The Department of Defense is working to implement a new identity, credentialing and access management (ICAM) tool, a key part of its journey to a zero-trust cybersecurity model, the department’s chief information security officer said Wednesday.
The tool was developed by the Defense Information Systems Agency, which had previously solicited input from industry to help develop the technology to verify users on a network. The first users who will be offered use of the tool are in DOD’s financial management divisions and will be given access on a fee-for-service basis, DOD CISO David McKeown told senators.
“Right now we have an enterprise-level solution for ICAM,” McKeown told the Senate Armed Services Cybersecurity Subcommittee during a hearing on zero trust. “That will be the exemplar that we adopt across the board, throughout the department.” It’s unclear how long it will take to roll out the solution across the department.
ICAM is critical to zero trust because the model relies on being able to track user identities across the network and ensure data access is limited only to those who can verify they need it. In the current model of cybersecurity, defenses are placed at login points, or at the perimeter, but if an attacker can get past those first defenses, they have free rein over sensitive data. That’s not the case with zero trust, where, with the help of ICAM solutions, access is heavily limited even within a network.
The recent SolarWinds hack, in which suspected Russian intruders gained access to systems and then moved around networks looking for sensitive information, has pushed DOD to adopt zero trust with even more zeal, McKeown said in the hearing. DOD has said none of its networks were compromised in the hack, but the incident has spurred action nonetheless.
“These recent events have led us to accelerate the implementation of our zero-trust frameworks,” McKeown said.