10 years later, CAC is securely part of DoD


“They were looking for a place that was isolated because there were things like electronic money pieces that went into it,” said Mike Butler, the deputy director for Identity Services at the Defense Manpower Data Center in an interview with Federal News Radio. “They wanted a place that was contained and where people wouldn’t be taken their cards and traveling all over the place with the expectation of service. That was the official explanation.”

Butler said the unofficial story provides the real details of why the DoD Common Access Card (CAC) became the prototype for government and industry in a short 10 years.

He said several Navy people from Washington who supported the idea of a secure ID card were transferred to Hawaii at the same time.

“The four or five of them really had the idea of how to make this work,” said Butler, who credits these supporters for showing him the promise of the technology. “They went out there and made this thing into something that someone had to stand up and pay attention to.”

By November 1999, DoD created what became the Common Access Card office and began to create the DoDwide standard for smartcards.

A year later issued its first card with more than 500 data elements and only 32k of space on the card. But in a short amount of time, DoD saw the huge benefits the card could provide and pushed the issuance across the department. And by 2002, the military issued its millionth card.

“If you look back to what it was back then, there was no civilian standard ID card in the department,” he said. “Of course, we always had the standard military ID cards. There was no overarching strategy for how we were going to use that in the future other than it was really a benefits card and Geneva Conventions card.”

Now 10 years later, all 3.5 million employees have CACs and are using them to electronically sign e-mails, submit time and attendance information securely and most significantly, log onto to the DoD network. The cybersecurity benefits of the card are among the biggest success stories for DoD, Butler said.

Now, DoD issues more than 10,000 cards a day to its employees with a lot more memory-128k and 144k cards-for new applications.

Butler said 32k would be equivalent to a medium sized Microsoft Word file with only text and no graphics. The new cards have enough memory to store iris scans or other biometrics.

“Eighty percent of my e-mail and almost 100 percent of normal business that comes in is either signed or encrypted,” said Butler who left DoD in 2007 to work for the General Services Administration and the National Institute of Standards and Technology before returning in 2010. “That is huge change in the three years I’ve been gone. That is all because of a digital signature on a CAC, which has been put into a business process. It’s so much easier than all the nonsense that used to have to go through. We’ve been able to automate things by having these great cryptographic cards.”

DoD’s CAC became the model for Homeland Security Presidential Directive-12 and the Personal Identity Verification (PIV) mandated issued by President Bush in 2004.

And while civilian agencies continue to struggle to use these secure identity cards, DoD is advancing their use for broad physical security and other potential uses such as transit benefits and an electronic purse.

The Office of Management and Budget earlier this month mandated civilian agencies use their secure ID cards for logical and physical security by 2012. DoD implemented logical access in 2006, and several military sites, including the Pentagon already use it for physical access.

“We’ve been investigating adding the transit, which is not just Washington Metro, but something we do across the country if we work together,” he said. “We also are looking at a purse, which could be used for a lot of applications in the department and outside of it. I’m also hoping the card will be a lot stronger for digital signatures because it’s like the no-brainer thing we all have to do across the country.”

Eventually, Butler said DoD would like to provide this technology to retirees, but that brings in other complexities that still need to be addressed.

He said the card itself will not change much over the next decade, except for growing as DoD’s needs and the technology change. Butler said DoD will continue to implement the card for physical security.

“There is a Defense Installation Access Control initiative,” he said. “It takes the ID management piece and meshes it in with physical security at the architectural level. There is a lot of promise in that.”

Additionally, industry through the FIXs program is issuing cards that meet the PIV standard. Butler said DoD vendors are using the cards for logical and physical access control and are in discussions about how to use the cards on DoD’s networks.

Looking back over the last decade, Butler said a few things surprised him. First, the time it took to roll out the cards and get them in widespread use. Second, he said the fact that the use of public key infrastructure ended up being the “killer app” for the CACs.

“I’ll own up, I was never really a big PKI proponent at the beginning,” he said. “But that was the one that has made this worth all the money spent on it. If you open up the hood and look at it, it’s a huge capability for the department. I don’t think a lot of people understand how much.”

Butler said that even though progress seemed slow, he sees a big difference in the three years between when he left and came back to work at DoD.

“Having left the department and coming back, when you live in it, you never see the progress, but when I came back and went to my orientation, the first 20 minutes of a two-hour orientation was all about the CAC,” he said. “I was wowed.”

He said the next killer app will be to bring the card into business processes that DoD hasn’t used the CAC for previously.

Secure Identity Card Program History

1996 Army tests the multi-access reader card in Hawaii
1998 Navy picks up the program to expand DoDwide
April 1999 Deputy Secretary of Defense creates Program Office Responsibilities for the DoD Public Key Infrastructure (PKI)
June 1999 Secretary of Navy Certifies the successful outfitting of two Carrier Battle Groups and Amphibious Ready Groups with smart card technology
Nov 1999 Secretary of Defense establishes the Common Access Card (CAC)
2000 DoD issues its first CAC
August 2000 Release of GSA Government Smart Card Interoperability Specification (GSC IS) 1.0
August 2002 DoD issues is 1 millionth CAC
August 2004 President Bush issues Homeland Security Presidential Directive-12
January 2006 Joint Task Force- Global Network Operations issues a tasking order to expedite deployment of PKI based log-on to DoD’s unclassified networks and Web applications.
June 2006 DoD issues is 10 millionth CAC
June 2007 JTF-GNO reports that 93 percent of authorized users log on with CAC
October 2008 Civilian agencies miss goal to issue HSPD-12 cards to all employees and contractors
November 2009 OMB requires civilian agencies to implement only HSPD-12-capable hardware and software for all new systems starting in 2011, and update existing systems by 2012.
2010 DoD has more than 3.5 million employees with CACs, and is looking at expanding the use of the cards to include transit benefits and act as an electronic purse.

Source: The Defense Department’s Defense Manpower Data Center and Federal News Radio

(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)


Previous Story DoD wants vendor input on unnecessary costs Next Story CR means shorter lead times for Navy moves

Media Galleries