Two years ago, then-Department of Defense CIO Terry Halvorsen announced a plan to replace the common access card within two years. Today, the CAC is still alive and well as the Pentagon’s primary means of identity authentication, and according to new CIO Dana Deasy, the cards aren’t going anywhere anytime soon.
“Now I know what you’re thinking. Most of you hear about identity and credential management at DOD, and what you think about is the common access card, CACs,” he said Thursday at the Billington Cybersecurity Summit. “They have been a key component of the DOD security. Something you may have heard, that the CAC is going away. Well, from my standpoint, the CAC will remain the department’s principal authenticator for the foreseeable future.”
That may come as a surprise to many who’ve followed the substantive fodder about the replacement of the CAC since Halvorsen’s announcement in 2016. For instance, the Defense Information Systems Agency in late 2017 introduced an elaborate continuous authentication system based on multiple forms of advanced biometrics like commercial facial recognition, iris scans and fingerprints, as well as locational patterns, gait, speech and keystroke rate. But such a replacement system, at least in a widespread form, is more likely further down the pipeline, Deasy said.
“The department must be ready to adapt, as well as accommodate an environment [with] more than 4.5 million users that is rapidly evolving due to current and emerging threats from our adversaries,” he said. “DOD has always been a pioneer when it comes to driving innovation. We must continue to do so and incorporate key storage and biometrics to prepare for a future where we need quantum-resistant cryptography. These innovations will become critical to ensure our warfighters continue to operate in a secure environment.”
The comments came as Deasy described DOD’s work to create a new identity, credential and access management (ICAM) strategy, which will replace one it released in 2014, and how the CAC will continue to play a part in it.
The new strategy, he said, “will revolutionize how we create digital identities and any maintenance of associated attributes, including both people and non-person entities. ICAM creates a secure, trusted environment where any of our users can access all of the authorized resources, including applications and of course our valuable data, to have a successful mission. It will also let us know who is on the network at any time.”
ICAM, he said, is just one part of his attempt to take a more holistic, end-to-end view of cybersecurity risk within the Pentagon, to also include system, network and application security, data encryption and proper classification of information all the way out to weapon systems. That also includes contractors providing systems and services to the Pentagon, and the security of the U.S.’s connected critical infrastructure, Deasy said.
“So we have this conversation, but I always tell people you can’t have it at any one point,” he said. “You have to discuss the entire ecosystem of cybersecurity.”