The Navy is keeping a close eye on its current access card program for vendors and contractors to get on base.
Former acting Navy Secretary Sean Stackley told lawmakers the service is closely watching its Defense Biometric Identification System (DBIDS) as vendors and contractors make the switch by Aug. 15.
In a letter to Congress, Stackley stated the Navy is reviewing DBIDS, the Navy Commercial Access Control System (NCACS) and four other variations to make sure they meet Navy and Defense Department standards.
Stackley stated in the letter that so far DBIDS offers the greatest security for Navy installations, is cost-effective and is the least cyber-vulnerable option.
“DBIDS increases installation security and communications by receiving frequent database updates on changes to personnel/credential status, law enforcement warrants, lost/stolen cards, and force protection conditions. The system provides a continuous vetting anytime the DBIDS card is scanned at an installation entry point,” a Navy release stated.
The Navy began transitioning to DBIDS in December 2015. All Navy and government civilians began using the system by the end of 2016.
In April, the Navy began transitioning all vendors, contractors, subcontractors, suppliers and service providers seeking base access from NCACS to DBIDS.
Contractors and vendors currently use RAPIDgate passes to get onto Navy bases. Those passes were issued by a company called SureID.
However, a 2013 DoD Inspector General report found 10 RAPIDgate pass holders should never have been issued passes due to prior convictions.
The report stated 52 felons routinely entered Navy installations, including a child molester.
Since the Navy announced its move away from RAPIDgate to the new DBIDS system, SureID has laid off nearly 300 employees.
DoD and the military services have been trying to move away from traditional access cards.
Former DoD Chief Information Officer Terry Halvorsen set a goal to phase out Common Access Cards in the next two years.
“The whole CAC infrastructure limits what we can do to get information to people, and frankly it makes me have to adapt security measures that sometimes aren’t all that secure,” he said last year.
A new identity management regime that’s made up of many different ways to verify that a user is who he or she claims to be could also, in theory, achieve another of the Defense Department’s goals: applying a sliding scale of cybersecurity protection to data depending on its sensitivity.
Different recipes of authentication schemes could come into play, with more sensitive information requiring progressively higher degrees of assurance that the eyeballs on the other end of a computer terminal have the authorization to see it.
In June, the Defense Innovation Unit-Experimental reached an agreement with Plurilock Technologies, a Victoria, British Columbia-based firm that holds several patents on behavior-based authentication (or, “behaviour-based,” to our friends to the north).
The company claims that after spending about 20 minutes monitoring and analyzing the specific patterns people engage in when using their computers — particularly their habits when pressing keys on their keyboards and their mouse movement techniques — its software can build a reliable digital fingerprint for any user that can be used later on to sound an alarm when an impostor is logged onto a system using someone else’s credentials.