• DocumentCode
    1921088
  • Title

    Challenges of “operationalizing” dynamic system access control: Transitioning from ABAC to RAdAC

  • Author

    Farroha, Bassam ; Farroha, Deborah

  • Author_Institution
    Dept. of Defense, Fort Meade, MD, USA
  • fYear
    2012
  • fDate
    19-22 March 2012
  • Firstpage
    1
  • Lastpage
    7
  • Abstract
    While the DoD has a strong identity and credential management foundation, much work remains to achieve the DoD access control vision of providing dynamic access control with appropriate granularity. Ongoing access control investments are transitioning from administrators manually provisioning user accounts to Attribute-Based Access Control (ABAC) capabilities. While this offers significant operational benefits over manual provisioning, ABAC capabilities must evolve. A limiting factor of the ABAC method is its reliance on the availability of authoritative attributes, and the need for access control policies that focus on specific access requests and still result in desired enterprise-wide operations. In today's DoD mission and business environments, there is a compelling need to provide authorized users, both anticipated and unanticipated, access to sensitive and classified enterprise information and the resources they need, when and where they need it, while preventing disclosure or exploitation by malicious insiders and other adversaries access to the same information. To meet this challenge, a DoD-wide Dynamic Access Management capability is needed by combining ABAC with risk management to achieve Risk Adaptive Access Control (RAdAC).
  • Keywords
    authorisation; risk analysis; ABAC; DoD access control; RAdAC; attribute based access control; authoritative attributes; business environments; credential management foundation; enterprise wide operations; ongoing access control investments; operationalizing dynamic system access control; risk adaptive access control; Authorization; Availability; Communities; US Department of Defense;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Systems Conference (SysCon), 2012 IEEE International
  • Conference_Location
    Vancouver, BC
  • Print_ISBN
    978-1-4673-0748-2
  • Type

    conf

  • DOI
    10.1109/SysCon.2012.6189525
  • Filename
    6189525