The Defense Department’s reliance on Common Access Cards may be coming to a close.
On Tuesday, DOD Chief Information Officer Terry Halvorsen announced a 2-year plan to eliminate CACs, 20 million of which have been issued to active duty Defense personnel, DOD civilian employees and contractors since 2001.
“Frankly, CAC cards are not agile enough to do what we want,” said Halvorsen, speaking at the Brocade Federal Forum in Washington. “We may still use them to get into a building or something, but we will not use them on our information systems.”
Halvorsen said the Pentagon will move to “true multifactor” authentication that would increase DOD’s agility and cut costs and the time to issue the cards themselves.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
“It’s really hard to issue CAC cards ... when people are dropping mortar shells on you and you need to get in your systems,” Halvorsen said. He also said closer partnerships with NATO at the Five Eyes countries – Australia, Canada, New Zealand, the United Kingdom and the United States – are driving the shift.
“Today, I have NATO officers serving in different positions, and one of the biggest problems is getting them off the network,” Halvorsen said. “If we have common identity standards, we could get to more data access-driven systems.”
Halvorsen hinted that DOD’s future of network authentication would almost certainly account for the behavioral patterns of its users. In the post-Edward Snowden world, Halvorsen said combinations of behavior patterns coupled with biometric and personnel data would better protect high-end security systems from vulnerabilities – especially those pertaining to insider threats.
“I could build a behavioral pattern of that person’s identify and see if the behavioral pattern is deviating,” Halvorsen said. “That might not be you anymore.”