Dec 02 2016

DOD to Start Testing Secure Alternatives to Common Access Cards After Christmas

The Pentagon is moving forward with plans to replace the CAC card as a means for IT authentication.

The Defense Department plans to test a new approach to providing personnel with access to IT systems shortly after the Christmas holiday, as the Pentagon moves forward with DOD CIO Terry Halvorsen’s proposal to replace the Common Access Card within the next two years.

The CAC card is a “smart” card about the size of a credit card, and is the standard identification issued to active duty uniformed service personnel, Selected Reserve, DOD civilian employees and eligible contractors, the DOD notes. It is also the principal card used to grant physical access to buildings and controlled spaces, and it gives users access to DOD computer networks and systems.

The DOD has used CAC cards as an enterprisewide identity management tool since 2001, serving as a trailblazer for other agencies. So, as FCW notes, it was something of a shock when Halvorsen said in June that the DOD would start on a two-year plan to remove CAC cards from its information systems. At the time, he said CAC cards were “not agile enough to do what we want,” according to FCW, and that they had too much overhead in terms of cost, time and location, observing wryly that military personnel under fire should not have to fumble for their CAC card to access IT systems.

A New Kind of Authentication System

In November, Halvorsen said he had asked the IT industry to submit proposals for advanced ID management technologies that deliver “10-factor” security without the use of smart cards or any other new hardware, and that he had already received four proposals that he will review, according to Federal News Radio.

“And I wouldn’t be seeing the proposals if the groups looking at this weren’t already pretty close to being able to deliver,” he said at AFCEA’s TechNet Asia–Pacific conference in Honolulu in November. “It’s absolutely doable today, with today’s technology.”

It’s unclear which technologies the Pentagon will use to replace CAC cards, but in June Halvorsen speculated that the eventual solution might involve a combination of biometric authentication, behavioral pattern recognition and a cross-reference to users’ personal information.

DOD needs to evolve its authentication solutions, Halvorsen said, in part because CAC cards are expensive and difficult to issue and in part because identity management technology has advanced significantly since 2001.

“The whole CAC infrastructure limits what we can do to get information to people, and frankly it makes me have to adapt security measures that sometimes aren’t all that secure,” he said, according to Federal News Radio. “So [a replacement] is one of the things I’ve asked for for Christmas.”

Enhanced Cybersecurity Protections

The new system could also make it possible for the Pentagon to achieve another security goal: putting different levels of cybersecurity protection on data depending on how sensitive it is. With multiple factors of authentication, more sensitive data could require different combinations of authentication methods to access it, such as a retinal scan on a computer terminal, Federal News Radio noted.

“There are some secrets that are more secret than others,” Halvorsen said. “Security has to be around the mission, and not everything has to be at the same level. I don’t know why we have trouble getting our heads around this, but we do. One of the ideas that many of our international partners use, and I like, is they have completely unclassified networks and also restricted unclassified networks. We need to be thinking about that.”

Indeed, at a Nov. 1 event hosted by FCW’s sister publication Defense Systems, Halvorsen said that there is a group of nations — including Australia, Canada, New Zealand, the United Kingdom and several other NATO partners — that have agreed to move toward a single identity standard.

“And we’ve got to have a multifactor, agreed-upon security measure to ensure that identity,” he said.

