The Defense Department wants to stand up a system for managing the digital identities of every one of its personnel, and it’s looking to the security community for help.
On Friday, officials at the Defense Information Systems Agency announced it was looking to create a system that would let the Pentagon oversee the digital credentials and online activity of the people who use its IT infrastructure. The tech, called the Enterprise Identity Service, would store the usernames and passwords for employees, vendors and other authorized users in a single record, which they could then use to access the networks and platforms they need for their jobs.
The system would also allow the Pentagon “to centrally monitor, manage, secure, and audit identity, access and authorization seamlessly across [components] and their dynamic and disjointed computing environments,” DISA officials wrote in a call for white papers. Though individual components are exploring their own strategies for managing digital identity, the department’s disparate IT ecosystem prevents that sort of enterprisewide control, they said.
Identity, credential and access management, or ICAM, tools are essential for cybersecurity—even the strongest digital defenses are worthless if organizations can’t control who has access to the system they’re protecting. While the government has historically relied on physical credentials like common access cards to manage that access, those old strategies aren’t as conducive for new technologies like cloud, artificial intelligence and mobile platforms.
By creating a universally applicable system for verifying identity online, the Enterprise Identity Service would allow users to more efficiently and securely move through the Pentagon’s IT environment, according to DISA officials. It would also let the department quickly audit users’ digital activity and revoke access to any systems outside their purview, they said.
According to the solicitation, the Enterprise Identity Service must provide a handful of specific capabilities, including an access management shared service, which would authenticate users before they can enter a specific network, and automated account provisioning, which would let the Pentagon easily turn users access to certain systems on and off. The tech must also create a so-called Master User Record, which logs each person’s activity across the department’s networks.
After reviewing white papers from interested vendors, DISA plans to award the two or three most promising vendors contracts to build prototypes of their proposals. Vendors will then demonstrate their tech before department officials and DISA will award the top candidate a larger prototype contract to further refine their system. All awards will be made using other transaction authority, officials said in the solicitation.
Interested vendors must submit their white papers by Nov. 5.
The program comes as DISA and U.S. Cyber Command explore new zero-trust architectures, a security protocol that requires users and devices to constantly verify their identities before they can access a given network. Zero-trust architectures are intended to protect IT systems from unauthorized access, and the Pentagon intends to expand its use of such measures under its five-year digital modernization strategy.