The Defense Department expects to begin pilot programs to test out new IT authentication mechanisms shortly after the Christmas holiday, an early step toward the DoD chief information officer’s objective of completely eliminating the Common Access Card within the next two years.
DoD CIO Terry Halvorsen said he had asked the IT industry to submit proposals for advanced ID management technologies that deliver “10 factor” security without the use of smart cards or any other additional hardware, and that four such proposals are already on his desk awaiting his review.
“And I wouldn’t be seeing the proposals if the groups looking at this weren’t already pretty close to being able to deliver,” he said at AFCEA’s TechNet conference in Honolulu last week. “It’s absolutely doable today, with today’s technology.”
Halvorsen did not elaborate on what sorts of technologies might be able to meet DoD’s needs, but in June, when he first announced the initiative to replace the CAC, he speculated that the eventual solution might involve some combination of biometrics such as iris scans, tools that monitor users’ behavior patterns and detect unusual deviations, and some cross-referencing against users’ personal information.
Whatever the technology solution, Halvorsen said Friday, DoD needs to move beyond physical smart cards as its primary means of multifactor authentication, partially because they’re expensive and cumbersome to issue, and partially because the state of the art in identity management has moved on since DoD began its first large-scale rollout of the CAC card 15 years ago.
“The whole CAC infrastructure limits what we can do to get information to people, and frankly it makes me have to adapt security measures that sometimes aren’t all that secure,” he said. “So [a replacement] is one of the things I’ve asked for for Christmas.”
A new identity management regime that’s made up of many different ways to verify that a user is who he or she claims to be could also, in theory, achieve another of the Defense Department’s goals: applying a sliding scale of cybersecurity protection to data depending on its sensitivity.
Different recipes of authentication schemes could come into play, with more sensitive information requiring progressively higher degrees of assurance that the eyeballs on the other end of a computer terminal have the authorization to see it.
“There are some secrets that are more secret than others,” Halvorsen said. “Security has to be around the mission, and not everything has to be at the same level. I don’t know why we have trouble getting our heads around this, but we do. One of the ideas that many of our international partners use, and I like, is they have completely unclassified networks and also restricted unclassified networks. We need to be thinking about that.”
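The "sliding scale" described above is what identity engineers usually call step-up or tiered authentication: a resource's sensitivity tier sets the assurance it demands, and the session either meets it or is told which additional proof would. The evaluator below is an added example written for this page, not DoD's design or any vendor proposal; the tier names, thresholds, factor categories and the behavioral score are all assumptions, and it goes a little beyond the article by also handling the case the CAC-replacement proposals imply, where a continuous behavioral signal can lower a session's assurance after login.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """NIST-style factor categories: two factors of one category are not 'two factors'."""
    KNOWLEDGE = "something you know"     # password, PIN, security question
    POSSESSION = "something you have"    # enrolled device, push approval
    INHERENCE = "something you are"      # iris, fingerprint


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool = True


@dataclass(frozen=True)
class Session:
    factors: tuple          # Factors presented so far in this session
    behavior_score: float   # 1.0 = normal, 0.0 = strongly anomalous (assumed signal)


@dataclass(frozen=True)
class Tier:
    min_categories: int     # distinct factor categories required
    min_behavior: float     # behavioral score required to keep access


# Hypothetical sensitivity tiers, loosely mirroring the "unclassified /
# restricted unclassified" split Halvorsen mentions; all numbers are assumptions.
TIERS = {
    "public":     Tier(min_categories=1, min_behavior=0.0),
    "restricted": Tier(min_categories=2, min_behavior=0.5),
    "sensitive":  Tier(min_categories=3, min_behavior=0.8),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    achieved: frozenset      # categories already proven in this session
    step_up: frozenset       # categories that would satisfy the tier, if any
    behavior_ok: bool
    reason: str


def evaluate(session: Session, tier_name: str) -> Decision:
    """Decide whether the session's assurance meets the tier, and if not, what would."""
    tier = TIERS[tier_name]
    # Only verified factors count, and only distinct categories: a password
    # plus a security question is still a single category of evidence.
    achieved = frozenset(f.category for f in session.factors if f.verified)
    shortfall = max(0, tier.min_categories - len(achieved))
    behavior_ok = session.behavior_score >= tier.min_behavior
    # A shortfall is curable by step-up; a behavioral failure is not, because
    # the signal says the person at the terminal may no longer be the one who
    # authenticated, so the caller should re-verify rather than add a factor.
    step_up = frozenset(set(Category) - achieved) if shortfall else frozenset()
    reasons = []
    if shortfall:
        reasons.append(f"need {shortfall} more distinct factor categor{'y' if shortfall == 1 else 'ies'}")
    if not behavior_ok:
        reasons.append(f"behavior score {session.behavior_score:.2f} below {tier.min_behavior:.2f}")
    return Decision(not reasons, achieved, step_up, behavior_ok,
                    "; ".join(reasons) or "assurance meets tier")


def demo():
    """Constructed sessions exercising each outcome; returns the decisions for inspection."""
    password = Factor("password", Category.KNOWLEDGE)
    question = Factor("security question", Category.KNOWLEDGE)
    device = Factor("enrolled device", Category.POSSESSION)
    iris = Factor("iris scan", Category.INHERENCE)
    return {
        "knowledge_only":  evaluate(Session((password, question), 0.95), "restricted"),
        "two_categories":  evaluate(Session((password, device), 0.95), "restricted"),
        "needs_biometric": evaluate(Session((password, device), 0.95), "sensitive"),
        "behavior_drift":  evaluate(Session((password, device, iris), 0.60), "sensitive"),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:16s} allowed={d.allowed!s:5s} {d.reason}")
```

The two points worth taking from the example are that the "recipe" is expressed as distinct categories rather than a raw factor count, so stacking several knowledge factors never reaches a higher tier, and that the behavioral signal is evaluated on every access rather than once at login, which is what lets one session hold "public" access while being refused "sensitive" material without a fresh verification.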
Separately, Halvorsen said his office would issue additional directives by January to streamline the security processes DoD officials and industry must deal with in order to get new applications and other IT products approved.
In October, he signed a memo mandating reciprocity for security approvals among the military departments and Defense agencies. The broad presumption is that if the Air Force, for example, has already deemed a software package safe enough for DoD use, the Navy should not require the same vendor to run the testing gauntlet once again before the same product is used on naval networks. Any waivers from that presumption must be approved by the DoD CIO’s office.
“But the approval lines are way too long in the first place, and that’s hurting mission. I’ve heard the industry complaints, and I think they’re valid,” Halvorsen said. “We’re going to change the board structure for how we do both accreditation and authority to operate. It helps industry, and I’m glad, but the real reason we’re doing this is that I’ve heard from too many combatant commanders who say they can’t get the solutions they need because the security approvals take us too long. We’ve brought it down a little bit, and we’re going to bring it down some more.”