It was 10-year ago this past October when the first U.S. Defense Department Common Access Card was issued. Since then the largest U.S. agency has issued 24 million of the smart card-based secure credentials.
In that time the staff at the Defense Manpower Data Center (DMDC), the group within DOD responsible for issuing the card, went from simply issuing an ID card to truly managing with identity, says Mike Butler, deputy director of identity services at the DMDC.
Butler was with the Defense Department when it first issued the credential and rejoined the agency in August 2010 after three years away.
“In 2000, 2001, 2002, we (DMDC) saw ourselves as card issuers, but somewhere in that time frame there was this shift. It’s not really ID cards–although that’s technically what we do–it’s really identity,” Butler says. “At that point came the full embracing of the PKI process within DMDC.”
The changes that the Common Access Card created within the agency were, at the time, widespread, Butler says. There was no ID for civilian employees, and there were separate cards for reservists and active duty personnel. The Common access Card put everyone on the same footing.
Some may say the Common Access Card paved the way for the PIV credentials carried by federal employees across the country. Others go even further calling it the example for all high-tech, PKI-enabled IDs.
The Defense Department is in the process of replacing the original card with a PIV-compliant credential, but the future Common Access Card may look very different than today’s version … both in terms of its applications and its physical form factor.
PKI is the difference
Public key infrastructures still have a reputation for being time consuming and costly to deploy and maintain. But the Common Access Card is helping to change that line of thinking.
Without PKI the Common Access Card would be just another ID, says Scott Jack, director of identity assurance for DOD PKI. “The PKI literally binds the human identity to a virtual identity in cyberspace,” he says. “It cryptographically asserts an identity that’s been proofed and vetted for the lifetime of the credential.”
Using PKI for electronic communications is as good as having an individual sign a piece of paper in person, Jack says. “The recipient can be assured through the certificate validation that the person who sent the message is who sent it.”
PKI has become the killer app for the credential, Butler says. “We were always looking for that killer application and when it started coming in I wasn’t sure that PKI was that app,” he says.
After returning to DOD after three years and using the Common Access card everyday to sign and encrypt email and access networks, he more fully realizes its importance.
Butler contrasts the DOD use of PKI to other enabled ID programs such as citizen e-IDs. “Most credentials given to citizens are used once or twice a year and there’s very few places to use them,” Butler says. ” I can’t get on the network without my CAC so every single day it has to be used. That is what differentiates it from other programs.”
Since 2006 the Common Access Card has been required to login to Defense Department networks and no more than 90% of network authentication is done cryptographically, Jack says.
But the credential has not always been so popular. When first rolling out the Common Access Card it took 15 to 20 minutes to issue each credential, Jack says. “Leadership at every echelon were seeing productivity loss because people were standing in line,” he says. “Any kind of change for a more than 3.6 million work force will create some problems.”
Then there was the challenge of PKI-enabling application on Defense Department networks. With many different applications and vendors involved this didn’t always go smoothly, Jack says. “But once it’s employed the value proposition becomes so demonstrative because you cut the overhead costs.”
Performance reviews, travel and many other tasks are now handled electronically. According to Jack, “(thanks to the card) the typical DOD employee can touch and do many things in the virtual environment.”
PIV: Blessing or curse?
When HSPD-12 was signed in 2005 it would have appeared the Defense Department would be in good shape. The largest federal agency already had smart cards issued and the infrastructure in place to support them. But the FIPS 201 standard veered from what the Defense Department was doing. “There was a requirement for a fairly major shift,” Butler says.
The Defense Department if still adjusting for this shift, a situation that has brought criticism from both the Government Accountability Office and the White House Office of Management and Budget. Butler says the agency has taken some time to adjust to the new specification, but it’s gaining momentum and there have been cross agency use of PKI certificates with the U.S. Department of Veteran’s Affairs.
The DOD has now issued more than 80% of the PIV-compliant Common Access cards, Butler says, “we’re on track to continue moving that along.”
Other form factors on the horizon?
The Defense Department is planning to expand the use of PKI, including adding the technology to non-person entities such as routers, switches, hubs and even PDAs and laptops, Jack says. “The devices would have a PKI that is bound and vetted so it would be recognized on a digital level,” he says.
They are also considering the use of other form factors, such as mobile devices, for credentials to login to networks, Jack says. “We’re starting to look at technology that’s available to the commercial sector that comes in a number of different form factors,” Jack says
The challenge with other form factors is finding a solution that still enables the Common Access Card to be used for physical access, Jack says. The credentials primary use is for logical access control but it is used for physical access as well. “We are seriously thinking about how we would do that,” he says.
Payment, transit and other applications
The Defense Department is also considering new application for the card. The agency issued a request for information from vendors about adding an open transit fare collection application and an EMV stored value payment applications to the card.
“It’s going to take a lot of time,” Butler says. “There’s FIPS testing and requirements, but it would absolutely have a return on investment in the Department of Defense. And we need to be looking at things like that.”
The DOD also wants to continue to strengthen its PKI and the business case for the credential, Butler says. “Using the CAC and PKI we may be able to better service data that’s up in the cloud, like back end authentication,” he says. “Being able to deliver people’s status–more than just PKI status of whether or not I’m still an employee but something–out to physical access systems and business systems.”
Ten years later and still getting stronger
Butler was at the Defense Department from the start of the Common Access Card but left to work on other aspects of the PIV card program outside of DOD. He was reminded of the credential’s impact when he restarted at the agency.
“My first day back, I had to raise my right hand and swear back in as a government employee,” he explains. “It was actually kind of a thrill for me because there was a two hour seminar, which was not at DMDC, and a significant part of it was about the Common Access Card and if you don’t have one you can’t do anything.”
“For somebody who’d only been gone from the department for three years, I kind of knew that,” he explains, “but as one of the folks who was here from the very beginning with the team that really made this happen, it was a real thrill.”
It seems fitting that Butler would rejoin the program and his team as the Common Access Card reaches a series of major milestones including its tenth birthday and so its 25 millionth credential. “It really does show you that if you’re just tenacious enough,” Butler concludes, “you actually can make something work.”
Translating experience from government ID to citizens
Mike Butler has more than a decade of experience in the identity business for the federal government. He’s now back where he started rejoining the U.S. Defense Department’s Defense Manpower Data Center as deputy director of identity services.
In a recent discussion with Re:ID, Butler talked about government credentialing programs, but he also shared some thoughts on issues around identity and citizens. Many of these issues are being discussed in the National Strategy for Trusted Identities in Cyberspace and Butler says the federal government and technology providers need to find solutions.
The Defense Department is going to look at mobile devices and other form factors for credentialing, but Butler says that smart cards will be the standard for federal employees and contractors for the next few years because of the investment made in infrastructure.
For others who do business with the federal government, however, the smart card may not be used. “Once we move outside of those core populations, smart cards probably aren’t the answer,” Butler says. “I’m accepting the fact that a smart phone would be a great way to do this.”
He says the government should work with outside providers so that federal employees, who have anchored identities that have been vetted, can have a credential that can be used in the private sector. “We’ve never really been able to get our arms around that and make it work,” he says.
One of the most challenging and expensive parts of a credentialing program is the original identity vetting and the efforts required to keep it current. The federal government has been able to solve this issue so why not give employees the option to use it in other areas. “It would be a great thing to be able to transfer that anchored identity into government or non government use,” he says.
The smart phone would be the perfect form factor for this type of personal use credential. “People are carrying them and there’s no real additional hardware cost … we might be able to make that work,” Butler says.
Hardware cost has made this a difficult goal, Butler says. “It’s been elusive because there always seems to be this huge cost factor that goes with it,” he says. “If you could get rid of the hardware and at least mitigate the in-person vetting piece, it might make good sense for everybody.”
Butler says efforts are underway, but it won’t happen overnight. “I’m hoping maybe another six to nine months,” he says. “We’re going to start seeing some of the commercial guys come in and maybe lay out some opportunities for the government to partner.”
Butler’s experience gives him unique insight and he is remarkably upbeat saying, “I think this is the first time that we’ve had a chance that it may actually happen.”