The CAC will continue as DOD’s principal authenticator for the foreseeable future
The Pentagon’s common access card (CAC) certainly doesn’t seem to be going away, despite widespread speculation otherwise, according to DOD Chief Information Officer Dana Deasy.
“From my standpoint, the CAC will remain the department’s principal authenticator for the foreseeable future,” especially since they’ve become a central element of DOD security, Deasy said in his opening keynote address at the 2018 Billington CyberSecurity Summit on priorities of the CIO at the Department of Defense. “Most of you hear about identity and credential management at DOD, and what you think about is the common access card, CACs …”
Earlier this year, Army Col. Tom Clancy, the Identity Management and Public Key Infrastructure lead for the DOD’s CIO, also stated during a panel on the future of government identity that reports that DOD will no longer use the common access card just weren’t true.
“Two years ago, the CIO kicked off an examination into the future of CAC,” Clancy said. “After that, we are actually planning on making the CAC better, and issuing additional authenticators to meet mission needs, but we are not getting rid of the CAC. There is no plan for that,” he said, noting that “identity management has a role in all three of Secretary James Mattis’ priorities.”
“The department must be ready to adapt, as well as accommodate an environment … more than 4.5 million users that is rapidly evolving due to current and emerging threats from our adversaries,” Deasy said. “DOD has always been a pioneer when it comes to driving innovation. We must continue to do so and incorporate key storage and biometrics to prepare for a future where we need quantum-resistant cryptography. These innovations will become critical to ensure our warfighters continue to operate in a secure environment.”
Deasy did say, however, that work on developing an up-to-date identity, credential and access management (ICAM) approach, involving an authentication system based on cutting-edge biometrics like facial recognition, iris, and fingerprints, locational patterns, gait, speech, keystrokes, etc., is farther down the road.
The goal of ICAM is to “know who is on the network at any given time,” and to build a “secure, trusted environment where any of our users can access all of the authorized resources, including applications and valuable data,” Deasy said.
“So we have this conversation, but I always tell people you can’t have it at any one point,” he said. “You have to discuss the entire ecosystem of cybersecurity.”
Nevertheless, he stated, existing ICAM innovation “will revolutionize how we create digital identities and any maintenance of associated attributes, including both people and non-person entities. ICAM creates a secure, trusted environment where any of our users can access all of the authorized resources, including applications and of course our valuable data, to have a successful mission. It will also let us know who is on the network at any time.”
“We must have a meaningful dialogue with all of our stakeholders in order to be successful long-term,” said Clancy. “Scale, performance and assurance are needed for the success of identity management platforms.”