The Common Access Card has driven the Defense Department’s cybersecurity posture for much of the past 15 years. But the end of the CAC card may be near.
DoD Chief Information Officer Terry Halvorsen said June 14 that he plans to phase out the secure identity card over the next two years.
“We will not eliminate public-key infrastructure. We will not eliminate high security. But frankly, CAC cards are not agile enough to do what we want,” Halvorsen said at the FedForum 2016 sponsored by Brocade in Washington. “We may still use them to get into a building or something, but we will not use them on our information systems. We will use true multi-factor that actually does a couple of things for me — gets me more agile because there is an overhead for CAC cards, not just cost overhead, but a time overhead and in my business it’s a location overhead. It’s really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your systems. It just doesn’t work well.”
Halvorsen said he’d like to move to a behavior-based approach for network authentication.
“If I structure it right, I could build the behavior pattern of that person’s identity. We can like it or not, but one of the best ways for me to check security is to see if their behavior pattern has deviated. That might not be you anymore,” he said. “So we are looking at maybe, not giving an answer, but some of the things we are thinking about is some combination of behavioral, probably biometric and maybe some personal data information that is set for individuals. There are other thoughts like iris scans. All of those are doable today.”
DoD began issuing CACs in 2001, and over the last 15 years the smart identity card has become the de facto governmentwide standard for controlling logical access to networks and systems.
The Defense Manpower Data Center says it issued 2.8 million CAC cards last year to uniformed service members, civilian employees and contractors.
Over the last 15 years, DoD has issued more than 20 million CAC cards.
DoD has struggled over the last decade to find a workable way to integrate the smart identity cards with mobile devices. But this is the first time a senior official has publicly said it is time to move off the CAC for network access.
Since DoD mandated CAC-based logical access control in 2006, the Pentagon's networks have been better protected against common attacks, including phishing and other attempts to steal credentials, because a user authenticates with a private key held on the card rather than a reusable password that can be captured and replayed.
Halvorsen said another reason for the change is the work DoD is doing with its allies, including NATO.
“We are very close to reaching an agreed-upon identity standard and methodology,” he said. “That is an unbelievably powerful win for us in terms of a combat and information multiplier. Today I have NATO officers serving in different positions, but one of my biggest problems is getting them on and off the network. It just doesn’t work well. If we had common identity standards with management principles, then I could get to a more data-access-driven system than today, where I have an identity access that doesn’t match up with what data they should be able to see and shouldn’t be able to see. We have to get to those environments. We will do that.”
Related to moving off the CAC, Halvorsen said DoD is doubling down on its data center consolidation effort.
He said he will name a panel to focus on how to close the 50 most expensive data centers that the military runs.
“We are behind on data center closures inside DoD. I’m not seeing fast enough the money I need from that,” Halvorsen said. “That will be an enterprise decision, not an individual element decision. That’s a big change for DoD. We are working on it. It will not happen without some bumps.”
The panel will include DoD and industry experts.
A March report from the DoD inspector general found the military wasn’t consolidating data centers as required under the Federal Data Center Consolidation Initiative.
“DoD did not meet the FDCCI requirement to consolidate 40 percent of its data centers by year end FY 2015. Of the 3,115 data centers reported in DCIM at year end fiscal 2015, only 568 (18 percent) were reported as closed. This occurred because the DoD CIO did not revise its strategy to reduce data centers by 40 percent after OMB revised the data center definition to include smaller facilities,” auditors said. “In addition, the DoD CIO did not enforce compliance with the DoD requirement of one installation processing node (IPN) per installation. As a result, DoD will not reduce its energy and real estate footprint or achieve the cost savings as intended by the FDCCI. In addition, even with the planned closure of 796 additional data centers from fiscal 2016 through fiscal 2018, only 1,364 (44 percent) will be closed and DoD will not meet its internal goal to reduce the number of data centers by 60 percent by year end fiscal 2018.”
Halvorsen told the IG that he would revise DoD’s data center consolidation strategy by the end of 2016 to account for the increase in the number of data centers.
“The DoD CIO also stated that DoD was seeking relief from OMB to exclude special purpose processing nodes (SPPNs) from its data center consolidation metrics because SPPNs could not be severed from the facilities or equipment they supported,” auditors said. “He stated however, that he planned to work with the services to reconcile instances of multiple IPNs on individual bases.”