Department of Defense Common Access Card gets a FIPS 201 facelift
30 November, 2006
category: Biometrics, Government, Library
By Andy Williams, Contributing Editor
A new generation of the Department of Defense’s (DoD) Common Access Card (CAC), the most prevalent identity smart card in the U.S., is about to hit the market. Just how many CACs have been issued since its inception in 2001? To put it in perspective, enough to provide one to each of the State of Michigan’s 10.1 million residents.
With the Oct. 27 deadline for federal agencies to have their IDs comply with a presidential mandate to issue secure and interoperable federal credentials (HSPD-12/FIPS 201), the DoD is set to roll out its most ambitious card yet.
“The DoD celebrated a milestone event this past summer when it issued the 10 millionth Common Access Card,” said Lynne Prince, division chief for Card Technologies and Identity Solutions, Defense Manpower Data Center (DMDC). “To date, we have issued 10.2 million cards,” she states, adding that there are 3.3 million active CACs in circulation.
Though many assume the CAC began following the 9-11 attacks, DoD personnel had actually been using the card months prior. The program started in early 2000 and the first CAC was issued in 2001. It has been one of the government’s, and the identity industry’s, most successful projects.
The 3.3 million “active” CACs cover “all populations of DoD, reservists, the National Guard, other branches of the service. It’s quite a comprehensive group of people,” said Ms. Prince.
And, as seen in the following list, the card has multiple uses, from controlling access to buildings and computers, to e-purse capabilities, and digital signing for paperless office transactions.
The DoD’s Common Access Card can be used…
- As the identity card for all DoD personnel.
- As the Geneva Convention card for Active Duty military and other OCONUS personnel.
- As the benefits and privileges card for Uniformed Services and DoD Civilian personnel.
- As an ePurse for cashless transactions, which was evidenced in a recent pilot between DMDC, the U.S. Treasury, and the Marine Corps.
- For logical access to DoD networks, websites, applications, and computers. Also, the CAC will enable logical access to other Federal resources that are interoperable with FIPS 201.
- For physical access to DoD facilities and bases worldwide. Also, the CAC will facilitate physical access to other Federal installations that are interoperable with FIPS 201.
- For non-repudiation to promote data and information sharing.
- To digitally sign e-mail and other electronic forms for paperless office transactions.
- To encrypt e-mail and other documents for security and privacy purposes.
- To authenticate to multiple data sources through backend transactions, which is the real power of the CAC. The use of the credential plus multi-factor authentication promotes more efficient information sharing and more secure collaboration.
- To protect the release of private information. Personal information cannot be accessed on the chip without the cardholder providing his/her PIN.
Origins of the Common Access Card
“We’ve always been in the ID card business,” she added. “What we wanted was to move towards new technology, something that would give us more capability in an identity card, something that would allow us to better reuse the card. That’s how we landed on the smart card. Before that we were using a laminated paper card. Our retirees and family members still carry that card. (But) we wanted something that would last longer and with greater capabilities for updates.”
The first version of the CAC contained a chip, a magnetic stripe, and a bar code. It could be used for rapid electronic authentication, physical access, and it was also an ID card; it carried privileges for certain populations. By July 31, all DoD networks had to be cryptographically-enabled, adds Ms. Prince, “so the CAC was ideal.”
With such authentication, you insert the card into a card reader; the middleware that sits on your client or workstation talks to the reader and uses the card’s PKI key to establish a secure session.
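A minimal model of that exchange, added here as an illustration and not part of the article or of DMDC’s middleware, assuming a toy `Card` type with a P-256 key and a constructed PIN: the PIN unlocks the chip’s key, the workstation side sends a random challenge, and the signature is verified against the card’s public key.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)
// Card models the CAC chip (constructed example): the key never leaves it and signs only after PIN verification.
type Card struct {
	pin      []byte
	key      *ecdsa.PrivateKey
	unlocked bool
}

func NewCard(pin string) *Card {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Card{pin: []byte(pin), key: k}
}
func (c *Card) Public() *ecdsa.PublicKey { return &c.key.PublicKey }

// VerifyPIN unlocks the key; a wrong PIN leaves the card locked.
func (c *Card) VerifyPIN(p string) bool {
	c.unlocked = subtle.ConstantTimeCompare([]byte(p), c.pin) == 1
	return c.unlocked
}

// SignChallenge is the card's half of the exchange: sign the workstation's nonce.
func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	if !c.unlocked { return nil, fmt.Errorf("card locked: PIN required") }
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}
// Authenticate is the middleware/backend half: a fresh random nonce means a captured
// signature cannot be replayed, and the signature is checked against the card's key.
func Authenticate(pub *ecdsa.PublicKey, sign func([]byte) ([]byte, error)) (bool, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { return false, err }
	sig, err := sign(nonce)
	if err != nil { return false, err }
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig), nil
}
func main() {
	card := NewCard("123456") // constructed sample PIN
	card.VerifyPIN("123456")
	fmt.Println(Authenticate(card.Public(), card.SignChallenge)) // true <nil>
}
```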
DoD always has at least two vendors to supply the cardstock for the CAC “making sure we have a supply on hand because we issue 10,000 cards a day,” said Ms. Prince. Past suppliers have included Gemalto and Oberthur Card Systems. Oberthur has already been awarded the contract to supply the new cards. “We’ll be bringing in another (card supplier) by next summer. There are not many who are FIPS 201-compliant (currently),” she said.
The CAC, Version 201 (or actually Version FIPS 201)
The next generation CAC, which will roll out by Oct. 27, will be a dual interface card containing both contact and contactless technologies. Contactless pilots are in place in different parts of the country with different areas of the armed services testing the technology in CAC environments.
The card will contain two fingerprints, a photograph, and the cardholder unique identifier (CHUID), she said. It will also allow for electronic signature verification.
But not everyone will be credentialed immediately. It will take three years–the card’s specified lifespan–before everyone enjoys the benefits of the dual interface CAC, says Ms. Prince. “We have a legacy system and we’re not going to flip to the new one right away. As your card expires you’ll get a new card.”
More robust and flexible physical access control via the contactless interface
“We see the contactless technology revolutionizing the physical access component of the card, while the contact side will continue to be used for logical access,” she said. “What we’ll see is a flattening of physical access options. They will become more standard. The key is interoperability, utilizing the CHUID.”
So a person with a CAC will approach the door and, depending on the security or threat level set by the local installation, the person could just ‘wave’ the card to initiate the access request from the backend database. “Authorization is dependent on the local installation,” explained Ms. Prince. “At a higher level you might (wave) the card at the first gate and be required to enter a code at the second gate, or insert your card and enter a PIN number,” she added. “That’s what’s so great about this new technology. We have more options to secure our buildings.”
She said DoD had intended to eventually move towards contactless anyway, but HSPD-12 and FIPS 201 “accelerated the process. We had it on our map. We just had to do it sooner rather than later.”
Protecting the privacy of the cardholder
“At initial issuance we’ll be handing out a badge or card holder that has a shield on it so the card can’t be read until you take it out of the carrier,” said Ms. Prince. “That’s not a mandate, but that’s something we were concerned about within DoD.”
As she explained it, the CAC allows the cardholder to “protect his own information. He has control of the card. He has to supply the PIN to unlock it. You can protect your identity better than in the past,” she said.
“We’re looking forward to the next generation CAC. It offers a lot of advantages for DoD as we move forward.”