DOD's Deasy: The CAC Will Be Here for a While
The Pentagon's CIO says the Common Access Card will remain a key component of the Defense Department's identity management system.
All of those headlines heralding the end (or at least the beginning of the end) of the Defense Department’s Common Access Card might need to be put on hold. The CAC is staying put.
Defense Department CIO Dan Deasy, speaking Sept. 6 at the Billington Cybersecurity Summit, noted that when most people hear about identity and credential management at the DOD, they think of the CAC. “They have been a key component of the DOD security. Something you may have heard, that the CAC is going away,” he said, according to FedScoop. “Well, from my standpoint, the CAC will remain the department’s principle authenticator for the foreseeable future.”
The stance is notable because former DOD CIO Terry Halvorsen heralded the end of the Common Access Card in 2016 and the Defense Information Systems Agency, the Pentagon’s IT services branch, has been working on the first CAC replacement prototypes. The prototypes are part of a broader plan within DISA to deploy new ways to validate users’ identities through biometrics that go beyond the normal methods of authentication, and include a user’s gait, or manner of walking.
Deasy indicated that such an authentication system will not be deployed across the DOD in a widespread manner in the near future. According to FedScoop, Deasy said:
The department must be ready to adapt, as well as accommodate an environment [with] more than 4.5 million users that is rapidly evolving due to current and emerging threats from our adversaries. DOD has always been a pioneer when it comes to driving innovation. We must continue to do so and incorporate key storage and biometrics to prepare for a future where we need quantum-resistant cryptography. These innovations will become critical to ensure our warfighters continue to operate in a secure environment.
The goal of the Pentagon’s Identity, Credentials and Access Management strategy is to allow the department to “know who [or what] is on the network at any given time” and create a “secure, trusted environment where any of our users can access all of the authorized resources, including applications and valuable data,” Deasy said, according to FCW.