UNCLASSIFIED
Federation is addressed within the three core areas. Core ICAM capabilities are shown inside the box in Figure 2, labeled Identity, Credential, and Access Management.

For DoD mission partner entities, ICAM capabilities can be performed internally by the DoD at the DoD enterprise, DoD Component, COI, or local level, or can be performed by federated service providers. These external services may onboard and manage mission partner entity identity and authorization attributes, issue and maintain credentials, and even perform authentication and generate assertions as an Identity Provider (IdP). Because DoD does not operate or oversee the operations of these external services, DoD must determine whether the service is operated in a manner that makes it appropriate for DoD parties to rely on the artifacts the service produces. This determination requires that the service provider operate in accordance with an agreed-upon set of minimum requirements. Approval may be implemented through a Memorandum of Agreement (MOA) or other formal mechanism.
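The following is an added example, not code from the reference design, showing how a DoD relying party might act on the approval determination described above: assertions are accepted only when they come from an IdP on an approved-provider registry (the outcome of an MOA or similar agreement) and satisfy that provider's agreed minimum requirements. The registry entries, the claim names (`iss`, `sub`, `iat`, `aal`, `affiliation`), the assurance scale, and the HMAC-over-JSON signature standing in for the provider's real signature are all constructed for illustration.

```python
"""Relying-party acceptance check for assertions from federated IdPs (added example)."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedIdP:
    """A federated IdP the relying party has decided to trust, with the agreed minimums."""
    issuer: str
    agreement: str            # placeholder reference to the MOA or other formal mechanism
    signing_key: bytes        # constructed shared key; stands in for the IdP's signing certificate
    max_assertion_age_s: int  # freshness window agreed with the provider
    required_claims: tuple    # attributes the provider committed to assert
    min_aal: int              # minimum authenticator assurance level (constructed 1..3 scale)


# Constructed registry: the output of the approval determination, not real providers.
APPROVED_IDPS = {
    "https://idp.partner-a.example": ApprovedIdP(
        issuer="https://idp.partner-a.example",
        agreement="MOA-PLACEHOLDER-001",
        signing_key=b"partner-a-demo-key",
        max_assertion_age_s=300,
        required_claims=("sub", "iat", "aal", "affiliation"),
        min_aal=2,
    ),
}


def _canonical(payload):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(payload, key):
    """What the (simulated) IdP does: emit the payload plus an HMAC over its canonical form."""
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def evaluate_assertion(assertion, registry=APPROVED_IDPS, now=None):
    """Return the reasons to reject the assertion; an empty list means it may be relied on."""
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    issuer = payload.get("iss")
    idp = registry.get(issuer)
    if idp is None:
        # No agreement covers this provider, so nothing else about the assertion matters.
        return [f"issuer not approved: {issuer!r}"]
    reasons = []
    expected = hmac.new(idp.signing_key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        reasons.append("signature does not verify under the approved provider's key")
    for claim in idp.required_claims:
        if claim not in payload:
            reasons.append(f"missing required claim: {claim}")
    iat = payload.get("iat")
    if iat is None or not (0 <= now - iat <= idp.max_assertion_age_s):
        reasons.append("assertion outside agreed freshness window")
    if payload.get("aal", 0) < idp.min_aal:
        reasons.append(f"authenticator assurance {payload.get('aal')} below agreed minimum {idp.min_aal}")
    return reasons


if __name__ == "__main__":
    key = APPROVED_IDPS["https://idp.partner-a.example"].signing_key
    demo = sign_assertion({"iss": "https://idp.partner-a.example", "sub": "partner-user-1",
                           "iat": 1000, "aal": 2, "affiliation": "contractor"}, key)
    print("accepted" if not evaluate_assertion(demo, now=1100) else evaluate_assertion(demo, now=1100))
```

The order of checks matters: an unknown issuer is rejected before any signature work, because without an agreement there is no key the relying party has agreed to trust, and every later check is meaningless. All remaining failures are collected rather than short-circuited so an audit record can show every way an assertion fell short of the MOA.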
Users who require a broad set of entitlements to perform their job function, or who require entitlements that allow them to manage the operations of information systems, network components, or resources, are known as privileged users. Privileged users may require separate identifiers and credentials as well as additional auditing or monitoring to verify that privileged accounts are not being accessed by unauthorized users and that privileged users themselves are acting within their job responsibilities. Provisioning entitlements for privileged users may leverage physical or virtual network segregation and specialized provisioning and authentication tools. However, the patterns for identity, credential, and access management for privileged users are the same as for non-privileged users.
Examples of privileged users include:

- IT privileged users who have roles that allow read, write, or change access to manage IT systems, including system, network, or database administrators, and security analysts who manage audit logs. IT privileged user roles are generic to all IT infrastructure, including transport, hosting environments, cybersecurity, and application deployment.
- Developers and users with access to test tools.
- Functional privileged users who have approval authorities within workflows. Functional privileged user roles are specific to a mission area, such as human resources or finance.
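As an added example (not from the reference design), the review below applies the monitoring ideas from the privileged-user discussion to a handful of constructed authentication log lines: privileged identifiers are kept separate from ordinary ones by a naming convention, each privileged identifier must map to a registered and still-active account, access must originate from a segregated admin network, and the action taken must fall within the account's role. The `.adm` suffix, the registry, the role-to-action table, the `10.20.0.0/24` admin segment, and the `key=value` log format are all assumptions made for this illustration.

```python
"""Audit review of privileged-account activity over constructed log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegedAccount:
    person: str     # the ordinary identity this privileged identifier is bound to
    role: str       # constructed role label used to scope permitted actions
    active: bool    # False once the entitlement has been revoked


# Constructed registry: privileged identifiers are distinct from the person's ordinary identifier.
PRIV_SUFFIX = ".adm"
PRIV_ACCOUNTS = {
    "jsmith.adm": PrivilegedAccount("jsmith", "dba", True),
    "rlee.adm": PrivilegedAccount("rlee", "netadmin", True),
    "tgarcia.adm": PrivilegedAccount("tgarcia", "dba", False),   # deprovisioned, identifier retained
}
ROLE_ACTIONS = {
    "dba": {"login", "db_query", "db_schema_change"},
    "netadmin": {"login", "acl_change", "route_change"},
}
ADMIN_SEGMENTS = [ipaddress.ip_network("10.20.0.0/24")]   # constructed segregated admin network

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z host=db01 user=jsmith.adm result=success src=10.20.0.15 action=login",
    "2024-05-01T08:03:40Z host=db01 user=jsmith.adm result=success src=10.20.0.15 action=db_schema_change",
    "2024-05-01T09:10:02Z host=fw01 user=jsmith.adm result=success src=10.20.0.15 action=acl_change",
    "2024-05-01T11:45:19Z host=db02 user=rlee.adm result=success src=192.168.5.7 action=login",
    "2024-05-01T12:00:00Z host=db02 user=tgarcia.adm result=success src=10.20.0.30 action=login",
    "2024-05-01T12:05:00Z host=web01 user=jsmith result=success src=192.168.5.9 action=login",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields; None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def review_privileged_events(lines):
    """Return (line_number, reason) findings for privileged-account events that break a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if not ev or "user" not in ev:
            continue
        user = ev["user"]
        if not user.endswith(PRIV_SUFFIX):
            continue   # ordinary account: outside the scope of this review
        acct = PRIV_ACCOUNTS.get(user)
        if acct is None or not acct.active:
            findings.append((n, f"{user}: privileged identifier not registered or deactivated"))
            continue
        src = ipaddress.ip_address(ev["src"]) if "src" in ev else None
        if src is None or not any(src in seg for seg in ADMIN_SEGMENTS):
            findings.append((n, f"{user}: access from outside the admin segment ({ev.get('src')})"))
        action = ev.get("action")
        if action not in ROLE_ACTIONS.get(acct.role, set()):
            findings.append((n, f"{user}: action '{action}' outside role '{acct.role}'"))
    return findings


if __name__ == "__main__":
    for line_no, reason in review_privileged_events(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Run against the sample, the review flags a database administrator changing a firewall ACL, a network administrator logging in from the user LAN instead of the admin segment, and a login by a deactivated privileged identifier; the ordinary `jsmith` login on the last line is deliberately ignored, since keeping the privileged identifier separate is what makes the privileged activity reviewable on its own.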
2.2.1.1 Identity Management
The baseline requirement for ICAM services is identity management. Entities must be assigned a persistent unique identifier. Attributes can then be bound to the identifier to define a digital identity. A single entity may be assigned different identifiers in different contexts. If these different contexts interconnect, it may be necessary to map identifiers from one context to another. While attributes associated with a digital identity change and evolve over time, digital identities never truly expire. Instead, a digital identity may be deactivated.
Attributes may be categorized into different types, such as identity, contact, and authorization, depending on how they are managed and used. Person entity identity attributes are generally managed as part of a human resources function, and may include name, rank, and organizational affiliation. Contact attributes are used to find and contact other entities, and include physical location, telephone number, and email address. Authorization attributes are used to support provisioning and access control decisions, and include clearance, training completion, and COI membership. Entitlements are an example of authorization attributes; they determine which information systems, or resources within systems, an entity is authorized to access. Each attribute should be managed at a single source and distributed as needed.
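The following added example (not code from the reference design) turns the identity management rules in this subsection into a small model: a persistent identifier that is never reassigned, attributes bound to it and grouped into identity, contact, and authorization types, each attribute accepted only from its single authoritative source, identifier mapping across interconnected contexts, and deactivation in place of expiry. The attribute catalogue, the source names (`hr`, `directory`, `security_office`, `training_system`, `iam`), and the context names are assumptions for the illustration.

```python
"""Digital identity model: persistent identifier, typed attributes, context mapping (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class AttrType(Enum):
    IDENTITY = "identity"
    CONTACT = "contact"
    AUTHORIZATION = "authorization"


# Constructed catalogue: each attribute has one category and exactly one authoritative
# source. Consumers receive distributed copies; they never become a source themselves.
ATTRIBUTE_CATALOGUE = {
    "name":         (AttrType.IDENTITY,      "hr"),
    "rank":         (AttrType.IDENTITY,      "hr"),
    "affiliation":  (AttrType.IDENTITY,      "hr"),
    "location":     (AttrType.CONTACT,       "directory"),
    "email":        (AttrType.CONTACT,       "directory"),
    "clearance":    (AttrType.AUTHORIZATION, "security_office"),
    "training":     (AttrType.AUTHORIZATION, "training_system"),
    "entitlements": (AttrType.AUTHORIZATION, "iam"),
}


@dataclass
class DigitalIdentity:
    identifier: str                                   # persistent, unique, never reassigned
    active: bool = True                               # deactivated rather than expired
    attributes: dict = field(default_factory=dict)    # attribute name -> current value
    context_ids: dict = field(default_factory=dict)   # context name -> identifier used there


class IdentityRegistry:
    def __init__(self):
        self._identities = {}      # identifier -> DigitalIdentity
        self._context_index = {}   # (context, local_id) -> identifier

    def create(self, identifier):
        if identifier in self._identities:
            raise ValueError(f"identifier {identifier!r} already assigned")   # no reuse, ever
        self._identities[identifier] = DigitalIdentity(identifier)
        return self._identities[identifier]

    def get(self, identifier):
        return self._identities[identifier]

    def set_attribute(self, identifier, name, value, source):
        """Bind an attribute to the identity, accepting it only from its authoritative source."""
        if name not in ATTRIBUTE_CATALOGUE:
            raise ValueError(f"unknown attribute {name!r}")
        _, owner = ATTRIBUTE_CATALOGUE[name]
        if source != owner:
            raise PermissionError(f"{name!r} is managed by {owner!r}, not {source!r}")
        self.get(identifier).attributes[name] = value

    def attributes_of(self, identifier, kind):
        """Return only the attributes of one category, e.g. what an access decision may consume."""
        ident = self.get(identifier)
        return {n: v for n, v in ident.attributes.items() if ATTRIBUTE_CATALOGUE[n][0] is kind}

    def link(self, identifier, context, local_id):
        """Record that this entity is known as `local_id` inside `context` (e.g. a COI or enclave)."""
        key = (context, local_id)
        if key in self._context_index and self._context_index[key] != identifier:
            raise ValueError(f"{local_id!r} in {context!r} already maps to another entity")
        self.get(identifier).context_ids[context] = local_id
        self._context_index[key] = identifier

    def map_identifier(self, from_context, from_id, to_context):
        """Translate an identifier across interconnected contexts; None when no mapping exists."""
        identifier = self._context_index.get((from_context, from_id))
        if identifier is None:
            return None
        return self.get(identifier).context_ids.get(to_context)

    def deactivate(self, identifier):
        """Deactivate rather than delete: the identifier and its attribute history remain."""
        self.get(identifier).active = False


if __name__ == "__main__":
    reg = IdentityRegistry()
    reg.create("ID-0001")
    reg.set_attribute("ID-0001", "name", "Jane Smith", "hr")
    reg.set_attribute("ID-0001", "clearance", "S", "security_office")
    reg.link("ID-0001", "coi_logistics", "jsmith42")
    reg.link("ID-0001", "dod_enterprise", "1234567890")
    print(reg.map_identifier("coi_logistics", "jsmith42", "dod_enterprise"))
    print(reg.attributes_of("ID-0001", AttrType.AUTHORIZATION))
```

Two design points carry the subsection's intent: `set_attribute` refuses a value from any system other than the attribute's owner, which is how "managed at a single source" is enforced rather than merely documented, and `deactivate` flips a flag instead of deleting the record, so audit trails and previously issued mappings still resolve to the same entity.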