The Pentagon has reissued calls for all components to onboard their Internal Control Over Financial Reporting (ICOFR)-relevant systems to an approved identity, credential, and access management (ICAM) solution by the end of fiscal year (FY) 2026, in an effort to support a clean departmentwide audit by FY 2028.

Then-Acting Chief Information Officer Leslie Beavers issued the memo on Nov. 26, 2024. It was reissued and publicly released on Dec. 1.

“Modernized ICAM services for ICOFR-relevant systems will help remediate scope limitations, material weaknesses associated with access management, and address separation of duties issues,” the memo states. It adds that monthly in-progress reviews will track component adoption.

The effort is essential for the DOD to achieve target-level zero trust by the end of FY 2027, the memo states.

In addition to the requirements for ICOFR-relevant systems, classified and unclassified non-ICOFR systems must onboard to a DOD-approved identity provider by the end of FY 2026 and transition to automated account provisioning and a master user record by FY 2027 to meet zero-trust targets and support the 2028 audit goal.

The memo outlines four lines of effort, key tasks and deadlines, and identifies the organizations responsible for execution.

The four lines of effort are ICAM capability delivery and federation, segregation-of-duties rule development, onboarding of ICOFR-relevant applications, and governance and accountability. Requirements range from updating ICAM capability roadmaps by late FY 2024 to establishing a DOD federation hub by FY 2025 and delivering core ICAM capabilities by early FY 2026.