Pentagon ponders going mobile with CAC

Any solution in this "very complicated field" will have to reach beyond the Defense Department.

The Defense Department is exploring ways to build on the success of the Common Access Card by extending identity management to mobile devices.

The rise of mobility in the government workplace means yet another case of policy playing catch-up with technology, and officials say they are hard at work establishing the identity management challenges inherent to the transition.

At the Defense Department, access to anything -- whether it is the gates to a facility or a computer workstation -- largely hinges on the Common Access Card (CAC), which is tied to the Defense Enrollment Eligibility Reporting System. DEERS is the central database that DOD's Defense Manpower Data Center uses to manage the identities of roughly 42 million troops, civilians, contractors, dependents and retirees.

Whatever comes next in identity and access management that will allow federal users onto government networks through mobile devices also will have to be compatible with DEERS.

Speaking at a recent AFCEA event in Washington, DOD officials said they are examining possibilities in near-field communications -- the technology that allows some Android users to share data by touching phones -- as well as in derived credentials employed via options such as microSD and SIM cards that are inserted into devices. Even biometric identification is on the table to move the Pentagon away from the bulky external card readers on which CACs rely.

But any next-generation identity management solutions will have to clear policy and technology hurdles -- and not just at the Pentagon.

"The challenge there is because of the policies around federal [personal identity verification] cards, which have a whole lot of esoteric nonsense that we have to plow through," said Michael Butler, Defense Manpower Data Center deputy director for identity services, who added that he has seen successful examples. "We've worked with Google, Samsung, a number of different folks, and we're working on an NSA assessment. It's really pretty simple technically; it's really making all the standards work and getting all the standards folks to agree with it that's the hard part."

It is not just a DOD problem, though. Greg Youst, chief mobility engineer at the Defense Information Systems Agency, said that across the government, all eyes are on a yet-to-be-released document from the National Institute of Standards and Technology that will better define the use of derived certificates that use the same access-management data that is stored on a CAC, without using the card itself.

"Keep your eyes open for NIST special publication 800-157," said Youst, noting that the guidelines will help set policy for federal mobility writ large, as will forthcoming decisions from the Office of Management and Budget. Both sets of guidance will address how derived credentials will be used securely -- and, most agree, will be central to federal mobility.

"One of the requirements from OMB says that the certificate has to be separate from the device it's authenticating in," Youst said. "Here's the debate. Is a microSD separate? I can take it out and put it back in. What about a SIM chip? I can take it out, but now the phone doesn't work. There's still policy stuff that's being worked out at the federal level on how we're going to approach mobility and [public key infrastructure], and this is a very complicated field."