The Defense Department has been trying to kill the Common Access Card for a long time. Before it does so, it wants to make it more like a commonly used authentication measure: the Personal Identity Verification (PIV) card.
Former DOD CIO Terry Halvorsen announced a two-year plan in June 2016 to move away from the CAC.
The CAC is a “smart” card about the size of a credit card, and is the standard identification issued to active duty uniformed service personnel, selected reserve, DOD civilian employees and eligible contractors, the DOD notes. It is also the principal card used to grant physical access to buildings and controlled spaces, and it gives users access to DOD computer networks and systems. Last year, the DOD tested alternatives to the CAC.
Before that replacement process is complete, the Pentagon wants to evolve the CAC to make it more like the PIV card, Andy Seymour, the DOD’s public key infrastructure manager, tells Federal News Radio. The goal is to bring more security and interoperability to the DOD’s authentication technology.
Directives Forthcoming for PIV Authentication
The PIV card was established during the George W. Bush administration under Homeland Security Presidential Directive-12. The PIV authentication certificate helps a federal user prove their identity to get access to secure systems and data. PIV cards allow users to receive, store, recall and send information in a secure manner by encrypting the data, the Veterans Affairs Department notes.
According to the National Institute of Standards and Technology (NIST), PIV authentication certificates on PIV cards (called “certs” for short in the IT security community) are “issued in a manner that satisfies the requirements for level of assurance 4 (LOA-4) for identity proofing, tokens, and token and credential management.”
“We are on the verge of releasing directives to the services that says you have 18 months to unlock the PIV certificate authentication that is currently on the card and start utilizing that for logical access,” Seymour tells Federal News Radio. “We are seeing the requirements that support PIV identity cert are more than what the CAC cert has.”
What’s behind the move? Seymour says “one of the big drivers” is to achieve “interoperability across the entire government space,” and not just DOD. The changes have been circulating in the military service branches for months and should not come as a surprise, according to Seymour.
“The identity management experts that I work with across the services all understand it. They all get it and know what it takes,” he tells Federal News Radio. “The Air Force folks already utilize this for other capabilities. They understand the PIV [authentication] and the certificate is on the CAC as we speak right now.”
In some of the military services, these authentications and certificates are locked and not viewable. For others, they can be unlocked.
There will likely be some hurdles ahead for DOD components, Seymour acknowledged. “They know it’s coming and they know it will be a challenge to reconfigure because you now have to look at the PIV [authentication] certificate instead of the CAC ID,” he says. “Some applications may have been using the email cert as identification and we will ask them to use the PIV [authentication] at the application level as well.”
The Benefits of a New Approach to Authentication
DOD likely wants to embrace the authentication approach taken by PIV because of how its authentication works. Federal News Radio reports:
NIST says the benefits of using PIV authentication are that systems and applications use one certificate to perform a digital signature operation through the private key associated with the certificate, and that the system performing the authentication can verify the signature while also validating the certificate itself.
PIV cards can be used to access high-value systems and systems that require fewer security protections.
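The mechanism the NIST passage above describes (one certificate on the card, a signature made with the private key bound to it, and a relying party that checks both the signature and the certificate) as an added Go example; this is not code from the article, NIST, or DOD. It assumes a constructed issuing CA and card key (ECDSA P-256, one of the algorithms PIV permits), a clientAuth extended key usage standing in for the real PIV-AUTH policy identifiers, and a relying-party nonce as the challenge; the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert for pub under parent; with parent == nil it becomes a self-signed CA.
// clientAuth stands in for the PIV-AUTH usage (real PIV-AUTH certs also carry policy OIDs).
func newCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed serial number
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// Setup builds a constructed issuing CA and one card credential: trust anchors, card cert, card key.
func Setup() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := newCert("Constructed Issuing CA", &caKey.PublicKey, nil, caKey)
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	card := newCert("DOE.JANE.0000000000", &cardKey.PublicKey, ca, caKey) // constructed subject
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, card, cardKey
}
// CardSign is the card's step: sign the relying party's fresh challenge with the PIV-AUTH private key.
func CardSign(cardKey *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, cardKey, h[:])
	return sig
}
// VerifyPIVAuth is the relying party's step: validate the cert to a trusted root, then check the signature.
func VerifyPIVAuth(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) error {
	// Chain to a trusted anchor, validity window and permitted usage are all checked here.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig) // proof of private-key possession
}
```

A relying party that skipped the Verify step would accept any self-issued certificate whose key signed the challenge, which is why the NIST description ties the two checks together.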
DOD is exploring other ways to improve the CAC, including something known as OPACITY, which, Federal News Radio reports, “is a protocol to protect contactless communication between the card and the system, and adding encrypted certificates that will let users do tap-and-go authentication.” This is crucial for first responders and others who need quick access to systems or facilities, the publication notes.
The effort to evolve beyond the CAC is an ongoing process, Seymour says. “The CAC is the anchor for everything for the DOD — physical access, logical access. It’s so difficult to try to do away with that and replace it with something else,” he says. “We are looking at a lot of multifactor authentication capabilities. We are looking at identity federation services. We are looking at federation with our mission partners. We’ve also got a big mobility program coming out of the Defense Information Systems Agency called Purebred that is going to help us with derived credentials on things like cell phones and make that user experience more frictionless and seamless.”