Identity Management

Pentagon ponders going mobile with CAC

The Defense Department is exploring ways to build on the success of the Common Access Card by extending identity management to mobile devices.

The rise of mobility in the government workplace means yet another case of policy playing catch-up with technology, and officials say they are hard at work establishing the identity management challenges inherent to the transition.

At the Defense Department, access to anything -- whether it is the gates to a facility or a computer workstation -- largely hinges on the common access card (CAC), which is tied to the Defense Enrollment Eligibility Reporting System. DEERS is the central database that DOD's Defense Manpower Data Center uses to manage the identities of roughly 42 million troops, civilians, contractors, dependents and retirees.

Whatever comes next in identity and access management that will allow federal users onto government networks through mobile devices also will have to be compatible with DEERS.

Speaking at a recent AFCEA event in Washington, DOD officials said they are examining possibilities in near-field communications -- the technology that allows some Android users to share data by touching phones -- as well as in derived credentials employed via options such as microSD and SIM cards that are inserted into devices. Even biometric identification is on the table to move the Pentagon away from the bulky external card readers on which CACs rely.

But any next-generation identity management solutions will have to clear policy and technology hurdles -- and not just at the Pentagon.

"The challenge there is because of the policies around federal [personal identity verification] cards, which have a whole lot of esoteric nonsense that we have to plow through," said Michael Butler, Defense Manpower Data Center deputy director for identity services, who added that he has seen successful examples. "We've worked with Google, Samsung, a number of different folks, and we're working on an NSA assessment. It's really pretty simple technically; it's really making all the standards work and getting all the standards folks to agree with it that's the hard part."

It is not just a DOD problem, though. Greg Youst, chief mobility engineer at the Defense Information Systems Agency, said that across the government, all eyes are on a yet-to-be-released document from the National Institute of Standards and Technology that will better define the use of derived certificates that use the same access-management data that is stored on a CAC, without using the card itself.

"Keep your eyes open for NIST special publication 800-157," said Youst, noting that the guidelines will help set policy for federal mobility writ large, as will forthcoming decisions from the Office of Management and Budget. Both sets of guidance will address how derived credentials will be used securely -- and, most agree, will be central to federal mobility.

"One of the requirements from OMB says that the certificate has to be separate from the device it's authenticating in," Youst said. "Here's the debate. Is a microSD separate? I can take it out and put it back in. What about a SIM chip? I can take it out, but now the phone doesn't work. There's still policy stuff that's being worked out at the federal level on how we're going to approach mobility and [public key infrastructure], and this is a very complicated field."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Reader comments

Wed, Dec 4, 2013

One word, stupid

Wed, Dec 4, 2013 SGW USA

Carrying the encrypted CAC card (or a facsimile) into retirement for access to DoD, OPM, VA and other gov agencies should also be mandatory. The current policy requiring retirees to create strong passwords that change bi-monthly to access on-line records is unworkable. Either that or return to providing those documents via email or even snail mail.

Wed, Dec 4, 2013 RF

SmartWatch is probably the answer. If they can really do biometric ID, then you can move to 3 factor authentication: 1) something you have (watch replaces CAC), 2) something you know (pin # to unlock device), and 3) something you are (biometric ID). The watch can store and present credentials via encrypted bluetooth or NFC. But it won't be cheap.

Tue, Dec 3, 2013

And will they make the PIV card (non-Geneva convention) work in CAC devices?
