Initiatives

Stay Informed

Keep up-to-date on all the latest DISA news and events by subscribing to DISA's email subscription service.

Subscribe ▸

IDENTITY AND ACCESS MANAGEMENT (IDAM)

Overview

  • Identity and Access Management (IdAM) is the combination of technical systems, policies and processes that create, define, and govern the utilization and safeguarding of identity information, as well as managing the relationship between an entity and the resources to which access is needed.
  • The vision of DoD IdAM, as presented in the DoD IdAM Strategy, is “person and non-person entities can securely access all authorized DoD resources, anywhere, at any time.” To realize this vision:
    • Access controls must be IdAM data-driven and automated.
    • IdAM capabilities must provide access accountability by recording IdAM activity.
    • IdAM must enable person entities to find contact data for other person entities and for non-person entities.
  • IdAM data is the cornerstone for achieving and maintaining the DoD IdAM end state.
  • Without access to standardized IdAM data, “dynamic access control” — the capability to automatically and securely have access to the resources we need, whenever we need them, from wherever we are — is not possible.
    • Dynamic access control allows resource owners to make more effective, efficient, and secure authentication and authorization decisions for both anticipated and unanticipated users.
    • Dynamic access control seeks to eliminate the time consuming delays in providing access encountered during such scenarios as geographic relocation, changes in roles and responsibilities, or simply working on a different desktop computer or mobile device. These time delays are not just an issue of end-user convenience — they detract from DoD mission effectiveness by hampering timely sharing of critical information.
    • Dynamic access control supports an “on-the-fly,” secure, and responsive warfighting posture where access control capabilities quickly adapt to changing real-world conditions, additional mission partners, and evolving mission needs.
  • Successful implementation of DoD IdAM depends on a federated approach that ensures standardized IdAM data is available to support access management and other applications.
    •  DoD Components are responsible to ensure all of their IdAM systems conform to the IdAM design.

Incremental Upgrades in Capability (March 2015)

  • Initial Authentication Gateway Services implemented.
  • Global Address Lists synchronized.

Robust IdAM capabilities are key to the department’s Joint Information Environment (JIE) way ahead and provide the following JIE-specific benefits:

  • Ensure users and systems have timely and secure access to the data and services needed to accomplish their assigned missions, regardless of their location.
  • Know who is operating on our networks and what they are doing with a high degree of confidence.
  • Deny adversaries freedom of maneuver within the JIE through anomaly detection and other means.


DoD Components are responsible to ensure all of their IdAM systems conform to the IdAM design, as presented in the DoD IdAM Reference Architecture and DoD IdAM Service Portfolio Description. Important early implementation steps include the following:

  • Convert all person entity identifiers in all IdAM systems to the DoD persona-based identifiers.
  • Synchronize core person entity IdAM data with the Defense Manpower Data Center.
  • Partner with approved DoD mission partners to ensure their person entities have smart cards.
  • Ensure all IdAM systems use DoD and DoD mission partner smart cards for authentication.
  • Ensure assertion services are implemented for all approved exceptions that allow passwords.


The solutions associated with each capability are listed below.

Manage Digital Identities

  • Enterprise Identity Attribute Services (EIAS)
  • Enterprise Directory Services (EDS)

Authenticate Users

  • Public Key Infrastructure (PKI)
  • Public Key Enabling (PKE)
  • Global Directory Service (GDS)
  • DoD Visitor
  • Authentication Gateway Services (AGS)

Authorize Access to Resources

  • Attribute-Based Access Control (ABAC)

Decisions in this four step process must depend on IdAM data and be automated to the greatest extent possible and:

  1. Identification: Person or non-person entity declares an identity when requesting access.
  2. Authentication: Verify that identity using authentication credentials.
  3. Authorization: Determine if access is authorized using IdAM data.
  4. Access: Grant or deny access, as appropriate.

IdAM Concept