The Defense Department’s CIO announced a two-year plan to phase out CAC use on information systems.
Department of Defense CIO Terry Halvorsen announced on June 14 that his agency will be eliminating common access cards for authenticating users on information systems. “We are embarking on a two-year plan to remove CAC cards from our information systems,” he said at the Brocade Federal Forum in Washington D.C.
“Frankly, CAC cards are not agile enough to do what we want,” he said. According to Halvorsen, the cards have too much overhead in terms of cost, time and location. It's difficult, for example, to get to one's CAC card to access a system when mortar shells are flying, he quipped.
The plan is to use true multifactor authentication and some combination of behavioral or biometric information to allow users to access networks. Halvorsen was sure to clarify that DOD would not be eliminating public key infrastructure (PKI) encryption.
Defense Information Systems Agency Director Lt. Gen. Alan Lynn previously alluded to the notion of behavioral authentication. At an April event, Lynn suggested leveraging some form of commercial technology such as the popular traffic mobile application Waze, which monitor users’ travel patterns, exact location, speed and other data points to figure out how best to get drivers where they’re going. This information, Lynn said, could paint behavioral pictures, deviations from which could tip off system administrators that users might not be who they say they are.
Halvorsen also discussed data center consolidation, conceding that it’s “no secret, we’re behind in data center closures inside of DOD.” He announced the establishment of a panel within DOD – which will include some members of industry – to look at the 50 most expensive data centers currently in operation and figure out which should be closed. Halvorsen called this an easy first step, noting that the harder step will be determining where the data housed in those closed centers will go. That, he said, will be an enterprise decision, not an individual element decision.
Editor's note: This article was changed June 22 to correct a reference to PKI.
NEXT STORY: Is it time to buy cyber insurance?