On the hunt for a CAC replacement

Defense officials are making headway on identity management tools that can eventually replace the Common Access Card.

With every new security breach making headlines, agencies' search for better identity management and authentication tools becomes more urgent. The Defense Department, with its long-standing commitment to two-factor authentication, is leading the way.

For more than 10 years, the Common Access Card has been DOD's standard identity credential, and the often-maligned card is not going away anytime soon. But Defense officials are making headway on identity management tools that can eventually replace the CAC.

In June 2016, DOD's then-CIO Terry Halvorsen announced that the chip-based CAC was neither agile nor secure enough for today's environments and that he wanted to have replacement technologies in two years, a timeline he later admitted might have been too aggressive.

Halvorsen wanted a suite of 10 or more biometric and behavioral tools that could be used in a mix-and-match fashion so that for any login attempt, a user might be subject to five of those measures.

Normalizing authentication

A year later, the Defense Innovation Unit Experimental and DOD's Office of the CIO are testing and evaluating several commercial technologies that are demonstrating the ability to interface with the vast array of existing military networks and systems and that have the potential for wide-scale deployment as next-generation identity management solutions.

Col. Tom Clancy, identity and asset management lead in the DOD CIO's office, recently said that CAC replacement is more likely to be an evolutionary process than a revolutionary one.

"In the absence of a 'forklift' replacement for the CAC, DOD is piloting vendor products that complement the CAC by addressing the use cases that CAC was unable to support," he said. "In some of those cases, we had previously been accepting risk by using username/password. All of the capabilities we're looking at show promise in supporting the operational mission while improving resistance to replay."

DIUx is currently conducting proof-of-concept prototyping with companies Plurilock, Lastwall and Yubico, and the Defense Information Systems Agency is also partnering with industry to explore continuous multifactor authentication solutions.

One of the key motivations and objectives for replacing the CAC is to increase standardization and interoperability with the country's allies. Clancy said the National Institute of Standards and Technology's new SP 800-63 digital identity guidelines are central to normalizing identity management at DOD. The department played a significant role in coordinating the new standards and brought mission partners into the process.

Clancy added that maximizing the use of commercial technology "will help drive down onboarding, life cycle and training costs, and reduce our reliance on [government off the shelf] products over time. DOD will continue to shift our coordination of identity capabilities and standards upstream to international standards bodies as a part of our normalization strategy."

He said initiatives include evaluating and then deploying sensors on "devices we're already purchasing — including biometrics and behaviors — [and that] appears to be near- to midterm from an enterprise adoption perspective."

More complex biometrics

DOD is also exploring other dimensions of authentication such as "channel, band and environment" and "broader knowledge of a person's patterns of life as factors," which Clancy said offers interesting opportunities but also presents regulatory and other challenges.

The approach requires evaluating the privacy and civil liberties implications of collecting more behavioral data on users and drawing conclusions from that data.

"These types of authentication may lend themselves to authenticating our own subscribers to our own resources using equipment issued and managed by the government," he said. "Establishing the policy context for federating these types of capabilities with mission partners is something we're already working on."

Plurilock, one of the companies partnering with DIUx, produces a behavioral biometrics platform designed to quickly learn how each user handles his or her mouse and keyboard and then continuously monitor the user profile to allow system access.

Plurilock CEO Ian Paterson said that DIUx is evaluating the company's software in a test environment on different platforms with a final goal of deploying it on a production, unclassified network. It's "the same product that our financial services clients are using," Paterson said.

Yubico has just completed a pilot program with DIUx to test the company's YubiKey USB authentication device on more than 70 DOD platforms. Jerrod Chong, Yubico's vice president of solutions, said that his firm's open-standard device worked with more than 90 percent of the DOD systems in the test.

"We were quite surprised, and they were quite surprised," he said of the results. He added that there were some challenges with deploying the device in some combat scenarios, and there were other use cases the firm had not anticipated from its commercial applications.

Chong said Yubico and DIUx are sorting out the details and scope of the next phase of testing, and the company is evaluating back-end configuration changes to make the key compatible with all the devices in use at DOD. Phase two will involve more field-testing of the key in the hands of warfighters, he added.

Learning from CAC's deployment

Clancy said that regardless of which products DOD ultimately selects, Pentagon officials want to ensure flexibility and avoid being tied to any particular solution.

"DOD's current architecture and governance already facilitate a holistic, end-to-end view of identity, and support flexibility and future-proofing," he said. "We're continuing to improve that process and structure."

Former DOD CIO Teri Takai said that in addition to making sure whatever solutions DOD chooses are as forward-looking as possible, the department must consider the implications of its choices for other federal agencies.

"DOD really led the way from the standpoint of the CAC card in terms of what would be used across the federal government," she said. "One of the challenges that we faced when I started at DOD was just really even getting the rest of the federal agencies to implement the CAC card."

Takai said the complexity of deploying the CAC should inform the choice of the next technologies. "If they come up with a technology solution that doesn't require a card, that may or may not solve the problem depending on … how difficult it is to deploy," she added.

DOD will also have to consider the extent to which new technologies can be deployed centrally and how and when local control is necessary, Takai said.

Although there are a number of barriers to implementing a new identity management solution, she said culture will be less of a problem than it has been with other DOD reforms. "I think folks would love to find a solution that takes a lot less work to deploy than the current CAC," she added.

Still, she advised those hoping that DOD will select a solution quickly to be patient and let the evaluation process take its time.

"This is one case where it's really important to be thoughtful, to get the right solution, and then the time to really worry about a hurry-up is in terms of getting it deployed quickly," she said.

This article was first posted to FCW, a sibling site to GCN.