The Defense Information Systems Agency (DISA) is preparing new acquisition efforts for identity, credential, and access management (ICAM) and Thunderdome, DISA’s zero trust program, as the Defense Department (DOD) works toward its fiscal year (FY) 2027 zero trust deadline.
Brian Hermann, portfolio acquisition executive for cyber at DISA, told reporters on June 2 at the TechNet Cyber conference in Baltimore that the agency plans to release a new other transaction authority (OTA) agreement for ICAM by the end of the year. DISA also plans to award a second OTA supporting Thunderdome foreign military sales efforts within the next two months, he said.
The planned procurements support DOD’s broader effort to make identity the foundation of its zero trust architecture while extending secure access beyond traditional department boundaries. All DOD components and supporting contractors are required to achieve target-level zero trust by the end of FY 2027, followed by a fully optimized advanced level by FY 2032.
The Trump administration has rebranded the DOD as the War Department.
Building identity beyond DOD networks
“Identity is at the center of everything,” Hermann said, describing ICAM as a core element of a broader security portfolio that includes data protection, network security, analytics, and access controls.
One of DOD’s biggest challenges is creating a consistent identity framework across thousands of applications that have modernized at different rates and have not uniformly adopted approved ICAM capabilities, Hermann said.
To address that challenge, the department is expanding the use of federated ICAM hubs that establish trust relationships with users who do not possess common access cards.
Hermann said many mission partners – including federal agencies, commercial transportation providers, defense contractors, and international partners – will never receive DOD-issued credentials but still require secure access to department systems and data.
Organizations including the Defense Logistics Agency and U.S. Transportation Command routinely work with external partners around the world, creating demand for identity services that extend beyond traditional DOD networks, he noted.
Federation efforts on unclassified networks continue to expand and now support a growing number of external organizations, Hermann said. At the secret level, the department has focused on federation with allied mission partners rather than deploying multiple enterprise ICAM systems.
For example, the DOD recently achieved successful federation with Canada on unclassified networks. Hermann described the effort as one of the department’s more challenging federation use cases and noted it was completed despite not being part of the original roadmap.
DOD’s federation strategy, which enables collaboration using the systems organizations already operate, is shaping the upcoming ICAM OTA, which will seek industry input on future enterprise authentication capabilities and potential replacements for technologies adopted during the COVID-19 pandemic.
At the time, DOD deployed authentication technology to support the Commercial Virtual Remote environment that enabled Microsoft Teams access. Hermann said the decision met immediate operational requirements but may not satisfy future enterprise needs.
The upcoming procurement, he explained, will help determine whether the department pursues a new commercial off-the-shelf platform or transitions toward a software-as-a-service model for enterprise ICAM capabilities.
Thunderdome expands from enterprise deployment to coalition operations
While ICAM establishes trusted identities, Hermann said Thunderdome serves as the enforcement layer that applies zero trust policies across operational environments.
The platform has been deployed at more than 500 sites through the Fourth Estate Network Optimization initiative and is supporting U.S. Southern Command and other organizations pursuing zero trust modernization efforts.
The integration of ICAM and Thunderdome is particularly visible in coalition environments supporting exercises in the Indo-Pacific region. Hermann said those environments combine operational capabilities with security services that use identity, authorization levels, and mission roles to make real-time access decisions.
Under that model, U.S. personnel receive access based on their credentials, while partners from allied nations have more restricted access to resources based on their credentials.
The next phase of Thunderdome’s growth will focus on international adoption. Hermann said allied governments have expressed significant interest in the technologies underpinning the platform, and some are adopting similar tools to improve interoperability and strengthen shared cyber defenses. The forthcoming OTA is intended to support foreign military sales requirements and broaden access to Thunderdome capabilities among partner nations.