Identity Management

Pentagon ponders going mobile with CAC

Placeholder Image for Article Template

The Defense Department is exploring ways to build on the success of the Common Access Card by extending identity management to mobile devices.

The rise of mobility in the government workplace means yet another case of policy playing catch-up with technology, and officials say they are hard at work establishing the identity management challenges inherent to the transition.

At the Defense Department, access to anything -- whether it is the gates to a facility or a computer workstation -- largely hinges on the common access card (CAC), which is tied to the Defense Enrollment Eligibility Reporting System. DEERS is the central database that DOD's Defense Manpower Data Center uses to manage the identities of roughly 42 million troops, civilians, contractors, dependents and retirees.

Whatever comes next in identity and access management that will allow federal users onto government networks through mobile devices also will have to be compatible with DEERS.

Speaking at a recent AFCEA event in Washington, DOD officials said they are examining possibilities in near-field communications -- the technology that allows some Android users to share data by touching phones -- as well as in derived credentials employed via options such as microSD and SIM cards that are inserted into devices. Even biometric identification is on the table to move the Pentagon away from the bulky external card readers on which CACs rely.

But any next-generation identity management solutions will have to clear policy and technology hurdles -- and not just at the Pentagon.

"The challenge there is because of the policies around federal [personal identity verification] cards, which have a whole lot of esoteric nonsense that we have to plow through," said Michael Butler, Defense Manpower Data Center deputy director for identity services, who added that he has seen successful examples. "We've worked with Google, Samsung, a number of different folks, and we're working on an NSA assessment. It's really pretty simple technically; it's really making all the standards work and getting all the standards folks to agree with it that's the hard part."

It is not just a DOD problem, though. Greg Youst, chief mobility engineer at the Defense Information Systems Agency, said that across the government, all eyes are on a yet-to-be-released document from the National Institute of Standards and Technology that will better define the use of derived certificates that use the same access-management data that is stored on a CAC, without using the card itself.

"Keep your eyes open for NIST special publication 800-157," said Youst, noting that the guidelines will help set policy for federal mobility writ large, as will forthcoming decisions from the Office of Management and Budget. Both sets of guidance will address how derived credentials will be used securely -- and, most agree, will be central to federal mobility.

"One of the requirements from OMB says that the certificate has to be separate from the device it's authenticating in," Youst said. "Here's the debate. Is a microSD separate? I can take it out and put it back in. What about a SIM chip? I can take it out, but now the phone doesn't work. There's still policy stuff that's being worked out at the federal level on how we're going to approach mobility and [public key infrastructure], and this is a very complicated field."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Wed, Dec 4, 2013

One word, stupid

Wed, Dec 4, 2013 SGW USA

Carrying the encrypted CAC card (or a facsimile) into retirement for access to DoD, OPM, VA and other gov agencies should also be mandatory. The current policy requiring retirees to create strong passwords that change bi-monthly to access on-line records is unworkable. Either that or return to providing those documents via email or even snail mail.

Wed, Dec 4, 2013 RF

SmartWatch is probably the answer. If they can really do biometric ID, then you can move to 3 factor authentication: 1) something you have (watch replaces CAC), 2) something you know (pin # to unlock device), and 3) something you are (biometric ID). The watch can store and present credentials via encrypted bluetooth or NFC. But it won't be cheap.

Tue, Dec 3, 2013

And wil they make the PIV card (non-Geneva convention) work in CAC devices?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group