Although the Defense Department has long sought the ability to give its information technology users a single method for signing onto its computer systems, department IT leaders say they now are taking a more coordinated and more centralized approach to the problem.
A new identity and access management task force, led jointly by the DoD chief information officer and the Defense Information Systems Agency (DISA), is bringing together the department’s various identity and access control capabilities, and approaching the topic as a DoDwide enterprise capability, said Jack Wilmer, the technical director in DISA’s program executive office for Global Information Grid Enterprise Services.
“This task force is trying to focus on what are the things that we have in the near term, that are ready, that we can put out there, sign out as DoD policy, and provide capabilities to help people implement them,” Wilmer said.
He said while implementing Common Access Cards, DoD’s version of HSPD-12 smart cards, was a success story, the next challenge was to use single digital identity cards created for each user and leverage it into access management across DoD’s IT systems.
“We’ve done a lot of work on your digital identity. We haven’t done as much on access control,” Wilmer said at an AFCEA breakfast event Thursday. “We find in a lot of cases, systems decide that since you have a CAC card you should be able to have access to everything. That may or may not be true.”
Similarly, the department’s secret-level network, SIPRnet, includes many IT systems that assume anyone with access to the network should therefore have access to the system, Wilmer said. DoD soon will reach initial operating capability for a new system of smart cards for authentication on SIPRnet, which now relies on usernames and passwords.
One possible way forward is a new identity synchronization system that DISA created to support the Army’s move to DISA’s cloud-based enterprise email service. The system consolidates disparate digital identities into a single new one based on an individual’s authoritative record at the Defense Manpower Data Center (DMDC). Each Defense employee now has such an identity, but Wilmer said they are only active for Army users, whose enterprise email accounts rely on them.
“As soon as you join DoD, you get a CAC card and you get a record (at DMDC),” he said. “That information will be automatically provisioned into our system, and that whole process is something we want to stand up as an enterprise service so that no matter what enterprise service you’re using, as soon as you join DoD you’ll automatically have an account for that.”
Wilmer said another goal is to automate the process of granting access to the systems each user needs to do his or her job.
“Right now, when you want to get access to a new system, you fill out a form, you put down your need to know, the person looks at that need to know and says ‘yeah, that seems reasonable, I’ll grant you access,'” he said in an interview after the event. “We’re trying to get this much more well defined so that instead of it being a judgment call by the system owner, we can trace back to some kind of policy, regulation or law that governs who should be able to access the system and translate that into a machine executable format.”
Wilmer said that while many DoD websites now let users log-in using the secure public key infrastructure (PKI) credentials on their CAC cards, they were trying to make sure not to develop an IT structure that relies exclusively on PKI and requires it across the network. Doing so, he said, would hamper information sharing with members of the intelligence community and others who need access to DoD’s systems but do not have CAC cards.
“So one of the things we’re looking at is actually allowing you to log in however you can log in,” he said. “If it means supporting username and password, great, but then we would tailor the access to the information based on how strongly authenticated you were. That is a big shift, and right now the DoD policies do not support that. But we can either wait five or 10 years and maybe the rest of the government and our coalition partners will get on board, or we can tailor access to information.”
(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)