BY KIMBERLY BRENNER CONTRIBUTING EDITOR
In 2000, the United States Department of Defense (DoD) began its long-awaited issuance of the new generation military identification card, the Common Access Card (CAC). The initial cards contained a magnetic stripe and an integrated circuit chip. This contact chip was used for secured logon to computer networks while the magnetic stripe was encoded with the individual’s military ID number. Just one year later, an initiative to better control physical security at military locations led the DoD to consider the addition of an RFID technology on future-issued CACs.
Background on the CAC
The Common Access Card was born out of the DoD’s need for additional services and security from the military ID card along with the desire to standardize the card for use throughout the branches of the armed services. Charged with oversight for this enormous task, the Defense Manpower Data Center (DMDC) began to research card technologies in early 1998. Two short years later, the group launched a smart card-based ID that will eventually be issued to more than 4 million active duty, civilian, and contractor personnel.
The initial cards purchased contained 8K integrated circuits running the Java Card Operating System. Two million cards were purchased from Oberthur Card Systems in January 2000. In July 2002, an additional 1 million cards were ordered, this time with a higher capacity 32K chip. Meanwhile, discussions on future additions, both RFID and biometric, were well underway. In April 2002, the Security Equipment Integration Working Group (SEIWG) issued a report recommending that the DoD pursue ISO 14443 standard contactless technology. No recommendation as to the specific variety of 14443 technology was made.
In November 2002, a pilot project was announced to test the contactless-enabled CAC. While details on the location for this test have not been released, the pilot will reportedly utilize the Type A variety of ISO 14443. Cards will be obtained in January 2003 and the pilot will likely run for six to eight months. The next major procurement of cards for the CAC program will likely occur in the Fall of 2003. It seems likely that the results of this pilot will be instrumental in determining whether or not the contactless technology is included in this card order. If included, this new CAC would be an extremely advanced card as it would, for the first time, include the contactless component and, sources report, a 64K contact chip.
The DoD has unique challenges in providing physical access control to its constituents worldwide. They represent millions of individuals that must be granted or denied access privileges at thousands of disparate locations around the globe. Some of these locations are fixed such as bases and buildings, while others sail the seas or are temporary in nature. Data and power connectivity at DoD locations can vary dramatically. Add to this the fact that the DoD represents many different autonomous bodies (army, navy, air force, marines, coast guard) and the logistical and hierarchical challenges begin to emerge.
This led the SEIWG to recommend an approach that selects an RFID standard and a data layout standard while leaving the system administration decentralized within the control of the local security administrators. In this manner, the physical access component is afforded maximum flexibility, reciprocity, and departmental buy-in.
What can we learn from the DoD project?
The DoD faces enormous challenges. Not only is the scale of the project unmatched with more than 4 million eventual cardholders, but the required functionality is large as well. The CAC must serve traditional identification needs, enable secure access to computer networks and personal data, function for physical access needs at widespread locations, and perform a host of other yet-to-be-determined applications.
To some it might seem that the massive scale of the CAC project means that it holds little value for those of us responsible for card issuance programs within our respective organizations. For certain, few of us will ever undertake a project of this magnitude. But the lessons and experiences are quite transferable to other card and RFID implementations.
Securing buy-in across the enterprise
The project required buy-in from multiple levels in a variety of working groups within the DoD and within the impacted military branches. The project leaders had to sell and resell their vision to decision-makers. Almost all card and RFID projects impact the entire organization in some way. Because these projects are enterprise-wide, project leaders must secure buy-in from key players in the organization to ensure success.
From the outset of the CAC program, the most widely reported problems have centered on card issuance. Common Access Cards have to be imaged and printed; barcodes added; magnetic stripes encoded; and contact chips loaded with data and digital certificates. This can be challenging in a single, dedicated facility but the DoD has to conduct this process at locations around the globe via connection back to a centralized data center. With the addition of a contactless technology to the card, an additional step in the issuance process is added (though documents released by the SEIWG suggest that this process will likely occur post-issuance at a decentralized security office). While typical issuance processes are far less complex, it is important to plan for this part of a project. Issues including hardware and software, traffic flows, timelines, staffing, and connectivity must all be considered.
Printing over embedded chips
With any card technology there are issues that must be considered when printing on the card. For magnetic stripes and contact chips, it is obvious that you cannot print visual information on top of the stripe or chip. But with embedded technologies such as RFID chips and antennae, this is less obvious. The DoD has experienced problems printing on top of the actual contactless chip using their traditional card printers.
The chip often leaves a slight indentation or ripple in the card’s plastic surface. This can cause imagery printed in this location to be distorted. Options in this situation can include adjusting card design to leave this area blank or utilizing card printers that apply images to an overlay that is then affixed to the card’s surface.
The lesson is to understand the card’s physical characteristics before defining elements and layout, and to plan for future technologies to the fullest extent possible.
With a broad range of implementing organizations participating in the CAC program, a variety of legacy technologies existed. Some locations were utilizing the magnetic stripe as the vehicle for transmitting the ID number to the security system, others relied upon a 2D barcode, while others used proximity card technology. The decision as to which, if any, legacy technologies should be supported was likely challenging–and the DoD, it seems, is still grappling with this issue.
The more complex the card required, the longer the supply cycle time. This also narrows the number of suppliers capable of delivering the card and adds importance to the quality control processes. For early card buys, only Oberthur and Schlumberger were certified on the Federal Information Processing Specification (FIPS) program to supply chip cards to the DoD.
Currently, at least four additional companies are progressing through the certification process in an attempt to be eligible to supply Common Access Cards in future card procurements.
An important big boost for contactless personal ID?
The Common Access Card project has received significant attention for its sheer magnitude and its multi-application and now multi-technology aspects. The RFID industry will keep a close watch on the DoD’s pilot project early in 2003 as a successful test promises to expedite the widespread adoption of contactless technologies for secure personal ID.