Insight by ForgeRock

Next generation of identity management coming into clearer focus for DoD

Identity credentialing and access management and the Defense Department have gone hand-in-hand for much of the last 20 years.

The Pentagon was the first to roll out identity smart cards and the first to move to derived credentials on a smartphone.

This is why the Defense Manpower Data Center’s plan to issue a call for the next generation of ICAM technologies should be viewed with great interest by the federal community.

DMDC issued a request for information in 2018 for remote identity proofing, and Mike Sorrento, the director of the agency, said another RFI could be on tap for 2021 as the changes in identity management technologies are happening fast and furious.

“As we learn more about what industry capabilities are out there, I think we probably would be interested in even putting another RFI out to see what else is coming online because the dynamics in this space continue to mature almost at warp speed,” Sorrento said on Ask the CIO sponsored by ForgeRock. “We think we’re in good shape for the next year. But we are still looking for even better and better ideas from the technology standpoint, from the capabilities for the identity-as-a-service.”

Sorrento said DMDC wants to work toward creating a digital identity for all 8 million of its customers—servicemembers, their families, contractors and civilian employees.

“We want to have a continuous identity-as-a-service connected to those pieces so we can continue to extend the benefit platforms to our customers who are demanding in a way so they can pull out their iPhone or Android and they can Google Pay or Apple Pay,” he said. “They will be able to show their credentials and can get services. We need to be that agile in the Department of Defense, but with strong authentication modes and strong ability to continue to proof people for their identity-as-a-service.”

This longer-term desire for a new, continuous approach to ICAM means Sorrento also has to get back-end infrastructure set up to handle the new technologies.

He said this is why DMDC is intertwined with DoD’s new ICAM strategy. The Pentagon released the document in March outlining seven strategic goals. DMDC had a role in six of the objectives under the strategic goals, including defining “syntax and semantics for exchanging attributes, both within the DoD, and with mission partners,” and deploying “ICAM capabilities to support cloud services.”

Sorrento said the ICAM strategy is part of how DMDC, and DoD more broadly, are looking to the future of identity authentication and verification.

“Other federal agencies, other mission partners have achieved other capabilities and industry has created some opportunities that open the door to move toward the newer model, a dynamic model of identity credentialing and access management (ICAM), which will really be based on real time data management and real time access for those authorization decisions to be truly based on a risk profile that is continuously authenticating individuals on a real time basis,” he said. “Where we’re moving to is a stronger model of that authentication as opposed to just like challenge questions. We’re sort of in this continual assessment, using multiple data sources that are publicly available, or, in some cases, you pay for them to be able to assure the identity of individuals coming in, improving the security and increasing the multi-factor authentication, in this case, a two-factor authentication approach that is currently in play now with Defense Self Service (DS) login, which is really a great improvement over the previous single-authentication factor. Then the ability to maintain that credential through a constant or continuous evaluation-like process.”

Among DMDC’s first steps is to build a mission partner registry, which will allow DoD to share and accept credentials from other key mission areas across the federal government, partners, allies and other important mission partners.

Sorrento said DMDC also is building something that’s called the back-end attribute exchange that will support a lot of the interoperability components.

“As we modernize, we really want to leverage existing services that industry and others have that we can promote as a department standard,” he said.

To ensure these new capabilities work well, Sorrento said DMDC is moving to modern infrastructures and modern platforms.

“Part of it is breaking them into micro-services and breaking some of these transactions and capabilities into consumable bites, using mobility platforms, and being able to allow individuals or their proxies, in some cases, get access to make meaningful updates or changes, or just to access information. It’s pretty critical and sometimes it’s access to physical locations too because that’s a key component as we’ve implemented the new credential for the CAC,” he said. “So that part of the answer to this is we’re making improvements on the services side of it. But we’re also breaking down the back-end operations to be able to more efficiently process billions of transactions a year.”

To that end, DMDC is trying to share data more easily and securely.

Sorrento said DMDC is working with the Veterans Affairs Department’s chief data officer on an initiative to create a joint DoD/VA data and analytic strategy.

“We’re tying together all the personnel and readiness equities, so we can unify those environments and the data sharing within PNR, but also with the VA,” he said. “We’ve published an architecture guide that really has a big section on data management and data initiatives. Because we really need to improve our data, right from the source and how we, at the back end operation, manage data, and be able to create real time access.”

DMDC's Data Efforts

What I am driving is the ability to share data more seamlessly, number one, but also a lot of this is sensitive and personally identifiable information (PII). So we've got some privacy issues to deal with, and we're working very hard on that. We are working across the health space, working across the readiness space, education and training, and being able to drive toward common solutions, that the Undersecretary for personnel and readiness is really looking for maximizing investments. But, most importantly, moving at the speed of relevance that we need to be able to bring the data mesh that we'd like to introduce as our concept that there's different cylinders of excellence that are happening in different mission spaces, but the real power is sort of a force multiplier, where you can bring those datasets together to do advanced analytics and machine learning.

Sorrento said the VA and DoD joint executive committee wanted to find a cohesive and unified way to share data.

“One of the focus areas that we think is going to be extremely invaluable from a visualization standpoint is creating service member to veteran journey maps, so that we document those moments that matter. As we build them out, any event that occurs through a servicemember’s career, when they go through education, training or other health issues, we want to have a very mature way of managing these events. These are the moments that matter and that ultimately lead to analytics and other opportunities,” he said. “We’ve got this continuum of opportunity to have data managed in a way and provided in such a way that can be used for providing better benefits, as well as providing a robust set of research opportunities. And getting after what we think is perhaps some of our more troubling issues such as suicide prevention and traumatic brain injury and other types of issues that are costing the department and the country a tremendous amount of money, whereas if we can get more predictive, and have predictive models that help us lead toward better outcomes.”

Sorrento said getting control of the data and modernizing the infrastructure opens the door for machine learning and advanced analytics to create more value for war fighters and decision makers.

Industry Analysis

There's traditionally been this thought process that quality digital experience and secure digital experience were mutually exclusive. You either had to be easy to use or secure. The two things didn't go together. And we argue that that's no longer the case. You're no longer defying the laws of physics by providing a good user experience that is also secure.

Featured speakers

  • Mike Sorrento

    Director, Defense Manpower Data Center, Department of Defense

  • Ben Goodman

    Senior Vice President, Global Business and Corporate Development, ForgeRock

  • Jason Miller

    Executive Editor, Federal News Network
