Terry Halvorsen, the Defense Department chief information officer, wasn’t surprised in the least bit by the reaction he got when he announced he wants to phase out the Common Access Card (CAC) over the next two years.
“It’s a two-year goal and plan. Do I have all the details worked out? No. Was I surprised by the reaction? Absolutely not. It panned out exactly how I thought it would, but that’s part of why you do it,” Halvorsen said June 17 at a lunch sponsored by AFCEA Northern Virginia’s chapter in Vienna, Virginia. “Part of setting these goals and coming public is to get the dialogue, and not just the dialogue in the building, but to get the dialogue outside the building to get people in industry thinking, ‘Now they’ve said they are going to do it, let us think hard about how we help them and frankly how do you make money on doing that, and how do you help us get there.’ I will keep saying we will do this as it improves security, improves agility and, hopefully, lowers the overhead cost of maintaining that system.”
Halvorsen said he thinks all of that is doable in a 24-month timeframe.
But he also didn’t offer too many more details about how he would move to a more secure, agile identity authorization, authentication and verification process.
Insight by Red Hat: Learn how organizations are working to meet their missions in real-time by downloading this exclusive ebook.
“To be very clear, we are a on two-year plan to move off the CAC card for access to our information systems. I think it will still play a role for inside physical access, and certainly we will still have a physical identity card,” Halvorsen said. “But I want to make it clear, when we replace the CAC card, it will be public-key infrastructure. It will be multi-factor. We will not do this until we have a plan that doesn’t just keep security at the same level. Part of what’s driving that is we are not keeping pace in the mobility space inside the DoD like I think we need to. We need to be able to do more software-based authentication using different methods. It could be biometrics. It could be personnel data. It could be behavior. Those things have to come in.”
Halvorsen said they are working on a detailed plan to get off of it in two years. He admitted it may take longer than expected, and DoD may be operating with both CAC and its replacement for a short period of time.
“Two years is not a bad timeline because by then I’ve flipped two-thirds of the workforce. So if I can start that, I can start looking at ways for it to accelerate,” he said. “Two years wasn’t an arbitrary timeline. We did look at how we do distribution of the CAC card.”
But current and former DoD executives say the idea of moving to something more secure and easier to use than the CAC is not practical in the short term.
“Mr. Halvorsen must understand DoD acquisitions and programs, but he doesn’t acknowledge without money or a formal program, none of this will ever go anywhere,” said a DoD source, who requested anonymity because they didn’t have permission to speak to the press. “With 4.5 million users, it would require a formal program to acquire, test, field and support a change like this. My only conclusion is that Mr. Halvorsen is saying this for effect and to get DoD moving in a specific direction. I do support that concept and for a number of years there have been initiatives to have factors other than CAC, but for one reason or another when efforts move forward funding is cut or priorities changed.”
Like this DoD source, others also said the secure identity card is marbled into the military’s infrastructure like few other technologies.
The CAC is used to sign emails and documents such as travel orders. It’s used for physical access control. DoD has spent the last 15 years making the CAC the centerpiece of almost everything DoD provides from a technology and access control perspective.
“CAC still works, but are there more elegant solutions out there now?” asked Rob Carey, a former DoD deputy CIO and Navy CIO and now vice president of Vencore’s Navy and Marine Corps programs. “There are several that could be used out there, but I’m not sure what is reliable and scalable to what the government needs.”
Randy Vanderhoof, executive director of the Smart Card Alliance, said in an email to Federal News Radio that “as far as we are concerned, there is no better technology than the CAC currently available that every military person and contractor can use today.”
Carey said the challenges with using CAC with smartphones and tablet computers is what’s driving Halvorsen and others’ frustrations and desire to change.
He said the examples of online payment apps from Google or Apple show there are ways to secure sensitive information and make authentication biometric-based, at the very least.
“Where he got the ideas to use behavior authentication, I’m not sure because to me it sounds like there are some things that he’s heard about there and are ruminating in his head he’d like to deploy, but aren’t fully formed,” Carey said. “As a veteran of the smart card wars in the 2000s, I don’t think anything is happening on his watch. It’s too big of an infrastructure move. He could do some studies or plant some seeds.”
The DoD source said there has been no indication of moving away from CAC in the military’s 2018 budget planning under the Program Objectives Memorandum (POM) that they’ve seen or heard about.
“The only way to get change in DoD is to move people and money,” the source said. “People are scratching their heads. The first time we heard about this was in a recent meeting on PKI.”
The source said the mobility challenge is a difficult one, but it’s also something DoD has been spending a lot of time and resources on to solve.
“We do have a significant effort in derived credentials. Mr. Halvorsen recently re-prioritized the order of using derived credentials to focus on BlackBerrys first, Android phones second and then Apple iPads,” the source said. “We are looking at derived credentials for Windows Surface tablets using Windows 8.1 It worked well in a pilot and you could use the biometric scanner to log in and unlock Trusted Platform Module and there’s were the PKI credential lives.”
The source added the classified mobility program doesn’t require a CAC or CAC sleds — devices to make mobile devices read CACs — so there already are examples in DoD of other approaches that could work.
And while Carey and the DoD executive said conceptually Halvorsen’s idea to improve identity management and authentication makes sense, the two-year timeframe and the lack of any real plans make this more of a desired state than an actual expected end state.