Every federal worker or contractor accessing government data or facilities shares one common characteristic: the common access card (CAC) or personal identity verification (PIV) authentication system. It’s no secret that the current system has its challenges, as it simply wasn’t built for today’s modern IT solutions and evolving security threat landscape. Not only can a CAC/PIV card be easily lost or stolen, but they are also cumbersome to carry, costly to manage and don’t integrate well with emerging technology.
Department of Defense (DoD) knows these security and usability challenges all too well.
“We have to move away from the CAC as a form factor,” shared Steve Wallace, technical director at the Defense Information Systems Agency.
While finding a viable alternative approach has proven difficult, DoD’s recent announcement to solve the identity verification problem in the next two years using a new mobile-based approach represents a significant milestone in the path to modernization.
The complicated journey to CAC modernization
In 2016, former DoD chief information officer, and my now colleague, Terry Halvorsen shared his frustrations about the technology and intent to overhaul the system, “CAC cards are not agile enough to do what we want,” Halvorsen said. “We may still use them to get into a building or something, but we will not use them on our information systems.”
Establishing a CAC replacement requires separating the encrypted credential component from access cards. The Defense Department’s end goal — a “derived credential” — is “a software form of those PKI credentials that are on the CAC today being loaded into a device and stored on the device,” explained Jeremy Corey, lead engineer for DoD’s public key infrastructure.
For years, the National Institute of Standards and Technology (NIST) and DISA worked to extract card-contained credentials to make them compatible with mobile devices. DISA’s initiative, called Purebred, succeeded in establishing derived credentials and was implemented within DoD in 2017.
What’s possible with CAC reimagined
Now, the Defense Department is exploring opportunities to take authentication to the next level by leveraging the security, accessibility and convenience of mobile platforms.
As Anthony Montemarano, DISA’s executive deputy director, stated in a May 2018 Armed Forces Communications and Electronics Association’s cyber operations, “Everything’s going mobile … We’re looking at the young kids and that’s what they want, that’s what they expect. And those are the soldiers, sailors of tomorrow.”
New capabilities being explored that are only possible with this reimagined mobile approach include:
Behavioral credentialing: Devices will have built-in tools to collect and verify usage patterns to create a “risk score,” which — if within a safe range — will grant user access to federal systems and facilities. Conversely, uncharacteristic user behavior will result in a high-risk score, locking down the individual’s access. This continuous multi-factor authentication based on unique identifiers, like hand pressure and walking gate, will bring about heightened, dynamic access controls for agencies — verifying the individual, not just the device.
Location-based controls: Wallace also gave details on a GPS capability embedded in device chips that will factor a user’s physical whereabouts into their overall risk score. It is not possible with the old CAC system. The new tool will compare an individual’s location to their typical movements to determine if their behavior is risky. Eventually, agencies could also use GPS for “geofencing” in secured environments to notify personnel via their smartphone that they have entered a restricted zone. In classified spaces where certain phone apps or capabilities such as Bluetooth or camera are forbidden, geofencing could automatically disable those device features, then re-initiate them once the user is outside the space. This could prevent both accidental and intentional data breaches.
Per-agency customizations: Agencies will be able to pick and choose which capabilities they enable, customizing features to meet their particular organizational needs. In 2016, Halvorsen gave initial details of this concept, calling for “some combination of behavioral, probably biometric and maybe some personal data information that is set for individuals. There are other thoughts like iris scans. All of those are doable today.” Biometric sensors — which could use iris scanning, facial recognition and fingerprints to verify a user’s identity — are available as well, and under consideration for federal adoption in the future.
Compliance and standardization: The dynamic nature of new mobile-based CAC devices can also translate to new levels of standards compliance for agencies. Identity management and access control are core components of NIST’s updated framework, and the ability to incorporate new security and authentication measures as they roll out — or are mandated — is critical. On a broader scale, this can address the need for standardized and interoperable identity credentialing among international allies and DoD mission partners.
Considerations as mobile-based authentication strategies advance
CAC and PIV cards have been the de facto federal and DoD personnel authentication technologies for nearly two decades, and it’s time for a change.
The move toward a seamless and frictionless user experience for confirming you are who you say you are is on the horizon thanks to fresh thinking and a new approach. Simply by utilizing the incredible power of technology already in DoD users’ hands — mobile devices — the department can make cumbersome, inefficient authentication processes a thing of the past.
To stay ahead of the curve, DoD needs to pay particular attention to advances in areas like derived credentialing and continuous multi-factor authentication to paint a holistic vision for more secure and effective personnel authentication strategies. If implemented in the right way capitalizing on the collective efforts of industry partners, agencies can not only better meet a range of security, interoperability and compliance objectives, but also take advantage of the other productivity advantages inherent in a mobile-first deployment approach.
Chris Balcik is Samsung’s vice president of federal.