The U.S. Defense Department has been a pioneer when it comes to smart cards in the federal government first issuing the cards in the 90s. So when the agency’s CIO talks about getting rid of the cards in the next two years it’s catching many by surprise.
Pentagon CIO Terry Halvorsen told the 2016 Federal Forum that the agency plans to get rid of the Common Access Card in the next two years and replace it with an “agile,” multi-factor authentication system. The cards would be replaced by “some combination of behavioral, probably biometric and maybe some personal data information that’s set from individual to individual.”
The smart card credential may still be used for physical access but that would be its sole function.
Halvorsen’s comments would seem to contradict HSPD-12. The directive, signed by President George W. Bush, called for a standard, interoperable credential across all agencies that would be used for physical access the facilities and logical access to computer resources.
The other problem is behavioral, continuous biometric systems, such as the one Halvorsen mentions, would have to go through testing and certification before it could be used by any agency.
Apple might be one reason behind the move, says Neville Pattinson, senior vice president for Government Affairs, Standards and Business development at Gemalto. “Apple products don’t work well with the Common Access Card but this will create less secure authentication methods,” he explains. “Its also fractures the CAC’s ability to sign and encrypt securely.”
A number of other smart card industry executives and government officials were caught off guard by Halvorsen’s comments. All had no idea that he was going to make those comments.
Another reason for the move is so the U.S. can share information with its allies. The Pentagon is working on an identity standard and methodology with Australia, Britain, Canada and New Zealand that would not include the Common Access Card.
Defense Department Public Affairs did not return calls for comment.