When former Defense Department Chief Information Officer Terry Halvorsen talked about moving on from the Common Access Card (CAC) as the main approach to network authentication, many observers scoffed at the idea.
Halvorsen, who recently joined Samsung as an executive vice president focusing on mobile enterprise strategies and helping to navigate government and regulatory business affairs, set a goal last June that the next authentication technology be more agile and less costly.
It looks as though the Defense Information Systems Agency is starting the process to make Halvorsen’s vision a reality.
Alfred Rivera, DISA’s director of the Development and Business Center, said during a panel sponsored by AFCEA Northern Virginia that the agency is moving toward multi-factor authentication, including biometrics and other “patterns of life” technologies.
“We are evaluating some solutions. We are about to put out a contract using an Other Transactions Authority equivalent,” Rivera said. “There is a contract. We were initially going to go through Defense Innovation Unit Experimental (DIUx), but now we are partnering with the Army through their OTA to do a contract. We are moving forward now and funding is available to do these initial pilots.”
Rivera said he didn’t have specific details of the pilots yet because they still are in the development phase. But, he said, DISA is planning multiple pilots over the next six to 12 months.
Halvorsen, who retired at the end of February, said in November that he expected DoD to start testing alternative CAC technologies after Christmas. But here we are almost in May, and the pilots still are a few months from really getting going.
Halvorsen said back in November that the eventual solution might involve some combination of biometrics such as iris scans, tools that monitor users’ behavior patterns and detect unusual deviations and some cross-referencing to users’ personal information.
Rivera said DISA has met with multiple vendors who have been able to prove there are several solutions, most notably biometric technologies, which are ready for testing.
“We’ve met with other scientific organizations like DARPA that have been evaluating this for multiple years. We are coordinating and collaborating with them,” he said. “There are capabilities that we are confident in and the next step is taking those and extending and expanding it to an organization as big as DoD.”
DISA has been working on a solution to the problem of having to use a CAC with a mobile device. The agency has been testing out different approaches to derived credentials, including an initiative called Purebred.
But this latest effort goes one step beyond derived credentials. In many ways, it’s part of DoD’s continued push toward the commercial sector.
Take the Pentagon’s initiative to develop hardened phones that can access secret and classified networks.
Rivera said DISA now is testing mobile devices that can work across the top-secret network — a step up both in terms of trust of the devices as well as the technology from where both were a few years ago.
“We have a couple of top-secret phones out there for evaluation to our mission partners. As we look at that, the business will drive it and we are seeing demand from our leadership across the department,” he said.
DISA started testing and approved a secure version of the Samsung Galaxy S4 in 2014 for secret-level data under the Defense Mobile Classified Capability program. DISA also tested the Motorola 4G Razr Maxx for top-secret communications in a new pilot program, but only for voice calls in 2014.
Whether it’s the CAC or mobile devices, the Pentagon recognizes it needs to advance: the way it assured identities in 2004 or 2017 will need to be stronger, better and faster, and the only way to get there is to follow the private sector’s lead.