DOD IT is killing CACs

DOD Common Access Cards

The military is ditching the computer Common Access Card reader.

"We are embarking on a two-year plan to eliminate CAC cards from our information systems," Defense Department CIO Terry Halvorsen said at a June 14 event sponsored by FedScoop and Brocade.

"Frankly, CAC cards are not agile enough," Halvorsen said, noting, "It is really hard to get you a CAC card when people are dropping mortar shells on you and you need to get into your system. That doesn't work."

Halvorsen said the Pentagon will be looking to move to a new hybrid user authentication model, "true multi-factor," that will combine biometric, behavioral analytics and passwords.

He said Pentagon officials will be working with NATO allies to develop a standard authentication process, so that NATO forces can better share IT functions.

CACs may still have a role for things like building access, Halvorsen added. The CAC announcement was one of several bits of news the DOD CIO dropped in his appearance.

Halvorsen also promised a new data center closure panel, made up of government and industry members, which will choose one of the Pentagon's top 50 data centers to close and determine where to route the homeless data. He also teased a DOD move to an "on-prem cloud-based system that will include hybrid cloud and public cloud." That formal announcement will come this summer, he said.

For contractors in the audience, Halvorsen sought to recast the traditional Pentagon-vendor relationship. Given constrained defense budgets, Halvorsen said, industry can't pitch projects that cost the Pentagon $100 million up front and will pay off only after several years

"You're going to have to share in that investment, and [then] share in the return," he told vendors, indicating a desire for creative arrangements.

Another ask: completely autonomous cybersecurity tools. With the lightning speed of digital attacks, Halvorsen said, "I can't have people in that loop" of breach response.

The DOD process of certifying commercial technology is "completely broken," Halvorsen also noted, echoing earlier comments. He expects to be able to offer larger, trusted firms some level of self-certification.  

"All of the upcoming changes will require close partnerships between the military and industry," Halvorsen added, and it will all need to happen as systems stay up and running.

"Unfortunately my business is growing: we're deployed everywhere," he said.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Thu, Jul 14, 2016

What I also found interesting is how the biometrics will be managed. With no CAC, that means authentication will have to be done over the wire/air...or the biometic will have to be cached on the laptop. Neither of these is particularly secure. Conversely, when the biometric is on a FIPS-compliant smart card, then you can match the biometric on the spot. Maybe this could use some re-thinking?

Fri, Jul 1, 2016 Mr. Anderson

Interesting read. I’m concerned about his statement on “true multi-factor”. Are we talking in garrison, theater of war or both? Behavioral analytics which to me, equates to dynamic biometrics. Examples include recognition by speech pattern, writing characteristics, typing rhythm, and hand movements to name a few. The question will be how the middleware reacts to the chaos of war. There was no mention of non-repudiation. How would you send an encrypted email? Automatic certificate download once the user authenticates? In the field it’s difficult to receive a solid wireless signal. I’m assuming the leadership’s direction will be hybrid proximity locks which will provide ease of use. But that will open up a slew of security concerns. With that said, I’m looking forward to seeing what they decide on.

Wed, Jun 22, 2016

"Frankly, CAC cards are not agile enough," Really?! Is that the actual reason for ditching the CAC? Or, is it that the CAC and supporting infrastructure technologies have been so compromised over the past 20 years that you can find a bootlegged CAC in Beijing almost as quickly as getting an appointment with your local Personnel Office and getting a new one issued that actually works right?

Tue, Jun 21, 2016 Pete Langley

Interesting, I currently have 170 personal and work related passwords to deal with and that's with the CAC card. What we need is a personal password vault that can be accessed from the battle field to the bathroom!

Thu, Jun 16, 2016

The reasoning isn't because you can't remember your CAC pin with mortar blasts. It's because if you damage your card during action or lock the pin by too many attempts, you are effectively locked out of potentially vital systems. While that's an easy fix at Al Udeid, little tougher at a FOB which typically don't have a PERSCO capable of unlocking your pin, let alone replacing a damaged CAC.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group