On the hunt for a CAC replacement
- By Sean D. Carberry
- Sep 22, 2017
With every new security breach making headlines, agencies' search for better identity management and authentication tools becomes more urgent. The Defense Department, with its long-standing commitment to two-factor authentication, is leading the way.
For more than 10 years, the Common Access Card has been DOD's standard identity credential, and the often-maligned card is not going away anytime soon. But Defense officials are making headway on identity management tools that can eventually replace the CAC.
In June 2016, DOD's then-CIO Terry Halvorsen announced that the chip-based CAC's was neither agile nor secure enough for today's environments and that he wanted to have replacement technologies in two years, a timeline he later admitted might have been too aggressive.
Halvorsen wanted a suite of 10 or more biometric and behavioral tools that could be used in a mix-and-match fashion so that for any login attempt, a user might be subject to five of those measures.
A year later, the Defense Innovation Unit Experimental and DOD's Office of the CIO are testing and evaluating several commercial technologies that are demonstrating the ability to interface with the vast array of existing military networks and systems and that have the potential for wide-scale deployment as next-generation identity management solutions.
Col. Tom Clancy, identity and asset management lead in the DOD CIO's office, recently said that CAC replacement is more likely to be an evolutionary process than a revolutionary one.
"In the absence of a 'forklift' replacement for the CAC, DOD is piloting vendor products that complement the CAC by addressing the use cases that CAC was unable to support," he said. "In some of those cases, we had previously been accepting risk by using username/password. All of the capabilities we're looking at show promise in supporting the operational mission while improving resistance to replay."
DIUx is currently conducting proof-of-concept prototyping with companies Plurilock, Lastwall and Yubico, and the Defense Information Systems Agency is also partnering with industry to explore continuous multifactor authentication solutions.
One of the key motivations and objectives for replacing the CAC is to increase standardization and interoperability with the country's allies. Clancy said the National Institute of Standards and Technology's new SP 800-63 digital identity guidelines are central to normalizing identity management at DOD. The department played a significant role in coordinating the new standards and brought mission partners into the process.
Clancy added that maximizing the use of commercial technology "will help drive down onboarding, life cycle and training costs, and reduce our reliance on [government off the shelf] products over time. DOD will continue to shift our coordination of identity capabilities and standards upstream to international standards bodies as a part of our normalization strategy."
He said initiatives include evaluating and then deploying sensors on "devices we're already purchasing — including biometrics and behaviors — [and that] appears to be near- to midterm from an enterprise adoption perspective."
More complex biometrics
DOD is also exploring other dimensions of authentication such as "channel, band and environment" and "broader knowledge of a person's patterns of life as factors," which Clancy said offers interesting opportunities but also presents regulatory and other challenges.
The approach requires evaluating the privacy and civil liberties implications of collecting more behavioral data on users and drawing conclusions from that data.
"These types of authentication may lend themselves to authenticating our own subscribers to our own resources using equipment issued and managed by the government," he said. "Establishing the policy context for federating these types of capabilities with mission partners is something we're already working on."
Plurilock, one of the companies partnering with DIUx, produces a behavioral biometrics platform designed to quickly learn how each user handles his or her mouse and keyboard and then continuously monitor the user profile to allow system access.
Plurilock CEO Ian Paterson said that DIUx is evaluating the company's software in a test environment on different platforms with a final goal of deploying it on a production, unclassified network. It's "
the same product that our financial services clients are using," Paterson said.
Yubico has just completed a pilot program with DUIx to test the company's YubiKey USB authentication device on more than 70 DOD platforms. Jerrod Chong, Yubico's vice president of solutions, said that his firm's open-standard device worked with more than 90 percent of the DOD systems in the test.
"We were quite surprised, and they were quite surprised," he said of the results. He added that there were some challenges with deploying the device in some combat scenarios, and there were other use cases the firm had not anticipated from its commercial applications.
Chong said Yubico and DIUx are sorting out the details and scope of the next phase of testing, and the company is evaluating back-end configuration changes to make the key compatible with all the devices in use at DOD. Phase two will involve more field-testing of the key in the hands of warfighters, he added.
Learning from CAC's deployment
Clancy said that regardless of which products DOD ultimately selects, Pentagon officials want to ensure flexibility and avoid being tied to any particular solution.
"DOD's current architecture and governance already facilitate a holistic, end-to-end view of identity, and support flexibility and future-proofing," he said. "We're continuing to improve that process and structure."
Former DOD CIO Teri Takai said that in addition to making sure whatever solutions DOD chooses are as forward-looking as possible, the department must consider the implications of its choices for other federal agencies.
"DOD really led the way from the standpoint of the CAC card in terms of what would be used across the federal government," she said. "One of the challenges that we faced when I started at DOD was just really even getting the rest of the federal agencies to implement the CAC card."
Takai said the complexity of deploying the CAC should inform the choice of the next technologies. "If they come up with a technology solution that doesn't require a card, that may or may not solve the problem depending on … how difficult it is to deploy," she added.
DOD will also have to consider the extent to which new technologies can be deployed centrally and how and when local control is necessary, Takai said.
Although there are a number of barriers to implementing a new identity management solution, she said culture will be less of a problem than it has been with other DOD reforms. "I think folks would love to find a solution that takes a lot less work to deploy than the current CAC," she added.
Still, she advised those hoping that DOD will select a solution quickly to be patient and let the evaluation process take its time.
"This is one case where it's really important to be thoughtful, to get the right solution, and then the time to really worry about a hurry-up is in terms of getting it deployed quickly," she said.
This article was first posted to FCW, a sibling site to GCN.
Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.