The Army will extend identity, credential and access management across the enterprise and into field units this year. Officials expect wider use of automated account provisioning and privileged access tools by the end of 2025, with more systems added as connectors mature. The effort ties to audit findings and identity policy now in force across the department.
The command will focus on two near-term goals:
- First, eliminate orphaned accounts. Link account creation and removal to authoritative data and role rules.
- Second, reduce administrator risk through privileged access controls that record changes and restrict elevation to defined windows.
The service already uses PAM on part of its portfolio and intends to expand coverage in waves as applications complete readiness checks.
Defense officials confirm the identity program supports a large footprint on unclassified and classified networks. Enterprise ICAM currently covers about 1,600 applications on NIPRNet and more than 300 on the classified side, giving program teams the reach they need to enforce policy without forcing every application to modernize on day one. Scale like this lets owners sequence work instead of pausing operations to re-platform.
The Inspector General’s reporting for fiscal 2024 cited weak access controls and poor segregation of duties in financial systems. Following these findings, the department issued guidance with deadlines for identity provider adoption and automated provisioning across financial systems and subsequently extended similar controls into non-financial systems in phases.
ICAM rollout timelines across Army networks
Program managers describe a synchronized plan that accelerates provisioning and PAM while applications align to enterprise standards.
Automated account provisioning anchors the financial systems effort, with enforcement tied to internal controls over financial reporting. Department direction requires those systems to onboard to an approved identity provider by the end of fiscal 2025, then stand up automated provisioning across the portfolio by 2026.
Access control defects, slow account removal and unresolved segregation of duties keep showing up year after year. These issues fall squarely under ICAM.
DoD federation hub NIPRNet integration and SIPRNet status
The department operates a federation hub to let organizations trust each other’s identity assertions while retaining local providers. The Army integrated early, which gives unclassified mission partners a faster path to shared access. Commanders gain room to decide how far to federate with external units based on the mission.
No SIPRNet federation pilot runs through the hub right now. Army teams say they’re configured to integrate once the pilot opens. Until then, federation work stays on NIPRNet, while classified partners use existing, more limited methods. “We’re ready to integrate on SIPRNet when the pilot is available,” one official said, describing a standing posture, not a new announcement.
Risk decisions sit with commanders when partner access reaches the edge. Federation at local echelons will let units accept defined levels of risk while staying inside enterprise policy. The framework published by the department explains how attributes and assertions flow, and how trust updates propagate across partners.
Tactical ICAM phase two demonstration in DDIL conditions
Field users need identity services that work when links fail or degrade. The tactical ICAM effort has entered phase two with an operational unit, where teams test the package during live exercises that include disconnected, degraded, intermittent, and limited conditions. Program staff describe a down-select to a pair of vendors under an Other Transaction, with government and industry working side by side to capture soldier feedback and adjust builds between events.
Jack Wilson, who manages Interoperability, Integration and Services, said, “We are in phase two with an operational unit, and we’re doing this in the field during exercises.” The effort has moved from lab demos to formations on mission nets that face real interference, not test harnesses. Short cycles with direct user input guide design so authentication stays reliable without burning bandwidth or computing resources the unit can’t spare.
According to Andre Townes on the enterprise side, field units need the same identity controls they use on garrison systems. Account data has to stay correct through network drops, with logs queued and synced when links return. He also cited modular kits, so brigades carry only what they need, not extra hardware that slows movement.
myAuth transition DS Logon replacement and ICAM integration with AI anomaly detection
The department has begun replacing DS Logon with a new sign-in service named myAuth. The transition spans approximately 18 months and affects more than 200 web properties across defense and veterans services.
Since the summer launch, adoption has climbed fast while agencies move portals onto the new system. Army officials are evaluating myAuth for retirees and beneficiaries, along with how to preserve identity visibility and a rapid “kill switch” for E-ICAM managed accounts.
Evaluation work centers on assurance levels, device posture, and session control. If a third-party single sign-on handles the front door for a mission owner, program staff still need audit trails in authoritative systems. They also need confidence that risk signals can trigger step-up authentication or immediate revocation without delay.
Analysts are testing AI and machine learning models to spot unusual access by time, location, resource type and privilege elevation. A late login alone doesn’t count as suspicious anymore. Context does. Travel days, sudden bursts of admin requests, or a new browser fingerprint on a network where it never appears can trigger extra checks. Industry sources state that these models run alongside rule-based controls, not instead of them, and they feed operators signals that cut response time when something looks off.
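The point that context, not a single late login, should drive extra checks can be shown with a small rule-based scorer. This is an added example, not code from any program described here, and it is a rules sketch rather than an ML model; the event fields, weights, thresholds and the "step_up" action name are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative weights and thresholds (assumptions, not program values).
WEIGHTS = {"off_hours": 1, "new_fingerprint": 2, "new_location": 2, "admin_burst": 3}
STEP_UP_AT = 3                       # a lone off-hours login (1) stays below this
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3                      # elevation requests inside the window

class ContextScorer:
    def __init__(self):
        self.seen_fp = defaultdict(set)        # network -> browser fingerprints seen
        self.last_loc = {}                     # user -> last location
        self.elevations = defaultdict(deque)   # user -> recent elevation times

    def score(self, ev):
        """Return (action, signals) for one event, then update the baseline."""
        ts = datetime.fromisoformat(ev["ts"])
        signals = []
        if ts.hour < 6 or ts.hour >= 22:
            signals.append("off_hours")
        fps = self.seen_fp[ev["network"]]
        if fps and ev["fingerprint"] not in fps:   # first event only seeds the baseline
            signals.append("new_fingerprint")
        prev = self.last_loc.get(ev["user"])
        if prev is not None and prev != ev["location"]:
            signals.append("new_location")
        if ev["elevate"]:
            q = self.elevations[ev["user"]]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:        # drop requests outside the window
                q.popleft()
            if len(q) >= BURST_COUNT:
                signals.append("admin_burst")
        fps.add(ev["fingerprint"])
        self.last_loc[ev["user"]] = ev["location"]
        total = sum(WEIGHTS[s] for s in signals)
        return ("step_up" if total >= STEP_UP_AT else "allow"), signals

# Constructed sample events (not real log data).
EVENTS = [
    {"ts": "2025-03-03T09:00:00", "user": "alice", "network": "net-a", "location": "site-1", "fingerprint": "fp-1", "elevate": False},
    {"ts": "2025-03-03T23:30:00", "user": "alice", "network": "net-a", "location": "site-1", "fingerprint": "fp-1", "elevate": False},
    {"ts": "2025-03-04T23:40:00", "user": "alice", "network": "net-a", "location": "site-2", "fingerprint": "fp-9", "elevate": True},
]

def run(events):
    scorer = ContextScorer()
    return [scorer.score(e) for e in events]
```

In the sample, the second event is a late login with nothing else unusual and is allowed; the third combines a late hour, a new location and an unseen fingerprint and is sent to step-up.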
Enterprise ICAM enforces policy on business systems that handle money and records. Federation enables organizations to accept identity assertions across boundaries without rebuilding their directories. Tactical ICAM keeps the same core and still works when bandwidth drops or disappears for hours. The myAuth change retires legacy non-CAC logins and cuts fragmentation for millions of dependents, retirees and other users.
According to our analysis, the Army is advancing on each front in parallel. Early integration with the federation hub set conditions for partner access on unclassified networks. Provisioning and PAM work address audit findings where they occur. The field demos bring identity assurance to units that cannot count on stable links.
The myAuth transition modernizes the external user base that touches defense systems every day. None of this requires new slogans. It does require steady configuration work, careful testing and the discipline to keep logs clean.