ICAM for Defense Digital Learning Systems
How many different usernames and passwords do you keep track of?
Data-driven services like banking, social media, mobile apps, and online subscriptions have become ubiquitous in our everyday lives. Since the dawn of computing, our usernames have been our “identities,” and passwords our method for authentication. But in the last two decades, the internet’s phenomenal growth has changed the way organizations think about usernames and passwords. Interoperable systems have begun using single sign-on to consolidate user access, and new tools are taking this capability further.
Identity, Credentialing, and Access Management (ICAM) comprises a set of processes that help organizations authenticate, authorize, and federate users on their networks. Through ICAM, organizations can ensure the right person is accessing the right information at the right time for the right reasons. Specifically, identity management allows an organization to establish, maintain, and terminate identities. Credential management allows an organization to issue, track, update, and revoke credentials for identities. And access management involves authorizing access to documents or applications within an organization, so that only approved individuals can read or interact with those files or systems.
The ICAM life cycle begins by binding a credential to a specific individual in an auditable and consistent way. This centralizes identity and credential management, including attribute management and credential issuance/revocation. In practice, this means someone is able to access and produce data from any (permitted) source across the entire system, and any data produced by a person becomes auditable enterprise wide.
ICAM across the DoD Enterprise
While many different ICAM capabilities already exist, they’re often implemented by developers or system owners to meet local objectives without alignment to, or consideration of the needs of, the larger enterprise. Hence, the DoD Digital Modernization Strategy (Goal 3 Objective 2) emphasizes the need for DoD-wide ICAM, stating that it will “create a secure and trusted environment where any user can access all authorized resources (including [services, information systems], and data) to have a successful mission, while also letting DoD know who is on the network at any given time.”
There are significant advantages to providing ICAM services at the enterprise level, including consistency in how those services are implemented, improved security, cost savings, and convenience. Common ICAM standards for authentication and authorization also offer an added benefit: they allow US Cyber Command to monitor individuals’ system access patterns, helping to uncover potential insider threats or identities compromised by malicious actors.
Wait! Don’t we already do this?
ICAM isn’t a new concept, and these capabilities are already pervasive throughout DoD. In 1998, the Department recognized that people needed a standardized mechanism to access a rapidly expanding digital landscape. In response, the DoD CIO established the Public Key Infrastructure (PKI) program. Twenty years later, that program has become one of the largest organizational identity credentialing services in the world, supporting approximately 4.5 million DoD users and multitudes of devices.
Identity information for the DoD community is managed through the Defense Manpower Data Center (DMDC). It operates the Defense Enrollment Eligibility Reporting System (DEERS), which includes the Person Data Repository (PDR). PDR is the primary identity attribute repository for PKI certificates for all DoD persons, including military, civilian, and contractors.
DoD’s Common Access Card (CAC) combines PKI with a physical ID card, and CACs have become the cornerstone of trust for identifying and authorizing access to DoD personnel. Through its PDR program, DMDC issues PKI credentials to individuals via their CACs for NIPRNet. For SIPRNet, DoD access credentials are issued by the National Security System PKI. Other organizations may issue additional access credentials for use in specialized environments, such as mobile computing and other nontraditional systems.
Pursuant to Homeland Security Presidential Directive 12 (HSPD-12), DoD has recently transitioned from using CACs with DoD-specific credentials to using CACs with Personal Identity Verification (PIV) credentials. This maintains DoD’s legacy authentication mechanisms while also allowing the Department to use products designed to read the more modern, HSPD-12 compliant PKI credentials.
Although DoD has determined that CACs (with their new PIV digital credentials) should be the primary authentication technology, not all DoD users have or can easily obtain those certificates, and not all software applications can use them for access credentials. To address this gap, the DoD CIO has established a series of ICAM-related strategic objectives, defined in the DoD ICAM Strategy 2020 and the DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design published earlier this year.
Zero Trust Architecture
ICAM is also a foundational element of DoD’s migration to a Zero Trust Architecture. Like ICAM, the concept of Zero Trust has been a cybersecurity best practice for years. Zero Trust is a digital strategy that limits access to resources, such as data or software applications, to explicitly authorized personnel. It also involves the continual reauthentication and reauthorization of the identity and security posture for each access request.
In August 2020, the National Institute of Standards and Technology (NIST) published the final draft of its Zero Trust Architecture Special Publication. The Defense Information Systems Agency (DISA) has been working with NIST, the National Security Agency, and DoD CIO to finalize an initial reference architecture for implementing Zero Trust across the DoD.
How does this impact education and training?
From a digital learning perspective, ICAM enhances DoD’s ability to track, manage, and optimize lifelong learning. ICAM, coupled with the Total Learning Architecture (TLA) standards, enables DoD to link an individual’s unique identity to education and training records created and stored across various DoD schools and training sites. So, all of the learner records associated with someone can be tied to their DoD identity throughout their career. This, in turn, can be used to improve the quality and efficiency of how the DoD trains and educates its workforce. Enterprise ICAM policies will also help learners by giving them seamless access the diverse systems (single sign-on) as well as ensuring that authorized users (and only authorized users) can access relevant learning experiences.
To date, the intersection between the TLA and ICAM has mainly involved using the DoD Identification Number as the “learner ID.” Formerly, the DoD ID Number was synonymous with the Electronic Interchange Personal Identifier (EDIPI), a unique 10-digit number assigned to each person registered in DEERS. Now, with the shift to PIV credentials, the DoD ID Number has become a 16-digit number that better supports joint interoperability across the government. This number is permanently assigned and doesn’t change regardless of status (e.g., government civilian, active duty military, dependents, reservists, retirees, and contractors).
The DoD ID Number was historically used by DoD information systems to facilitate machine-to-machine communications and to authenticate digital signatures. However, the DoD ID Number doesn’t constitute any level of authority to act on that individual’s behalf. In other words, as detailed in DoD Instruction 1000.30 (“Reduction of Social Security Number Use Within DoD”), exposure of the DoD ID Number shall not be considered a breach when used as a part of a DoD business function.
Within the TLA, the DoD ID Number is used to define the “actor” in a learning activity. The “actor” is a field within the xAPI standard as well as a necessary component in other TLA subsystems, such as the Enterprise Learner Record Repository. By populating the “actor” field with the DoD ID Number, learners’ performance can be safely and securely stored locally, for instance, in local learner record stores, readily combined with data stored in other systems, and, eventually, rolled into an enterprise-level record that includes an individual’s complete list of competencies, credentials, and learning history.
Unfortunately, while the DoD ID Number works well to manage lifelong learning for personnel internal to DoD, it doesn’t fully support learners or learning activities outside of the Department. This affects mission partners and personnel from other government agencies. There are also challenges exchanging credentials with learning technologies outside of DoD control, such as certificates from public universities. So, even though DoD ICAM processes are maturing, more is needed to meet the full spirit of enterprise ICAM.
Another step forward in that pursuit is the CIO Council’s Federal ICAM (FICAM) initiative. Developed more than a decade ago, FICAM has recently gained new traction when the Office of Management and Budget released M-19-17 (“Identity, Credentialing, and Access Management”). That memo revised outdated FICAM policies dating back to 2004, and it spurred development of the government’s FICAM Architecture.
What’s next for ICAM and DoD digital learning systems?
The ADL Initiative is working to update DoD Instruction 1322.26 (via its fungible references) to ensure key characteristics of (F)ICAM and Zero Trust are incorporated. Initially, learning technologies acquired by DoD organizations will need to use the DoD ID Number as a learner’s identifier. In the future, guidance may address ICAM interoperability with organizations outside of DoD, migration from legacy DoD EDIPI numbers to the new PIV credentials, and authentication processes for approved third-party systems. Continue to monitor this website, as well as DoDI 1322.26, for the latest instructions on (F)ICAM, Zero Trust, and DoD digital learning technologies.