DOD pushes toward CAC replacement

As insider threats and breaches continue to hit government agencies and the private sector alike, the search for better identity management and authentication tools has taken on newfound urgency. With its long-standing commitment to two-factor authentication, the Defense Department is on the front lines of that search.

The Common Access Card has been DOD's gateway to access and the standardized identity credential for more than a decade, and the often-maligned card is not going away anytime soon. But DOD officials say they are making progress on finding a suite of identity management tools to eventually replace the CAC.

Former DOD CIO Terry Halvorsen announced in June 2016 that the chip-based CAC's days were numbered, saying it was neither agile nor secure enough for today's environments. At the time, he said he wanted to have a new set of technologies in place within two years, though he later admitted that timeline might have been too aggressive.

Rather than a single solution, Halvorsen wanted a suite of 10 or more biometric and behavioral tools that could be used in a revolving mix-and-match fashion so that at any given moment a user would be subject to five of those measures to gain and maintain system access. In addition, Halvorsen said he did not want to issue a heavily proscriptive requirement but instead let companies present commercially available solutions for DOD to evaluate.

Normalizing authentication

A year later, the Defense Innovation Unit Experimental and DOD's Office of the CIO are testing and evaluating several commercial technologies that are demonstrating the ability to interface with the vast array of existing military networks and systems and that have the potential for wide-scale deployment as next-generation identity management solutions.

Col. Tom Clancy, identity and asset management lead in the DOD CIO's office, recently told FCW that CAC replacement is more likely to be an evolutionary process than a revolutionary one.

"In the absence of a 'forklift' replacement for the CAC, DOD is piloting vendor products that complement the CAC by addressing the use cases that CAC was unable to support," he said. "In some of those cases, we had previously been accepting risk by using username/password. All of the capabilities we're looking at show promise in supporting the operational mission while improving resistance to replay."

DIUx is currently conducting proof-of-concept prototyping with companies Plurilock, Lastwall and Yubico, and the Defense Information Systems Agency is also partnering with industry to explore continuous multifactor authentication solutions.

During his time as CIO, Halvorsen was a relentless evangelist for using commercial technology at DOD, saying he wanted a paradigm in which buying commercial technology was the rule, not the exception.

"DOD is working to maximize [commercial technology] by normalizing our standards and expectations in conjunction with the federal government and other mission partners," Clancy said.

One of the key motivations and objectives for replacing the CAC is to increase standardization and interoperability with the country's allies. Clancy said the National Institute of Standards and Technology's new SP 800-63 digital identity guidelines are central to normalizing identity management at DOD. The department played a significant role in coordinating the new standards and brought mission partners into the process.

Clancy added that maximizing the use of commercial technology "will help drive down onboarding, life cycle and training costs, and reduce our reliance on [government off the shelf] products over time. DOD will continue to shift our coordination of identity capabilities and standards upstream to international standards bodies as a part of our normalization strategy."

He said initiatives include evaluating and then deploying sensors on "devices we're already purchasing — including biometrics and behaviors — [and that] appears to be near- to midterm from an enterprise adoption perspective."

More complex biometrics

DOD is also exploring other dimensions of authentication such as "channel, band and environment" and "broader knowledge of a person's patterns of life as factors," which Clancy said offers interesting opportunities but also presents regulatory and other challenges.

The approach requires evaluating the privacy and civil liberties implications of collecting more behavioral data on users and drawing conclusions from that data.

"These types of authentication may lend themselves to authenticating our own subscribers to our own resources using equipment issued and managed by the government," he said. "Establishing the policy context for federating these types of capabilities with mission partners is something we're already working on."

Plurilock, one of the companies partnering with DIUx, produces a behavioral biometrics platform designed to quickly learn how each user handles his or her mouse and keyboard and then continuously monitor the user profile to allow system access.

Plurilock CEO Ian Paterson told FCW that DIUx is evaluating the company's software in a test environment on different platforms with a final goal of deploying it on a production, unclassified network.

"DOD is using the same product that our financial services clients are using," said Paterson, who added that the DIUx contract is the first federal deal for the company.

While he could not disclose the terms of the contract, which DIUx awarded in April, Paterson said he expects the project to serve as a stepping-stone for the company to move into more business with other federal agencies.

Yubico, which already does business with the federal government, has just completed a pilot program with DUIx to test the company's YubiKey USB authentication device on more than 70 DOD platforms. Jerrod Chong, Yubico's vice president of solutions, told FCW that his firm's open-standard device worked with more than 90 percent of the DOD systems in the test.

"We were quite surprised, and they were quite surprised," he said of the results. He added that there were some challenges with deploying the device in some combat scenarios, and there were other use cases the firm had not anticipated from its commercial applications.

Chong said Yubico and DIUx are sorting out the details and scope of the next phase of testing, and the company is evaluating back-end configuration changes to make the key compatible with all the devices in use at DOD. Phase two will involve more field-testing of the key in the hands of warfighters, he added.

Learning from CAC's deployment

Clancy said that regardless of which products DOD ultimately selects, Pentagon officials want to ensure flexibility and avoid being tied to any particular solution.

"DOD's current architecture and governance already facilitate a holistic, end-to-end view of identity, and support flexibility and future-proofing," he said. "We're continuing to improve that process and structure."

Former DOD CIO Teri Takai said that in addition to making sure whatever solutions DOD chooses are as forward-looking as possible, the department must consider the implications of its choices for other federal agencies.

"DOD really led the way from the standpoint of the CAC card in terms of what would be used across the federal government," she said. "One of the challenges that we faced when I started at DOD was just really even getting the rest of the federal agencies to implement the CAC card."

Takai said the complexity of deploying the CAC should inform the choice of the next technologies. "If they come up with a technology solution that doesn't require a card, that may or may not solve the problem depending on…how difficult it is to deploy," she added.

DOD will also have to consider the extent to which new technologies can be deployed centrally and how and when local control is necessary, Takai said.

Although there are a number of barriers to implementing a new identity management solution, she said culture will be less of a problem than it has been with other DOD reforms. "I think folks would love to find a solution that takes a lot less work to deploy than the current CAC," she added.

Still, she advised those hoping that DOD will select a solution quickly to be patient and let the evaluation process take its time.

"This is one case where it's really important to be thoughtful, to get the right solution, and then the time to really worry about a hurry-up is in terms of getting it deployed quickly," she said.