With more than 10 million Common Access Cards issued and currently in the hands of DOD personnel and contractors, DOD has learned how make use of smart ID cards.
With more than 10 million Common Access Cards issued and currently in the hands of 3.4 million DOD personnel and contractors, the Defense Department has learned how to issue and make use of smart ID cards.
Mary Dixon, director of the Defense Manpower Data Center, responsible for issuing all of those cards, now wants to see agencies begin issuing the civilian CAC counterpart, the interoperable Personal Identity Verification cards.
'Stop thinking about it and do it,' she told her Washington audience Wednesday at the Smart Cards in Government conference hosted by the Smart Card Alliance.
With enough cards in use, applications that provide a return on investment become practical, Dixon said. The more cards, the greater the return, and DOD wants to take advantage of that benefit of scale by leveraging PIV cards through a federated identity system.
'We cannot afford to credential every person I do business with,' she said.
DOD already is well into its CAC program, but civilian agencies have only scratched the surface of PIV. Homeland Security Presidential Directive-12 required agencies to demonstrate the capability of issuing the smart ID cards by last October. This required having an identity vetting program and a minimal card issuing system in place. Deployment and use of the cards will be phased in over several years.
Dixon said DOD already has demonstrated the worth of smart ID cards in a number of programs. It is being used to digitally sign and route documents in the Defense Travel System.
'It saves something like $35 per transaction using the system over the paper system,' she said.
It also is being used as an electronic purse for paying Marine recruits, who often do not have local bank accounts when they arrive at camp. The department is making plans to role the program out to other services.
'It means we don't have to handle cash, which is an expensive operation,' she said.
Using the cards for cryptographic log-on to DOD IT systems also has improved security by reducing the number of successful intrusions by 46 percent. A federated identity system that would let the department accept cards issued by other entities could improve security further by pushing the issuing process closer to the cardholder and could improve privacy by sharing only essential data needed for authenticating identity. Federated systems could include cards issued by other agencies, as well as by foreign governments and companies providing contractors to DOD. The department currently issues CAC cards to contractors working at DOD sites.
'My dream world is one in which we will never issue a CAC to a contractor,' Dixon said.
DOD is piloting a program for cross-certifying digital certificates in cards issued to contractors by their employers. 'This will be a big step forward for us,' because the department typically requires other entities to trust DOD certificates, she said.
But the key to making any smart-card application practical is getting enough cards in circulation and leveraging them through interoperability, Dixon said. If you can achieve a critical mass, 'it does work.'
NEXT STORY: State comes up short on information security