DISA’s Identity and Zero Trust Breakthrough
Original Broadcast 3/30/25

The Department of Defense is taking a major step forward in its Zero Trust journey with a new approach to identity, credential, and access management (ICAM)—one that promises to simplify access, improve user experience, and dramatically strengthen security across the enterprise.

On a recent episode of Fed Gov Today with Francis Rose, Brian Hermann, Director and Program Executive Officer, PEO Cyber at the Defense Information Systems Agency (DISA), shared exclusive details about the agency’s latest ICAM breakthrough: a federated authentication model that enables seamless access across DoD systems without sacrificing security. As Zero Trust continues to evolve from a concept into an operational imperative, Hermann and his team are laying the foundation that will support everything from internal collaboration to global mission partner engagement.

“ICAM is the foundational capability that enables Zero Trust,” Hermann told host Francis Rose. “You have to understand who a user is and verify that identity before you can decide whether they should have authorization to access a system.” That verification—done in real-time, continuously, and without assumptions—is what makes ICAM central to Zero Trust architecture.

The capability DISA is now rolling out changes how authentication works across component boundaries. Traditionally, DoD systems have required users to authenticate separately to each application managed by a different service or component. That approach created friction, confusion, and inefficiency, especially for joint operations or personnel who needed to access systems outside their “home” environment.

To solve this, DISA has developed a federated ICAM model that allows users to authenticate once—through their own service’s identity platform—and be granted access to other DoD systems based on a trust relationship between ICAM providers. “We didn’t want a user to have to think about which system they need to log into or where to go for access,” Hermann explained. “The goal was to simplify the user experience while keeping everything secure.”

The agency’s first successful federation was with the U.S. Army. According to Hermann, the Army had both the maturity in its identity infrastructure and the willingness to work through a first-of-its-kind implementation. “There were certainly challenges, but most of them were procedural, not technical,” he said. “And we were able to use commercial tools and standards, which sets us up for faster success with the other services.”

That rollout is already underway. Hermann confirmed that DISA will complete federation with the Navy and Air Force within the current fiscal year, and will move to other ICAM implementations as they become available across the department. This timeline aligns with a broader DoD goal: by the end of FY26, all financial systems must adopt automated ICAM provisioning in support of a clean audit.

But the benefits of the new ICAM model go far beyond audits. One of the key improvements is streamlined account provisioning. In the past, DoD relied on a paper-based approval process built around the DD Form 2875 (the System Authorization Access Request), which was often slow, error-prone, and inconsistent. With the new approach, access is granted based on defined user attributes, roles, and organizational policies, and every grant is tracked and logged automatically.

“We now have the ability to see exactly what access every user has,” Hermann said. “That’s a major step forward for both transparency and security.” It also enables better anomaly detection and automated revocation if a user’s role changes or their behavior suggests a potential threat.

Importantly, Hermann doesn’t see ICAM as just a DoD solution. He emphasized that many military operations require collaboration with external partners—whether that’s other federal agencies, private-sector logistics providers, or coalition allies. “Some of our most critical missions involve partners who will never have a common access card,” he said. “We have to be able to extend secure access to them too.”

That’s where the future of ICAM gets even more strategic. Hermann envisions a federated, standards-based ICAM environment that enables secure data and system access for a broader ecosystem of trusted partners without creating unnecessary risk. Achieving that vision will require updated policy, scalable technology, and the agility to grant and revoke trust relationships as needed. The caveat is inherent in federation: the relying system is accepting a partner’s identity proofing and credential assurance as its own, so each trust relationship has to be scoped to the partner’s assurance level and revocable on the relying side, not only at the partner’s identity provider.
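To make the three mechanisms described above concrete (authenticate once at a home identity provider and be accepted elsewhere through a trust relationship; grant access from attributes and roles with every decision logged; revoke a trust relationship on the relying side), here is an added example of the relying-party side of such a federation. It is illustrative code written for this page, not DISA’s or any service’s implementation. It assumes a compact, HMAC-signed assertion format as a stand-in for the signed SAML or OIDC assertions a real federation would exchange; the issuer URLs, trust registry, policy, and user attributes are all constructed.

```python
"""Relying-party side of a federated ICAM trust relationship (added illustration)."""
import base64
import hashlib
import hmac
import json

AUDIENCE = "https://app.disa.example"  # constructed identifier for this application

# Constructed trust registry of federation partners ("home" identity providers).
# Real federations publish asymmetric signing keys in metadata; shared secrets
# are used here only so the example runs offline with the standard library.
TRUST_REGISTRY = {
    "https://idp.army.example": {"key": b"army-demo-key", "skew": 60},
    "https://idp.navy.example": {"key": b"navy-demo-key", "skew": 60},
}

# Constructed attribute-based policy: which asserted roles/clearance may use what.
POLICY = {
    "finance-ledger": {
        "roles": {"finance-analyst", "finance-auditor"},
        "clearance": {"S", "TS"},
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, subject, attrs, now, ttl=300):
    """Home IdP side: sign a compact assertion about an already-authenticated user."""
    claims = {"iss": issuer, "sub": subject, "aud": AUDIENCE,
              "iat": now, "exp": now + ttl, "attrs": attrs}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_assertion(token, now, registry=TRUST_REGISTRY):
    """Relying-party side: accept only assertions from a currently-trusted IdP.

    Returns (claims, "ok") or (None, reason). The issuer is looked up in the
    registry first, and the signature is checked with that issuer's key before
    any other claim is relied upon.
    """
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except ValueError:  # bad split, bad base64 (binascii.Error), bad JSON
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    partner = registry.get(claims.get("iss"))
    if partner is None:
        return None, "untrusted issuer"  # federation never established, or revoked
    expected = hmac.new(partner["key"], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None, "bad signature"
    if claims.get("aud") != AUDIENCE:
        return None, "wrong audience"  # minted for some other application
    skew = partner["skew"]
    if now > claims.get("exp", 0) + skew or now < claims.get("iat", 0) - skew:
        return None, "expired"
    return claims, "ok"


def authorize(claims, resource, policy=POLICY):
    """Attribute-based decision: asserted roles and clearance against policy."""
    rule = policy.get(resource)
    if rule is None:
        return False, "unknown resource"
    attrs = claims.get("attrs", {})
    if not set(attrs.get("roles", ())) & rule["roles"]:
        return False, "role not permitted"
    if attrs.get("clearance") not in rule["clearance"]:
        return False, "clearance insufficient"
    return True, "permit"


def access(token, resource, now, registry=TRUST_REGISTRY, audit=None):
    """Full request path; every decision, permit or deny, is appended to the audit log."""
    claims, reason = verify_assertion(token, now, registry)
    if claims is None:
        decision = ("deny", reason)
    else:
        permitted, reason = authorize(claims, resource)
        decision = ("permit" if permitted else "deny", reason)
    if audit is not None:
        audit.append({"time": now, "resource": resource,
                      "iss": claims.get("iss") if claims else None,
                      "sub": claims.get("sub") if claims else None,
                      "decision": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    T = 1_700_000_000
    log = []
    tok = issue_assertion("https://idp.army.example", b"army-demo-key", "jdoe",
                          {"roles": ["finance-analyst"], "clearance": "S"}, T)
    print(access(tok, "finance-ledger", T, audit=log))           # permit
    revoked = {k: v for k, v in TRUST_REGISTRY.items() if "army" not in k}
    print(access(tok, "finance-ledger", T, revoked, audit=log))  # deny: trust revoked
    print(json.dumps(log, indent=1))
```

The order of checks is the security-relevant part: the issuer must be in the relying party’s own registry and the signature must verify under that issuer’s key before any attribute in the assertion is trusted, and removing a partner from the registry immediately invalidates every assertion it has issued, which is what revocable trust on the relying side means in practice. Every request, allowed or denied, lands in the audit log, which is the record an automated provisioning regime needs for audit and anomaly detection.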

“The policies exist in some places, but they need to evolve,” Hermann noted. “Especially as we work with shifting coalitions and temporary mission partners, we have to be able to set clear expectations and respond quickly when the relationship changes.”

This evolution also reflects a broader trend: Zero Trust is no longer just a cybersecurity framework. It’s becoming a lens through which agencies evaluate digital experience, workforce access, and cross-domain collaboration. By making ICAM not just secure but user-friendly, DISA is enabling a more connected and resilient defense environment.

“Users shouldn’t have to think about the security layer—they should just be able to get to what they need, when they need it, if they’re authorized,” Hermann said. “That’s what we’re building.”

DISA’s federated ICAM model is more than a technical achievement—it’s a signal that the Defense Department is serious about turning Zero Trust from a buzzword into an operational reality. And as Hermann’s work continues, it offers a roadmap for how government can combine smart policy, modern tools, and cross-agency collaboration to secure its most critical assets.