Date: On demand
Duration: 1 hour
Cost: No Fee

Like Mark Twain, the reports of the Common Access Card’s impending demise have been exaggerated to say the least.

The standard identification card for Defense Department personnel is probably not going the way of compact discs as soon as you think. As Drew Malloy from the Defense Information Systems Agency pointed out, it’s not just about accessing DoD computers and networks – it’s also how personnel still get onto base and into buildings.

But if the notion of “killing the CAC” can be attributed to Malloy’s boss, DISA Director Lt. Gen. Robert Skinner, than it’s worth looking at his full quote from the 2021 Billington Cybersecurity Summit: “I want to kill the CAC as the primary authentication mechanism for the department.” (my emphasis added)

To that end, DISA is currently piloting several efforts around bring-your-own-device and using authentication beyond the CAC, according to Malloy.

“We wanted to give some flexibility in how we provision users and what multifactor authentication they can provide, be it hardware tokens, be it software-based authentication mechanisms, things of that nature,” Malloy said during a Federal Insights webinar sponsored by Okta on Federal News Network. “And then using that in order to do access control, and granular access control around what you’re allowed access to, if you come in using a username and password and a one-time passcode as opposed to your CAC-based identity.”

The Army also thinks the CAC will be useful and needed well into the future, according to Christopher Joseph Jr., acting deputy director of the Office of the Chief information Officer within the Army’s cybersecurity directorate.

But like DISA, the ground service is plowing ahead with efforts to look beyond the CAC to make it easier for its personnel to access their work. The Army is piloting a “MobileConnect” application for authentication using BYOD, and it’s also exploring software tokens and the Yubikey hardware authentication device as possible multifactor authentication measures.

“There’s a lot behind the CAC,” Joseph said. “I don’t think it’s going to be an overnight change where the CAC goes away, but we need to continue exploring other avenues for connections.”

Within the manpower, personnel and services directorate (A1) at Air Force headquarters, officials need to look beyond the CAC. That’s because it serves about 5 million customers, including veterans, retirees, new recruits and military families who don’t have CAC access, according to Jason Howe, chief information officer and deputy director for plans and integration at Air Force A1.

“What you see is the Air Force strategy is very much focused on commercial, multifactor capabilities that can scale very quickly, and are more comprehensive than what I’ve seen occurring in the past,” Howe said. “And I think there’s a lot of value. We care a lot about our stakeholders. And the way we protect them through zero trust and ICAM should be of the same security level as how we take care of our Airmen and Guardians.”

While much of the conversation around ICAM is understandably focused on enterprise capabilities and connections, Howe says officials also have to stay focused on the user experience and on modernizing how IT systems integrate with ICAM solutions.

“Making not just role-based, but data-based decisions on who can access what based on where they’re coming from, what I know about them, along with a token that could be a CAC,” Howe said. “I think any discussion of ICAM without the system user experience perspective is going to limit the value what an enterprise capability to bring.”

Sabrina Lea, director of DoD programs at Okta, says using open standards will be crucial as DoD explores a federated identity strategy that is connected across defense organizations but tailored to the unique needs and access requirements of individual users.

“I don’t think you’re going to just replace the CAC overnight, but you can complement the CAC and have a service that says, ‘Okay, this capability services, the CAC population, and it integrates and interoperates with this service that services the non-CAC population,’” Lea said.

Learning objectives:

• Current ICAM Vision
• Addressing the DOD Common Access Card
• ICAM and the Zero Trust Architecture

This program is sponsored by