Contactless CACs slated for 10 DOD locations

Test will prove whether new cards will work with existing systems

At a glance

Who: Defense Department's Access Card Office

What: Testing contactless Common Access Cards on door readers

Where: 10 Defense locations in Alabama, Texas and Virginia

When: August through December

Why: To ensure the new cards meet the requirements under Homeland
Security Presidential Directive-12 for physical access control.

STEP FORWARD: 'The cards handle almost all of the data requirements to meet the October deadline,' said Mike Butler, chief of DOD's smart-card programs.

Rick Steele

Members of the Defense Department's Access Card Office like to say they eat their own dogfood in testing the contactless smart-identification card.

In a pilot begun earlier this summer, employees traded their Common Access Cards for a newer version that has both contact and contactless capabilities. Contact cards have to touch a card reader; contactless cards, which have a radio frequency chip, can be read at a short distance.

The test proved, on a limited scale, that the new CAC and associated hardware could be modified to accept the new standards under Homeland Security Presidential Directive-12 and Federal Information Processing Standard 201-1.

DOD now will test whether others across the country will be able to follow suit.

'A great big step'

'This is a great big step forward,' said Mike Butler, chief of DOD's smart-card programs, who is on detail to the General Services Administration to work on HSPD-12 implementation. 'The cards handle almost all of the data requirements to meet the October deadline.'

By Oct. 27, agencies need to issue at least one HSPD-12 compliant card that includes a cardholder unique identifier (CHUID) with a digital certificate.

Frank Jones, who also works in the Access Card Office, said DOD this summer will test the contactless cards at 10 other military locations around the country, involving more than 5,000 Defense employees.

He said the pilots will run in Alabama, Texas and Virginia between August and December.

'We want to make sure we don't break the functionality that is there today,' Jones said at an Interagency Smart Card Advisory Board meeting in Washington.

Separate issuance stations will be set up at each base to hand out the new cards. DOD also, from time to time, will trade the used cards for new ones to perform forensic analyses to ensure the cards are working properly.

Jones said the trading of cards will complement the Access Card Office's monthly data collection about the system.

'Go' or 'no go'

'We want to understand how the CHUID operates and is parsed by vendors,' Jones said. 'The key is for the card readers to read and interpret the CHUID and make the right 'go' or 'no go' decisions.'

Butler added that the test will include 10 vendor products.

The Access Card Office's pilot used the existing infrastructure in two buildings, said Eric Hildre of Technologies Industries of Williamsburg, Va.

He said the office learned that it will take longer than first thought to get started with the cards and card readers. He said one of the keys is to establish a lowest common denominator for the data elements of each user.

'PIV authenticity is easy, but validity is harder to achieve,' he said. 'We could authenticate data on the CAC but need to close the loop with validity in terms of the certificates and token status.'

Defense services and agencies are about 70 percent ready for HSPD-12, said Debra Gallagher, chief technology officer in the Access Card Office.

'We will be adding containers for the biometric and the [Federal Agency Smart Card Number],' she said at a recent HSPD-12 conference in Washington, sponsored by the Potomac Forum Inc. of Potomac, Md.

The Government Printing Office is designing the new card to include optical variable ink, ultraviolet images and a holographic magnetic stripe.

DOD, however, will not be fully HSPD-12 compliant for a number of years and will operate using the transition card, Gallagher said.

Gallagher said DOD's challenges include its large installed base'Defense has about 3.5 million active Common Access Cards'and the need for backward-compatibility to ensure that the old and new cards work.

GSA and the Office of Management and Budget's Executive Steering Committee for HSPD-12 also are developing governmentwide training modules for agencies.

The first two courses'Personal Identity Verification overview and PIV roles and responsibilities'are posted in USALearning.gov. The other three'privacy and awareness, technical architecture and appropriate uses'are expected in the next few months.

As agencies move closer to the October deadline, Hildre reminded the IAB of one important lesson: 'Every PIV implementation can and will be different. Look for flexibility ... everywhere in the solution, including the technology and business processes.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above