access controls over financial management systems to ensure proper user access and timely access removal.” It also found that the DoD did not have proper segregation of duties for internal controls over its financial management systems.

“This lack of controls could result in unauthorized access to financial data and affect the confidentiality and integrity of financial management systems,” the report reads. 

A November 2024 DoD CIO memo mandated that all financial systems must support internal controls over financial reporting and onboard an identity provider by the end of fiscal 2025. In addition, automated account provisioning must be enabled by the end of 2026. 

The Army was also the first service to integrate with the Defense Department’s federation hub earlier this year — the Defense Information Systems Agency was tapped to lead the effort. The next step for the Army is extending those capabilities down to tactical units and giving commanders the flexibility to establish federation at their local levels.

“It’s more so about what level of risk the commander on the ground is willing to federate with their mission partners. We’re actively looking at what we’re doing with the DoD and when we push these ICAM services down to the lowest echelons, when we were talking about making sure each component is modular and can be deployed at the point of need, the commanders on the ground will have the flexibility to establish federation at their own local levels, because they’ll have the same capability and it’ll be done within the guise of their requirements and what level of risk they’re willing to accept so we all will have the enterprise ICAM capability to be deployed so it will be available at the tactical levels,” Townes said. 

Currently, the Army’s enterprise ICAM supports about 1,600 applications on the NIPRNet and more than 300 on the classified side. DISA has not yet set up a federation pilot on the SIPRNet. 

“DISA is currently not set up. They don’t have a federation pilot on the SIPRNet yet, so that will be dependent on DISA establishing the pilot on the SIPRNet. We are already up and running and ready to integrate on SIPRNet when that pilot becomes available,” Townes said. 

ICAM at the tactical edge

Jack Wilson, program manager for Interoperability, Integration and Services (I2S), said tactical ICAM is now in phase two demonstrations with an operational unit, where the technology is being tested during live field exercises.

“I’d rather not state which operational unit that we’re with but to actually demonstrate these capabilities in the field during exercises. It’s not just hypotheses. We are truly in the phase two demonstration for tactical ICAM, which does include the DDIL environment,” Wilson said.

“We have contractors that are on an OT that are working this. It was a competitive selection of phase one, and now it’s been down selected to a couple of vendors that are demonstrating this out of phase two. So it’s government and contractor working together, side by side with the warfighter in their environment to receive real time feedback in order to provide the right capability,” he added.

The tactical community poses unique challenges, since the connection can be jammed, disconnected or limited. Townes said the service needs to establish software-based, programmable solutions that units can take with them and that do not put stress on available bandwidth, compute or storage.

“What success looks like for me is truly bringing [ICAM] into the tactical environment. It’s critical to the warfighters that are out in the field utilizing a tactical network. We’re working towards a unified network, but going from the days of one of their systems, the username and password being taped to a screen to truly having an ICAM solution is a game changer, and that’s truly what our end state is, to be able to say what soldier is using what system at what time and for the right reason,” Wilson said.

“Because the status quo was before, Private Smith could walk into and essentially log into a system with a username and password. Now, with the ICAM solution, we will know who that soldier is, why they’re there, and why they’re logging onto that system, and how long and how often they’re logging onto that system,” he added.

Assessing myAuth

Meanwhile, the Defense Department launched a new identity credentialing system, myAuth, which is set to replace DS Logon — the department expects to transition more than 20 million users by the end of fiscal 2026.

Townes said they are currently evaluating myAuth specifically for retirees and beneficiaries.

“The jury’s still out on our evaluation. However, we need to make sure that we look at it, because the moment we hand off myAuth, our authentication to mission owners, we may lose visibility of those actual identities. Right now, within the Army E-ICAM program, we can manage access for all authorized DoD users, and we have a kill switch, because we are managing everything together. When you look at leveraging an external service provider, we’d have to look at what second-, third-level effects would have from someone else managing that user. It’s more of making sure that we can still adhere to zero trust principles using a third-party SSO. The analysis is still underway,” Townes said.

Leveraging AI and machine learning

Townes said they are currently exploring the use of artificial intelligence to identify threats from anomalous user access behavior. The goal is to flag potentially anomalous activity based on patterns of user behavior.

“Just because somebody’s logging in late at night, it doesn’t mean that they’re the insider threat or something, because people now work all different times of the day and all different times of the night. But what are they accessing? Where are they accessing it from? And trying to use AI to pick up on those different patterns based off of their user behavior,” Townes said.

“We’re actively looking at anything that artificial intelligence, machine learning, or even [robotic process automation] can provide, from an ICAM perspective, how we can assist us with whether it’s further deploying this capability from the enterprise to the lowest echelon and using the capability to further understand user behavior patterns. So as new technologies come out, we want to make sure that we are agile and that we can look to integrate this capability where needed and at the point of need,” Wilson added.
