The End of the Common Access Card Could Be in Sight
The official start of summer is almost here, and so is the beginning of the end of the Common Access Card.
The Defense Department has long sought to move beyond the CAC to authenticate users’ identities, but now it’s getting serious about doing so. The Defense Information Systems Agency, the Pentagon’s IT services branch, plans to roll out the first CAC replacement prototypes this summer, according to top DISA officials.
The shift, which will begin with that initial rollout of prototype authentication devices, is part of a broader DISA plan to validate users’ identities through biometrics that go beyond the normal methods of authentication and include a user’s gait, or manner of walking.
DISA has been working to develop a suite of seven multifactor authentication tools. A video DISA posted in December lists the seven factors: GPS location, voice recognition, facial recognition, device orientation, trusted peripherals and trusted networks, as well as gait.
“Prototype devices for establishing assured identity are being developed right now,” Vice Adm. Nancy Norton, DISA’s director, said at an AFCEA cybersecurity operations conference in Baltimore in May, FCW reports. “The first few will arrive this summer to assist with determining the right test parameters,” with the agency planning to distribute 75 devices later this fall.
DISA Plans Overhaul of Authentication Tech
The CAC is a “smart” card about the size of a credit card, and it’s the standard identification issued to active-duty uniformed service personnel, selected reserve, DOD civilian employees and eligible contractors, the DOD notes. It is also the principal card used to grant physical access to buildings and controlled spaces, and it gives users access to DOD computer networks and systems. Last year, the DOD tested alternatives to the CAC.
However, the DOD wants to make authentication via biometrics easier for soldiers in the field. Identity management is becoming more critical as war fighters become more mobile. DISA wants to provide ways for officers and DOD officials to access classified and sensitive data on the go.
At the AFCEA conference, Norton said DISA will deploy an additional prototype that will give DOD testers “a more convenient alternative to using a CAC for authentication, decryption, and signing operations in [a] Microsoft Windows PC environment,” according to FCW.
According to Nextgov, the authentication pilot program is being developed by an unnamed private company with DISA funding. The technology, which will be embedded in smartphones, will use a variety of unique identifiers, such as the hand pressure and wrist tension when a user holds a smartphone and the user’s gait, Steve Wallace, technical director at DISA, tells Nextgov.
The publication reports:
Organizations that use the tool can combine those identifiers to give the phone holder a “risk score,” Wallace said. If the risk score is low enough, the organization can presume the person is who she says she is and grant her access to sensitive files on the phone or on a connected computer or grant her access to a secure facility. If the score’s too high, she’ll be locked out.
Wallace tells Nextgov the new tool will be able to continuously gather and verify encrypted identifying information.
After the pilots this fall and after kinks have been worked out, Wallace says that the tool will be embedded inside smartphone chipsets, and smartphone makers that supply the DOD with equipment will need to update their phones to take advantage of it. Wallace tells Nextgov he expects the technology to be commercially available within a couple of years and that the capabilities will be available “in the vast majority of mobile devices.”
It’s unclear how many smartphone makers or DOD organizations will use the tool, and it will be up to individual DOD components to decide whether to use it, Wallace tells Nextgov. DISA worked with some private-sector organizations, including in the financial sector, to gather data on whether the verification tool also meets their needs, according to Wallace. “We foresee it being used quite widely,” he says.