Before replacing the CAC, DoD to evolve current smart identity card

The Defense Department sometimes has an old fashioned website problem. At times, visitors get a message that the site isn’t secure and they are at risk if you go to the website.

This message appears because a piece of backend software needs to be updated and not because there is really anything insecure with the website.

Andy Seymour, the DoD’s public key infrastructure (PKI) manager, said a collaborative effort with the General Services Administration aims to fix this problem once and for all.

Advertisement

GSA and DoD are developing a new non-person entity or external based root certificate authority (CA) that is trusted by the main browsers from Google, Microsoft, Apple and Mozilla.

“We are working with GSA to build this new root CA and we are doing it to the regulations of the CA browser forum to make sure it is globally trusted right out of the box to improve that customer experience,” Seymour said on Ask the CIO. “Some of those issues are because it’s an older root CA and it doesn’t meet the requirements of a CA browser for the CAB forum. Things like certificate transparency will be brand new for the department to think about. That is a requirement for the CAB forum to get your root CA publicly trusted. We needed to do that. It was just time.”

Seymour, who spoke at a recent FIDO Alliance event in Washington, D.C., said by teaming with GSA, they will develop one root CA that covers the entire federal government.

“We have been at it for a little over a year. We’ve had it out on Github for public review and comment. We are starting to build the certificate practice and certificate practice statements,” he said. “We are hoping to have it out by early 2018 or mid-2018.”

The Federal CIO Council faced a similar problem recently and it took down their site for a week or more.

Seymour said another priority that has both long term and short term goals is around continuing to update the Common Access Card (CAC).

He said DoD is transforming the CAC to be more like the personnel identity verification (PIV) card under Homeland Security Presidential Directive-12 (HSPD-12). The PIV authentication certificate helps prove who the person is that holds the identity card.

The National Institute of Standards and Technology (NIST) defines the PIV Authentication certificates on PIV Cards as those certs that are issued in a manner that satisfies the requirements for level of assurance 4 (LOA-4) for identity proofing, token, and token and credential management.

“We are on the verge of releasing directives to the services that says you have 18 months to unlock the PIV certificate authentication that is currently on the card and start utilizing that for logical access,” Seymour said. “We are seeing the requirements that support PIV identity cert are more than what the CAC cert has. Our goal really is for joint interoperability across the entire government space, and not just DoD. That is one of the big drivers in doing this.”

Seymour said the services shouldn’t be surprised by this new requirement as his office has been circulating the change for several months.

“The identity management experts that I work with across the services all understand it. They all get it and know what it takes,” he said. “The Air Force folks already utilize this for other capabilities. They understand the PIV auth and the certificate is on the CAC as we speak right now. In some of the services, it’s not unlocked, it’s not viewable. For others, you unlock the edge and it’s available to be used. They know it’s coming and they know it will be a challenge to reconfigure because you now have to look at the PIV auth certificate instead of the CAC ID. Some applications may have been using the email cert as identification and we will ask them to use the PIV auth at the application level as well.”

NIST says the benefits of using the PIV authentication is systems and applications are using one of certificate to perform a digital signature operation through the private key associated with the certificate, and that the system performing the authentication can verify the signature while also validating the certificate itself.

NIST says the security level for the certificate doesn’t have to be only for high-value systems. The certificate is capable of providing authentication involving a third party that simply conveys to the system that needs to know the individual’s identity that successful PIV-based authentication has occurred.

Seymour said DoD also is addressing other ways to improve the CAC such as the opacity, which is protocol to protect contactless communication between the card and the system, and adding encrypted certificates that will let users to do tap-and-go authentication. He said this is especially important for first responders and others who need quick access to systems or facilities.

The Defense Department is considering how to modernize the CAC. Former DoD Chief Information Officer Terry Halvorsen floated the idea of moving away from CAC back in 2016, and the Pentagon kicked off at least one pilot to test out new concepts earlier this year.

Seymour said his office’s effort is a middle step in that effort to evolve the CAC.

“The CAC is the anchor for everything for the DoD, physical access, logical access. It’s so difficult to try to do away with that and replace it with something else,” he said. “We are looking at a lot of multi-factor authentication capabilities. We are looking at identity federation services. We are looking at federation with our mission partners. We’ve also got a big mobility program coming out of the Defense Information Systems Agency called Purebred that is going to help us with derived credentials on things like cell phones and make that user experience more frictionless and seamless.”

DISA’s Purebred effort uses a mobile device manager for secure communications for transferring the certificates, for enrolling and proofing people and getting that derived credential on a mobile device.

“We are starting to look at our networks at maybe not needing a medium hardware requirement, a level 3authenticator, which is what the CAC is. Maybe a majority of the stuff we can do is at a level 2 and we believe the Purebred fits perfectly into that model,” Seymour said. “With new capabilities coming to the CAC in the future, if you have a tap-and-go solution and you have something you need to do on our network that requires a level 3 authentication, you tap your CAC to your phone and all of a sudden you have level 3 authentication and can do those things. There is a huge desire for this across the DoD for this mobile capability.”