TAMPA, Fla. — The Army has moved more than 2,000 users of the military’s secret computer network to a new, more secure system for signing in — one of several advances the service said it’s making on identity management.
Currently, most users of the Defense Department’s classified network, known as SIPRNet, log on using just a username and password. That method is going away in favor of two-factor authentication: combining something users know with something they physically possess, just as they already do when they log onto the unclassified network, NIPRNet, with their common access cards (CACs).
Users will get a similar but separate public key infrastructure (PKI) smartcard and PIN that will be used only for the secret network. The Army said it has deployed the new cards to an initial 2,400 users through an initial operational test and evaluation (IOT&E).
Tracy Traylor, chief of the Army’s identity management division, said, so far, soldiers like them.
Leave the sticky note behind
“It’s really cool,” she told an Army audience at the LandWarNet conference Tuesday. “It’s a live token — you get to keep it for three years, it’s not that we’re going to take it back at the end of the IOT&E — and you don’t have to remember that 15-character password that we all have written on the sticky note under the keyboard or in the desk.”
The Army received DoD approval to continue deploying the cards in an extended test period to Army organizations that volunteer. Traylor said they want to distribute as many as they can through the test in order to avoid a mad dash to make the switch all at once when DoD finally pulls the plug on SIPRNet usernames and passwords.
DoD is paying the bill for the initial deployment of the smartcard system, a capital expenditure that Traylor said would otherwise be significant for the Army. Just the physical cards themselves cost around $40 each, and the Army has an estimated 300,000 SIPRNet users.
Meanwhile, the Army, and DoD as a whole, are beefing up the security of the existing common access cards, which are used for most day-to-day unclassified tasks. They’re phasing out the older, weaker cryptographic hash algorithm SHA-1, now more than 15 years old, from the digital signatures on the cards’ certificates. Its replacement, the stronger SHA-2 family, takes over on Jan. 1, 2014: from that date, newly minted cards will carry only SHA-2-signed certificates, while cards already in circulation keep working with the certificates they have.
Traylor said the Army wants to make the transition as painless to users as possible, but there are no guarantees.
“Your CAC card will continue to work,” she said. “Your Web applications and things like that that only accept SHA-1 may not. We just went out with a data call to find out what applications were out there to make people aware that this change was coming. As we do data center consolidation, we’ve added that to the checklist. As they take an application and move it from one data center to a new data center, that’s something they’re watching for. We want Jan. 1, 2014 to be uneventful, so that when that new CAC card is issued, it’s just transparent. The apps are ready to go, no big deal.”
Another reason for the move: it’s required for DoD to continue to share information with many of the federal government’s civilian agencies.
“A lot of organizations have just gone straight to SHA-2,” she said. “If you’re authenticating to some of their data systems or websites, they’re already there.”
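The practical check behind Traylor’s data call is whether a given certificate (or an application’s trust store) still carries a SHA-1 signature. The following stand-alone script is an added example, not code from the Army, DISA or Federal News Radio: it parses the DER encoding of an X.509 certificate with only the standard library, reads the signature algorithm OID from both places RFC 5280 puts it (the outer `signatureAlgorithm` and `tbsCertificate.signature`, which must match), and reports the hash family. No real CAC certificate appears on the page, so the input it runs on is a constructed DER skeleton with the same field layout, built by `skeleton_cert`; in real use you would pass `load_pem(open("cert.pem").read())` or the raw `.der` bytes instead. The OID table and the `classify` result format are this example’s own choices.

```python
"""Report whether a DER-encoded X.509 certificate is signed with SHA-1 or SHA-2 (stdlib only)."""
import base64

# Signature-algorithm OIDs from RFC 3279 / RFC 5754, grouped by hash family.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form (first byte packs two arcs)."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _oid_of(alg_identifier):
    tag, body, _ = read_tlv(alg_identifier)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(body)


def signature_oids(der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID)."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, pos = read_tlv(cert)            # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)   # signatureAlgorithm
    tag, _, pos = read_tlv(tbs)             # [0] EXPLICIT version, or serialNumber in a v1 cert
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)      # serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)    # signature AlgorithmIdentifier inside the TBS
    return _oid_of(outer_alg), _oid_of(inner_alg)


def classify(der):
    """Return ('sha1' | 'sha2' | 'unknown', algorithm name or raw OID); reject mismatched fields."""
    outer, inner = signature_oids(der)
    if outer != inner:                      # RFC 5280 4.1.2.3: both fields MUST carry the same algorithm
        raise ValueError(f"signature algorithm mismatch: {outer} vs {inner}")
    if outer in SHA1_SIG_OIDS:
        return "sha1", SHA1_SIG_OIDS[outer]
    if outer in SHA2_SIG_OIDS:
        return "sha2", SHA2_SIG_OIDS[outer]
    return "unknown", outer


def load_pem(text):
    """Strip PEM armor lines and return the DER bytes."""
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample input (not a real certificate): a DER skeleton with the
# same field layout as an X.509 Certificate, enough to exercise the parser path ---
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def skeleton_cert(sig_oid, tbs_oid=None):
    """Certificate { tbs { [0] v3, serial 1, signature alg }, signatureAlgorithm, signatureValue }."""
    alg = lambda oid: der(0x30, der(0x06, encode_oid(oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(tbs_oid or sig_oid))
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.10045.4.3.2"):
        print(oid, "->", classify(skeleton_cert(oid)))
```

Run it over every certificate an application trusts or presents (server certificates, issuing CAs, and the user certificates on the cards themselves); a "sha1" result on anything other than a self-signed root is what the Jan. 1, 2014 cutover will expose. The mismatch check matters because a parser that reads only one of the two algorithm fields can be misled about what hash actually protects the signature.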
But regardless of how DoD users authenticate themselves to the network, many of the discrete systems inside the network that people need to access on a day-to-day basis still rely on individual, localized schemes of usernames and passwords.
That brings up a third change the Army has just started to tackle with the Defense Information Systems Agency. DISA is working on a system to synchronize DoD users’ identities across the myriad systems the military services run around the globe and eventually aims to eliminate all of those individual accounts.
“We’re going to take your identity and your attributes that make up who you are — major, contractor, reserve, civilian — all of these things about you, and store it in an identity forest,” she said. “Our goal is to authenticate once, based on your single identity and all these attributes that we know about you, and then grant you access to those things that you need.”
The system would give users access to systems based on their roles in DoD, rather than based on the fact that they were manually granted approval for an account by a local system administrator.
Richard Hale, DISA’s chief information assurance executive, said the attribute-based system fits neatly into the enterprise IT view that DoD is trying to build.
“It’s invisible to me. I don’t have to go ask anyone for an account,” Hale said in an interview with Federal News Radio. “We’re hiding much of the access-control detail from the end user and we’re working it at the enterprise level, so it’s kind of a cloud access model, even if these individual systems aren’t in the cloud. We’re making it so that information isn’t so locally controlled. I can get access if I match the enterprise policy. The local site doesn’t have to set the policy. Hopefully this leads to all kinds of innovation in warfighting processes and humanitarian relief processes, because everything is easier to do.”
Traylor said the Army got the green light to start developing the system with DISA earlier this month. She said there are big questions left to answer, though, including which and how many attributes to collect and store about users, given that the cards are used for many different purposes and by many different DoD organizations.