UNCLASSIFIED

DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design

Version 1.0

June 2020

Prepared by Department of Defense, Office of the Chief Information Officer (DoD CIO)

CLEARED AS AMENDED For Open Publication, Aug 07, 2020, Department of Defense, Office of Prepublication and Security Review

DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (Administrative or Operational Use). Other requests for this document shall be referred to the DCIO-CS.


Document Approvals

Prepared By:

N. Thomas Lam, IE/Architecture and Engineering, Department of Defense, Office of the Chief Information Officer (DoD CIO)
(Digitally signed by LAM.NGOAN.THOMAS.1229438960, Date: 2020.07.16 11:22:39 -04'00')

Thomas J Clancy, COL US Army, CS/Architecture and Capability Oversight, DoD ICAM Lead, Department of Defense, Office of the Chief Information Officer (DoD CIO)
(Digitally signed by CLANCY.THOMAS.JEROME.JR.1022639923, Date: 2020.07.16 11:29:55 -04'00')

Approved By:

Peter T. Ranks, Deputy Chief Information Officer for Information Enterprise (DCIO IE), Department of Defense, Office of the Chief Information Officer (DoD CIO)
(Digitally signed by RANKS.PETER.THOMAS.1284616665, Date: 2020.07.16 17:25:42 -04'00')

John (Jack) W. Wilmer III, Deputy Chief Information Officer for Cyber Security (DCIO CS), Department of Defense, Office of the Chief Information Officer (DoD CIO)
(Digitally signed by WILMER.JOHN.W.III.1267975430, Date: 2020.07.17 11:07:35 -04'00')


Version History

Version: 1.0
Date: TBD
Approved By: TBD
Summary of Changes: Renames and replaces the IdAM Portfolio Description dated August 2015 and the IdAM Reference Architecture dated April 2014. (Existing IdAM SDs and TADs will remain valid until updated versions are established.)
- Updates name from Identity and Access Management (IdAM) to Identity, Credential, and Access Management (ICAM) to align with Federal government terminology
- Removes and cancels the list of formal ICAM-related requirements
- Restructures document for clarity
- Updates ICAM Taxonomy to better conform to Federal ICAM Architecture
- Updates descriptions and data flows of ICAM capabilities
- Summarizes current DoD enterprise ICAM services
- Defines ICAM roles and responsibilities


Executive Summary

The purpose of this Identity, Credential, and Access Management (ICAM) Reference Design (RD) is to provide a high-level description of ICAM from a capability perspective, including transformational goals for ICAM in accordance with the Department of Defense (DoD) Digital Modernization Strategy. As described in Goal 3, Objective 2 of the DoD Digital Modernization Strategy, ICAM "creates a secure and trusted environment where any user can access all authorized resources (including [services, information systems], and data) to have a successful mission, while also letting the Department of Defense (DoD) know who is on the network at any given time." This objective focuses on managing access to DoD resources while balancing the responsibility to share with the need to protect. ICAM is not a single process or technology, but is a complex set of systems and services that operate under varying policies and organizations.

There are significant advantages to the DoD in providing ICAM services at the DoD enterprise level, including consistency in how services are implemented, improved security, cost savings, and attribution by having a discrete defined digital identity for a single entity. ICAM is also fundamental for the transformation to a modern data-centric, identity-based access management architecture that is required in a future-state Zero Trust (ZT) Architecture. To gain these advantages, DoD enterprise ICAM services must support functionality for both the DoD internal community and DoD mission partners, must provide interfaces that are usable by Component information systems, and must minimize or eliminate gaps in supporting ICAM capabilities.

The ICAM RD promotes centralization of identity and credential management, including attribute management and credential issuance and revocation. The ICAM RD also establishes standardized processes and protocols for authentication and authorization. Access decisions must be fundamentally managed by local administrators who understand the context and mission relevance for person entities and Non-Person Entities (NPE) that require access to resources.

The RD defines an ICAM taxonomy that is based on the core elements of the Federal ICAM (FICAM) Architecture, and describes data flow patterns for each of the capabilities defined in the ICAM taxonomy. Systems and services shown in these data flows may be operated at the DoD enterprise, DoD Component, Community of Interest (COI), or local level. In addition to generic data flow patterns, the RD provides a set of implementation patterns and their related use cases for ICAM capabilities. These patterns are intended to demonstrate how capabilities may be implemented to meet a broad set of mission and other needs. They are not intended to be prescriptive for how a given information system consumes ICAM capabilities, nor are they intended to describe all possible ICAM use cases. Finally, the RD describes existing and planned DoD Enterprise ICAM services, and roles and responsibilities for ICAM service providers and for DoD Components in deploying ICAM.

This document is not intended to mandate specific technologies, processes, or procedures. Instead, it is intended to:

- Aid mission owners in understanding ICAM requirements and describing current and planned DoD enterprise ICAM services, to enable them to make decisions about ICAM implementation so that it meets the needs of the mission, including enabling authorized access by mission partners.
- Support the owners and operators of DoD enterprise ICAM services so that these services can effectively interface with each other to support ICAM capabilities.
- Support DoD Components in understanding how to consume DoD enterprise ICAM services and how to operate DoD Component, COI, or local-level ICAM services when DoD enterprise services do not meet mission needs.

Each mission owner is responsible for ensuring ICAM is implemented in a secure manner consistent with mission requirements. Conducting operational, threat-representative cybersecurity testing as part of ICAM implementation efforts is a necessary means of verifying that the implementation is secure.
