With CPR app, Defense readies first aid for CAC cardholders
Wan Kim, left, senior analyst with ViaTech, resets his CAC PIN with help from project leader David Harris.
David S. Spence
The Defense Department's Common Access Card is the most ambitious federal smart-card program. About 10,000 cards are now being issued each day to meet an October deadline for one in the pocket of each of 4 million service members, contractors and civilian employees.
But for the millions of cardholders, it's just one more personal identification number to forget.
'People have too much information,' said Lt. Col. Greta Lehman, program manager for secure electronic transactions and devices in the Army's program executive office for enterprise information systems. 'I personally have no less than 22 PINs, passwords and account numbers. And that's just in my work life, not my personal life.'
Cardholders select their own six- to eight-digit PINs when they get their cards. Lehman said the memory problem surfaced almost immediately.
'About two years ago when we started rollout, we noticed that people would get their cards, go back to their workplaces and realize they had forgotten the PIN,' she said.
Absent-minded users had to go back to a CAC-issuing workstation to get a new PIN. There are 900 stations around the world'400 in the Army alone'and at least one at every major Defense installation. But each station already is busy working to meet the issuance deadline. Even after the deadline, they will be busy with the first round of replacement cards this fall.
'It's a problem that fully half of our people could be walking around' with unusable cards, Lehman said. 'That's a lot of business to dump on the issuers. They couldn't handle it.'
Keeping the program alive required CPR'a CAC Pin Reset application.
The CAC program management shop did the conceptual design and 'laid out the requirements,' Lehman said. 'We wanted as small a footprint as possible, that could be pushed down as far as possible to the local level. We wanted to be able to reset a PIN within five minutes and for it to be as simple as an automatic teller machine.'
The Defense Manpower Data Center did the software development, producing the first working application in January. CPR workstations now have gone to the Pentagon, Air Force, Navy and reserves for field testing.
'We're using the Pentagon as a joint-service test,' Lehman said. 'So far the average reset time has been about a minute. We're about ready to start fielding it.'
The Army already has requested 550 of the units, which consist of a notebook PC equipped with CPR software, two card readers and a fingerprint scanner. The CPR operator and the cardholder each insert their cards in a reader, the cardholder's fingerprint is scanned and, if it matches the data on the card, the cardholder can enter a new PIN.
It's simple for users but 'was very difficult to create,' Lehman said. 'The ID issuance is complicated for a reason''to ensure validity. The PIN reset process has to meet the high security level of the initial issuing process.
The National Security Agency, which has accredited CPR, requires the presence of a credentialed operator. But Lehman said she hopes the process can be further simplified to omit the operator.
'Our drive for the next year is to develop a kiosk where all you need is a biometric,' she said.
That will require improving the fingerprint template, however. The Army, the lead service for Defense's biometrics program, is working on a new version accurate enough to be used for standalone authentication. A lot of work remains to be done, Lehman said, but acquisition plans call for the Army to begin replacing PINs with biometrics for some base access technologies in fiscal 2004.
The Navy also wants to develop the ability to edit other CAC data, so that cards can be updated without burdening the issuance stations.