Since late 2021, rumors about the impending demise of the Department of Defense’s (DoD) longtime standard identification card have spiraled. Several DoD officials explained earlier this week that the Common Access Card (CAC) will not be replaced overnight, but that the department is currently researching modern identity management solutions beyond the CAC.
Drew Malloy, the technical director for the Cyber Security and Analytics Directorate at the Defense Information Systems Agency (DISA), attributed much of the CAC replacement frenzy to the misinterpretation of a statement made by the DISA Director Lt. Gen. Robert Skinner in 2021.
“Director Skinner said back in 2021, ‘I want to kill the CAC as the primary authentication mechanism for the department,’” Malloy emphasized during an event organized by Federal News Network on May 25.
The Director, he added, was not suggesting the elimination of the CAC but “the addition of modern identity management solutions beyond the CAC.”
To that end, DISA is currently piloting several efforts around bring-your-own-device (BYOD) and using authentication beyond the CAC, according to Malloy.
“We wanted to give some flexibility in how we provision users and what multifactor authentication they can provide, be it hardware tokens, be it software-based authentication mechanisms, things of that nature,” Malloy explained. “And then using that to do access control, and granular access control around what you’re allowed access to if you come in using a username and password and a one-time passcode as opposed to your CAC-based identity.”
Like DISA, officials at the U.S. Army are plowing ahead with efforts to look beyond the CAC to make it easier for its personnel to access their work. One example is the Army’s “MobileConnect” application pilot for authentication using BYOD.
However, as the Army continues to pilot modern identity management solutions, Christopher Joseph Jr. – the acting deputy director for the Office of the Chief Information Officer within the Army’s cybersecurity directorate – emphasized that even with the addition of more modern solutions the CAC will be useful and needed well into the future.
He pointed out that the ID card is not just about accessing DoD computers and networks, “it’s also how our people still get onto a military base and into buildings.”
“There’s a lot behind the CAC and I don’t think it’s going to be an overnight change where the CAC goes away, but we do need to continue exploring other avenues for connections,” Joseph said.
However, Jason Howe, chief information officer and deputy director for plans and integration at Air Force A1, explained that his directorate’s officials do need to look beyond the CAC because “we serve about five million customers, including veterans, retirees, recruits and military families who don’t have CAC access.”
Howe also highlighted that conversations around modern identity management solutions are currently focused on enterprise capabilities and connections, “but officials also have to stay focused on the user experience and on modernizing how IT systems integrate with these solutions.”
“Making not just role-based, but data-based decisions on who can access what based on where they’re coming from, what I know about them, along with a token that could be a CAC,” Howe added. “I think any discussion of [identity management] without the system user experience perspective is going to limit the value of what an enterprise capability can bring.”