
DoD ZTA CoA User Inventory Requirements: Meeting DTM 25-003 Centralized Identity Management Mandates

  • Vishal Masih
  • 2 days ago
  • 2 min read
DTM 25-003 starts with having a Complete User Inventory

Why Centralized User Inventory Remains a Critical DoD Zero Trust Fail Point

The Department of Defense's (DoD) rapid shift to Zero Trust is anchored by the principle that every user identity must be continuously discovered, classified, and managed through a centralized ICAM (Identity, Credential, and Access Management) platform. DTM 25-003 makes this requirement explicit, but as recent DoD IG and GAO findings reveal, many program offices continue to fail this foundational mandate.


DTM 25-003: One Policy, No Ambiguity

DTM 25-003, Implementation of Zero Trust Cybersecurity Activities, mandates that all user accounts, administrative and non-administrative alike, reside within a centrally managed ICAM authoritative source. The policy leaves no room for legacy shadow identity stores: application-specific identity silos, unmanaged privileged accounts, and disconnected service accounts must be decommissioned or federated into the enterprise ICAM.


Why Programs Stumble: Shadow Stores & Incomplete Inventories

Failure to meet these requirements is not theoretical: DoD IG audits confirm persistent shadow accounts in legacy applications, while GAO reports document incomplete user inventories and unreliable access governance. Even programs well along in their Zero Trust journey often stumble on these basics because:

  • Legacy applications continue to maintain independent user databases outside of ICAM.

  • Privileged accounts and service identities are inventoried inconsistently.

  • Lack of automation means inventories drift the moment users change roles.


This directly undermines the User pillar of the DoD Zero Trust Architecture Course of Action (CoA), which requires a consolidated user inventory feeding live identity data into every access decision.


Requirements: No Shortcuts, No Exceptions

To meet the Strategic Foundation of the DoD ZTA CoA, every program must:

  • Identify every application and account type that still uses its own internal user management.

  • Plan for decommissioning all local application accounts, or federating them into the centralized ICAM.

  • Maintain a current and complete inventory of all user and privileged accounts in ICAM.

  • Centrally tag each application account as regular or privileged.

  • Automate the entire inventory process so that it cannot drift and does not depend on periodic manual audits.
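
The failure modes listed under "Why Programs Stumble" and the requirements just above reduce to one recurring check: diff every application's local user table against the ICAM export, and diff successive ICAM snapshots against each other. The script below is an added example for this post; it is not code from the original page, from DTM 25-003, or from Zephon's AISE product. The export formats, field names (`status`, `privileged`, `admin`) and every account name are constructed assumptions, so adapting it means mapping your real ICAM and application exports onto those fields. It flags three of the conditions the post describes: shadow accounts (present in an app, absent from ICAM), orphans (disabled in ICAM, still present in an app), and privilege granted locally that the authoritative source does not record.

```python
"""Reconcile application-local user stores against the ICAM authoritative source.

Added example for this post; not code from the original page, from DTM 25-003,
or from Zephon's AISE product. All identifiers, field names and sample accounts
below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    app: str
    user: str
    kind: str      # "shadow", "orphan" or "local_privilege"
    detail: str


@dataclass
class Report:
    findings: list = field(default_factory=list)
    # Consolidated inventory keyed by ICAM username:
    # {user: {"privileged": bool, "status": str, "apps": [app, ...]}}
    inventory: dict = field(default_factory=dict)

    def by_kind(self, kind):
        return [f for f in self.findings if f.kind == kind]


def reconcile(icam, app_stores):
    """Diff every app-local user table against the ICAM export.

    icam:       {username: {"status": "active"|"disabled", "privileged": bool, ...}}
    app_stores: {app_name: [{"user": str, "admin": bool}, ...]}
    """
    rep = Report()
    # Seed the inventory from the authoritative source so every ICAM account is
    # listed even when no application currently references it.
    for user, rec in icam.items():
        rep.inventory[user] = {"privileged": rec["privileged"],
                               "status": rec["status"], "apps": []}

    for app, users in app_stores.items():
        for entry in users:
            user, local_admin = entry["user"], entry["admin"]
            rec = icam.get(user)
            if rec is None:
                # Shadow account: exists only in the application's own store.
                suffix = " (local admin)" if local_admin else ""
                rep.findings.append(Finding(app, user, "shadow",
                                            "no ICAM record" + suffix))
                continue
            rep.inventory[user]["apps"].append(app)
            if rec["status"] != "active":
                # Orphan: ICAM disabled the identity but the app never deprovisioned it.
                rep.findings.append(Finding(app, user, "orphan",
                                            f"ICAM status is {rec['status']} but account still present"))
            if local_admin and not rec["privileged"]:
                # Privilege granted in the app that the authoritative source does not know about.
                rep.findings.append(Finding(app, user, "local_privilege",
                                            "app grants admin but ICAM does not mark account privileged"))
    return rep


def drift(previous, current):
    """Compare two ICAM snapshots; any changed, added or removed record needs re-review."""
    changed = {}
    for user in set(previous) | set(current):
        old, new = previous.get(user), current.get(user)
        if old != new:
            changed[user] = {"before": old, "after": new}
    return changed


# Constructed sample data (hypothetical accounts, not real identities).
ICAM_PREVIOUS = {
    "jdoe":    {"status": "active",   "privileged": False, "role": "analyst"},
    "asmith":  {"status": "active",   "privileged": True,  "role": "sysadmin"},
    "bwong":   {"status": "active",   "privileged": False, "role": "contractor"},
    "svc_etl": {"status": "active",   "privileged": True,  "role": "service"},
}
ICAM_EXPORT = {
    "jdoe":    {"status": "active",   "privileged": False, "role": "analyst"},
    "asmith":  {"status": "active",   "privileged": True,  "role": "sysadmin"},
    "bwong":   {"status": "disabled", "privileged": False, "role": "contractor"},
    "svc_etl": {"status": "active",   "privileged": True,  "role": "service"},
    "rnew":    {"status": "active",   "privileged": False, "role": "analyst"},
}
APP_STORES = {
    "legacy-hr": [
        {"user": "jdoe", "admin": False},
        {"user": "bwong", "admin": False},       # disabled in ICAM, still here: orphan
        {"user": "tmp_admin", "admin": True},    # no ICAM record: shadow (and privileged)
    ],
    "ticketing": [
        {"user": "jdoe", "admin": True},         # admin locally, not privileged in ICAM
        {"user": "asmith", "admin": False},
        {"user": "svc_etl", "admin": True},
        {"user": "svc_backup", "admin": True},   # no ICAM record: shadow service account
    ],
}

if __name__ == "__main__":
    report = reconcile(ICAM_EXPORT, APP_STORES)
    for f in report.findings:
        print(f"{f.kind:16} {f.app:10} {f.user:12} {f.detail}")
    for user, change in drift(ICAM_PREVIOUS, ICAM_EXPORT).items():
        print(f"drift            {user:12} {change['before']} -> {change['after']}")
```

Run it as a scheduled job against fresh exports rather than once: the `drift` output is what turns the inventory into a live feed, and any application that keeps producing `shadow` findings is one that still has not been federated or decommissioned.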


The NSA ZIG leaves no room for doubt: continuous discovery, real-time inventory, and the elimination of duplicate or orphaned identity stores are the new baseline for DoD Zero Trust maturity.


AISE: Clear, Defensible Scoring for DoD Maturity

AISE addresses this directly. AISE automatically produces separate maturity scores for both the DoD ZTA CoA and the CISA ZTMM from a single, comprehensive assessment. You get a clean DoD CoA scorecard, free of 'civilian framework' noise and confusion, making it fast and defensible to show exactly where you stand on User Inventory as mandated by DTM 25-003.


One assessment. Two scorecards. Your DoD ZTA CoA User Inventory maturity score and your CISA ZTMM score - separate, clean, and defensible.

What Good Looks Like: Zero Trust User Inventory, No Compromises

The gold standard: every account, application, and privilege mapped to a single authoritative ICAM source, with automated tools in place to prevent the introduction of shadow or disconnected stores. This model delivers the enforceability and visibility needed for true Zero Trust, and stands up to the scrutiny of any CoA validation or Inspector General review.


Identify your User Inventory risks today: Get your DoD ZTA CoA scorecard at zephon.tech/zt to support DTM 25-003 implementation.



© 2026 by Zephon LLC

McKinney, TX
