US Department of Defense personnel have used the Common Access Card (CAC) since 1999 for applications as broad as entry to base facilities, computer system log-ons and military benefits. CAC cards laid the groundwork for the Federal government-wide PIV card program, which continues to bolster both physical and cyber security, and they are still held up as a model program.
Yet this week, DOD CIO Terry Halvorsen signaled that the CAC card will be phased out over the next two years. Why the sudden change of policy for a program which has been so successful? There are several reasons.
The Steady Decline
First and foremost, the physical card has become problematic. The time it takes to issue cards (or re-issue lost cards), the cost of actually producing the cards and the basic inflexibility of needing a card to do almost anything in DOD made the CIO’s office question their long-term value.
Cybersecurity is another key factor in the decline of the CAC. The desire for “true” multi-factor authentication beyond transferable cards and passwords is gaining steam throughout the Federal government. Halvorsen noted that DOD also wants to continuously authenticate users, necessitating more than just the one-time use of a card.
Mobility also hampers the usability of the CAC. The constant movement of personnel and systems requires systems which can authenticate users in a truly global network. An ever-larger part of that network consists of mobile devices which cannot authenticate against a card. Parsing cards from different partner countries (or issuing new cards to every officer on rotation) also became burdensome.
What Will Replace the CAC?
A combination of technologies and methods will likely replace the CAC card. Halvorsen hinted that biometrics are well-positioned to authenticate users with existing collection devices and proven software platforms. That may mean a physical biometric for certain applications, combined perhaps with behavioral biometrics for applications benefiting from continuous authentication.
What is less clear is how the backend systems will work. A greater range of authentication factors will increase user convenience, but those factors will have to be available throughout DOD’s huge global footprint – even in places with little to no connectivity. Interfaces with partner networks may be just as complicated to create and run, even as they increase the flexibility of administrators. Securing the central identity and access management system (Active Directory or its equivalent) will be more important than ever.
This is the start of a new era in authentication and access control for government applications and may be the start of a sea change which will be felt in the private sector as well. How it will play out in practice is currently anyone’s guess, but it will certainly be interesting to be a part of it.
Ben Ball is the Government Market Director at Crossmatch, where he oversees market intelligence and strategic outreach to government customers around the world. A ten-year veteran of the Federal government, Ben was a Foreign Service Officer and worked in the Department of Homeland Security.