Army plans ICAM rethink to support unified network operations
Lt. Gen. John B. Morrison, Jr. (left) speaks at the retirement ceremony of Col. Christopher M. O'Connor (right). DOD photograph by Edward Loomis
To make mobile device use more secure, the Army is preparing a new identity and access requirements as it adopts zero trust security principles.
The Army is preparing new requirements to govern access to networks and data as it moves to embrace more mobile device use and the security that has to come with it.
"So we have [identity, credentialing, and access management] implemented today. It is not as holistic as it needs to be. We have a significant amount of work to do with our tactical formations to make sure that we get it fully implemented in that space," Lt. Gen. John Morrison Jr., the Army's deputy Chief of Staff, G-6, said during an Army IT event on Jan. 13 hosted by AFCEA's northern Virginia chapter.
Morrison said the Army is working on a requirements definition package for ICAM "because that's got to be the first step in applying zero trust security principles. And it's got to be done in a joint context," which includes the Pentagon's CIO and the Defense Information Systems Agency, along with the other military services.
"We've got to make sure that whatever we apply works across all three echelons -- strategic, operational, and tactical," he said. "Because whatever we implement needs to be in a joint context so that we really get after this notion of a unified network across all the services that will actually provide that secure highway to support a Joint All Domain Command and Control."
A draft version of the requirements definition package, which identifies performance and system needs, is expected later this month before heading through the formalization process to include operational requirements for ICAM and later approval through Army leadership, Morrison said.
The effort is also a part of developing requirements for unified network operations, which also includes determining how to harmonize capabilities at the tactical edge so that battalions or brigades don't have to work off of multiple systems.
Morrison said the identity credentialing, access management was "foundational" to employing zero trust principles, which assumes that a network has already been breached, "because not everybody needs access to everything."
The general said application of zero trust looks different "depending on where you're at in the environment" but the Army's implementation of it was key especially for unclassified networks where the right data is protected. But with that also comes the need for training personnel on what behaviors and data can be transmitted – especially as the Army broadens its use of "bring your own device."
"We are really going to have to be mindful of operation security and really making sure that we educate our soldiers and our civilians on what is the balance between information that we can do from a mobile perspective and then what just plain needs to either move to a higher level of classification, or just needs to stay straight on the [Department of Defense Information Network]," Morrison said.
"It's striking the balance between security and convenience and then having capability sort of be that gold star that's in between those two things we're striking your balance on. That's why we're embarking on this 'bring your own device' pilot."
The Army has been experimenting with gradually increasing its mobile capabilities for personnel, particularly with being able to use personal devices for work. Army chief information officer Raj Iyer announced in December that the Army was expanding its pilot program for bringing personal but approved devices to the workplace.
Iyer said the ultimate goal is to make it so users can bring their own laptops and tablets and access their virtual desktops as if they were in the office.
"We are now developing the architecture for the virtual desktop infrastructure to be able to access your email or your desktop," Iyer said. "And we want to make this really, really seamless. We have the multi factor authentication technologies already in place that's approved to go. You do not need [common access] cards to be able to go access all of this stuff. All you need is MFA. And we know we can get there."
A pilot program is being developed for virtual desktop use, he said.