At the core of it, the DoD’s Common Access Card (CAC) is a plastic credit-card sized special ID that is embedded with an integrated circuit chip. These can authenticate identity, and often employ a public key infrastructure (PKI) that stores an encrypted digital certificate issued from the PKI provider along with other relevant information. With the move to implement Zero Trust and multi-factor authentication capabilities, the CAC is closer to its end. And that’s good news for those who find it hard to track – or like to leave it in their computer when they walk away from their desk.
Understanding the ABCs of CAC and PIV
The CAC is the standard identification for Active Duty United States Defense personnel. It is the principal card that is used to enable physical access to buildings and controlled spaces, and the CAC can serve as an identification card under the Geneva Conventions.
“The CAC is the secure identification card issued by the DoD, and it allows computer and other access – it does so by satisfying two-factor authentication,” said Baber Amin, COO of cybersecurity research firm Veridium.
Because it is essentially a “key” to the kingdom, the CAC is a controlled item. As Amin told ClearanceJobs, CAC is designed to provide two-factor authentication, which requires that the card holder have the actual card and a PIN.
The CAC shouldn’t be confused with the Personal Identity Verification (PIV) credential, which is issued at the appropriate security level.
“A PIV card is a Federal government-wide credential used for federally accessible facilities,” explained Amin. “A PIV credential can have certificates, key pairs, pin numbers, and biometrics like fingerprints and pictures. Both PIV and CAC provide equal level of authentication as they are highly vetted.”
Each type of card can rely on the PKI’s encrypted digital certificate – and are thus highly secure forms of identification. However, the term “PIV Card” is only used to describe an identity card that is fully conformant with Federal PIV standards, while only a federal entity is capable of fully meeting such standards to issue the card.
To add to the confusion is the fact some individuals will be issued a PIV card, while others may receive a PIV-I. Essentially the PIV is for civilian users working for the federal government, whereas the PIV-I is for non-federal entities that need to access government systems.
Challenges With the CAC
Even with the two-factor authentication that CAC cards provide, these are still not considered a perfect solution. Cards can be lost, stolen or forgotten.
There are other challenges that also need to be addressed.
“These include the effort for issuance of a PIV or a CAC credential, and the usage constraints, i.e. requiring readers, drivers, possession, etc.,” said Amin. “For most workplace authentication, an organization can get the same level of assurance and verification using device specific biometrics or device independent biometrics.”
Given that the government is still relying on many legacy systems, an upgrade to more modern biometric forms of identification likely isn’t in the cards.
Yet, at the recent AFCEA’s TechNet Cyber conference, which was held last month in Baltimore, Brandon Iske, the chief engineer for the security enablers portfolio in Defense Information Systems Agency’s (DISA’s) Cyber Development Directorate and Development and Business Center, addressed some of the current challenges that exist within the use of PKI and CAC.
“With PKI and CAC being standard…that has driven access management to be very decentralized. And so across the department, much of that is enforced directly at the application,” Iske said. “We can’t achieve zero trust if we have to touch every single application and to do the kind of complex integrations that will come in the future.”
As DISA continues to make strides in identity management, the CAC gets closer to being phased out as other, more secure systems are moved into place. Each contract gets the DoD one step closer to zero trust.