DoD eyeing bigger role for biometrics in CAC replacement

For much of the past dozen years, federal identity management mostly focused on the Common Access Card at the Defense Department and its sister Personnel Identity Verification (PIV) in the civilian agencies for federal employees.

The calls to improve and modernize PIV cards and CAC have been rising over the last few years, especially as the technology sector for identity management continues to evolve.

While the Office of Management and Budget is expected to update and consolidate many of the policies governing how agencies address identity management, the technology side has been slow to transform.

Paul Grassi, a senior standards and technology adviser at the National Institute of Standards and Technology (NIST), confirmed a long-held rumor of OMB’s plans.

Advertisement

He said a 2004 memo for e-authentication will be rescinded in the coming weeks.

“Hopefully we will see in the identity realm something in the January time frame what the future direction is,” Grassi said. “The IT Modernization Strategy tasks OMB 45 days after to release an identity management policy. That’s coming. It will be out for public comment.”

Beyond the expected policy changes, DoD is on the cusp of some biometric breakthroughs that could give the federal identity management sector some considerations about the next generation of physical and logical access control.

Will Graves, the deputy product manager and chief engineer for biometrics enabling capability in DoD, said the Pentagon is planning several tests in Iraq or Afghanistan over the next year of face, DNA and other biometric modals.

“What we have been seeing lately is these new joint emerging requirements,” Graves said during an AFCEA Bethesda breakfast panel on Dec. 13. “When we talk about voice, we actually are going to deploy voice to the theater next year. We have a project that has rapid DNA. We are working with the University of Virginia to create a rapid DNA device that’s actually built on a CD. It’s a 10-pound device. It’s not packable in a ruck yet. But it’s going to be very cheap. The device is going to be less than $10,000. The current device right now is about $225,000. We are going to deploy that in the Central Command region next year.”

Graves said these tests are part of how DoD is shifting the use of biometrics from just law enforcement to identity and access management.

He said the Mark Center in Alexandria, Virginia is a perfect example of how DoD is using the modalities differently.

“There is an iris and fingerprint access. You can swipe your badge and say you want to use your iris or fingerprint and you can get into the Mark Center that way,” he said. “We are looking at contactless fingerprint and on-the-move face and iris, and we are going to deploy two systems in Kuwait right now and they are on the way to Iraq. They are in a 40-foot conex, so you walk through, swipe both hands and keep on walking and it does facial and iris recognition on the move as you walk through that conex.”

This is just the beginning, too. Graves said his research arm is developing video analytics for facial recognition from social media and from the dark web.

“If you are an ISIS fighter creating a video on how to build a pipe bomb, we can take that video, scrape those faces and put that face on a watchlist,” Graves said. “So if they come close to a [checkpoint], we will have that local watchlist and say, ‘That’s a bad guy, maybe put this person aside for additional screening.’”

He said video will become a more important identity and access management capability in the future.

DoD is using Amazon Web Services to demonstrate by March the concept of connecting closed-circuit television cameras and send the video feeds to an analytical back end. Graves said this capability will enable DoD to protect additional buildings because there are CCTV cameras on nearly every structure.

The science and technology office also about three weeks ago successfully tested a new “defense-in-depth” capability where a system used facial capture and recognition at 500 meters away. Graves said DoD has a requirement to do this from 800 meters away.

“We are actually trying to create that bubble further and further away,” he said. “If we can recognize you as a bad person 300 meters away, we can take some corrective action.”

As for the CAC, Graves said the CIO/G6 is looking at how they could use the biometrics submitted to get the CAC to verify employees for physical and logical access.

“It’s kind of a baby-step type of process. We will start with the physical access and then we will move on to some of the logical access,” he said. “DARPA has been doing some work on active authentication. As you are on the computer, it will take a face from the camera and confirm it’s you. They’ve also looked at keystroke, mouse stroke and other active authentication. If you steal my CAC and my PIN, you can’t actually access the information I’m allowed to access. That’s some of the stuff that is further down the road.”