Identity Management

Pentagon ponders going mobile with CAC

Placeholder Image for Article Template

The Defense Department is exploring ways to build on the success of the Common Access Card by extending identity management to mobile devices.

The rise of mobility in the government workplace means yet another case of policy playing catch-up with technology, and officials say they are hard at work establishing the identity management challenges inherent to the transition.

At the Defense Department, access to anything -- whether it is the gates to a facility or a computer workstation -- largely hinges on the common access card (CAC), which is tied to the Defense Enrollment Eligibility Reporting System. DEERS is the central database that DOD's Defense Manpower Data Center uses to manage the identities of roughly 42 million troops, civilians, contractors, dependents and retirees.

Whatever comes next in identity and access management that will allow federal users onto government networks through mobile devices also will have to be compatible with DEERS.

Speaking at a recent AFCEA event in Washington, DOD officials said they are examining possibilities in near-field communications -- the technology that allows some Android users to share data by touching phones -- as well as in derived credentials employed via options such as microSD and SIM cards that are inserted into devices. Even biometric identification is on the table to move the Pentagon away from the bulky external card readers on which CACs rely.

But any next-generation identity management solutions will have to clear policy and technology hurdles -- and not just at the Pentagon.

"The challenge there is because of the policies around federal [personal identity verification] cards, which have a whole lot of esoteric nonsense that we have to plow through," said Michael Butler, Defense Manpower Data Center deputy director for identity services, who added that he has seen successful examples. "We've worked with Google, Samsung, a number of different folks, and we're working on an NSA assessment. It's really pretty simple technically; it's really making all the standards work and getting all the standards folks to agree with it that's the hard part."

It is not just a DOD problem, though. Greg Youst, chief mobility engineer at the Defense Information Systems Agency, said that across the government, all eyes are on a yet-to-be-released document from the National Institute of Standards and Technology that will better define the use of derived certificates that use the same access-management data that is stored on a CAC, without using the card itself.

"Keep your eyes open for NIST special publication 800-157," said Youst, noting that the guidelines will help set policy for federal mobility writ large, as will forthcoming decisions from the Office of Management and Budget. Both sets of guidance will address how derived credentials will be used securely -- and, most agree, will be central to federal mobility.

"One of the requirements from OMB says that the certificate has to be separate from the device it's authenticating in," Youst said. "Here's the debate. Is a microSD separate? I can take it out and put it back in. What about a SIM chip? I can take it out, but now the phone doesn't work. There's still policy stuff that's being worked out at the federal level on how we're going to approach mobility and [public key infrastructure], and this is a very complicated field."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected