Trustworthy
People are used to accessing their money at any automated teller machine quickly, safely and pretty much wherever they go, thanks to worldwide banking networks built up over the last 55 years. Now the Defense Department is following the ATM example to give military personnel and contractors equally smooth access to DOD buildings and networks, while also complying with Homeland Security Presidential Directive 12 that mandates a secure, governmentwide credential.
The banking industry’s Star, Cirrus and Plus electronic funds transfer and ATM networks rapidly handle trillions of annual transactions from more than 1.3 billion U.S. credit and debit cards. Fraud, however, has been a persistent problem. DOD hopes to avoid fraud by replacing its current Common Access smart cards with forthcoming HSPD-12 credentials that are:
- Interoperable and nonredundant across organizational boundaries
- Securely tied to an individual’s biometrics, background data and documentation
- Quickly revoked if an individual is no longer entitled to access
- Subject to consistent, auditable rules
- Standardized across the entire departmental enterprise, but with local privilege management.
Mary Dixon, deputy director of the Defense Manpower Data Center (DMDC) and a longtime Common Access Card (CAC) proponent, says DOD “has made a lot of progress with some issues. Even if we don’t resolve all the issues, we’ll be 85 percent completed by October 2006, and we fully expect to meet the deadlines to issue cards to new employees plus those who hold expired credentials.”
To date, the department has issued about 10 million CAC cards, of which about 4 million are now active. In October — the HSPD-12 deadline to begin issuing cards — DOD will update its 2,000 card-issuing workstations, including about 400 deployable stations, to distribute new HSPD-12-compliant cards that embed two fingerprints per person.
“It will take until late 2010 to complete,” Dixon says. “The cards have a three-year expiration date, and the rollout will add an extra year. But we’re not in the same status as agencies that have nothing in place. DOD already had the infrastructure to meet many of the HSPD-12 requirements. We did have to change a couple of business processes and the card technology.”
Dixon says she thinks “DOD and a handful of other agencies that have done a lot of credential groundwork are ahead of most of the rest.” Among the leaders, she names the Homeland Security, Interior, State and Veterans Affairs departments, as well as NASA.
Help at Hand
— Defense’s Mary Dixon
To speed up acceptance of CAC and other smart cards governmentwide, DMDC in January formed an alliance with the Federation for Identity and Cross-credentialing Systems (FiXs). The Herndon, Va., industry coalition helps DOD “share what we have and help answer questions,” Dixon says.
“All the agencies are trying to share solutions,” she continues. “We need our commercial partners in FiXs — neither side can get along without the other very well. [Contractor companies] need to accept DOD credentials, and we need to accept their credentials.” The trust agreement means DOD will not have to maintain the infrastructure and bear the cost by itself, she says, “and the company knows sooner than we do when a contractor is no longer affiliated and the credential should not be accepted.”
That degree of trust between DMDC and FiXs members “is a step up in security,” Dixon adds. “There are operating rules that FiXs manages and that the government agrees are acceptable. But just because contractors present the credential, it doesn’t mean they get access — they must be authenticated,” which gives the government what she calls “de facto veto power.”
When a contractor presents a credential at a military site, the ID will be checked via a Web service against that company’s employee database, which will then respond with a photo and a biometric check, if necessary. The ultimate acceptance or rejection, however, “is a local decision at the base, camp or station,” Dixon says. “There’s a distinction between presenting a credential and getting into a military site.”
She estimates that the cost of distributing the CAC has been around $6 per card for 10 million cards, each bearing a photo, although it is not digitally embedded in the card’s chip. The card readers have cost DOD about $17 each, plus the middleware costs of about $2 to $7 per seat for personnel with computers — but not all cardholders use them. Overall, the cost of current credentials has been about $100 million over the last six years, Dixon says.
“We’re still figuring out the marginal cost of the HSPD-12 cards,” she adds. “There’s a lot of good work going on to share resources without everyone trying to do their own thing. This is a good approach and reasonably affordable.”
FiXs president-elect Michael Mestrovich says many of his organization’s members “have joined to take advantage of the cross-credentialing network,” which will resemble the international ATM banking networks. Not surprisingly, the federation members include several banking and clearinghouse institutions.
In Mestrovich’s view, the possibilities for Internetworking credential checks are “limitless — FiXs is not driven by the government, although it works with DOD and the General Services Administration. We’re on track to declare it worldwide” in most areas except war zones, following final tests this spring for DOD operation at bases, camps, stations, official buildings, shipyards and laboratories.
The interoperability tests just completed were “for regular authentication with digital photos but not biometric fingerprints,” Mestrovich adds. “It takes three to five seconds, depending on the local infrastructure. Behind a DOD or a vendor’s firewall, each case is slightly different.”
Matching a biometric print against a database takes longer, about five to seven seconds. Mestrovich says he is confident that “modifications over the next three or four months will speed that up.”
The current CAC goes only to DOD personnel. In contrast, the HSPD-12 credential and FiXs network will have the capability to admit DOD personnel to DOD as well as vendors’ locations, and vice versa. He estimates there are about three times as many contractors as DOD personnel who will need the new credential.
“A third possibility is to apply it across other government agencies” to comply with HSPD-12, Mestrovich says, “and the network could also work from company to company.”
