Millions of Common Access Cards (CACs) and Personal Identity Verification (PIV) cards have been issued to military and civilian personnel and contractors since the early 2000s. While CACs and PIVs are the most widely adopted solution for securing access to restricted federal facilities and IT resources, they present a variety of risks and drawbacks that have officials seeking ways to enhance and modernize the outdated technology.
“A CAC doesn’t play well in the mobile space,” said Jeremy Corey, chief of the Cyber Innovation Office at the Defense Information Systems Agency (DISA). “It’s kind of awkward, and the form factor [requires] some type of sleeve to integrate with that mobile device.”
Other factors are also driving the desire for change: CACs and PIVs simply weren’t built for today’s cybersecurity threat environment, don’t integrate seamlessly with modern federal IT systems and are costly and time-consuming to manage.
Meeting the Needs of an Evolving Workplace
The challenges associated with today’s CAC/PIV approach are complicated by the changing nature of where federal work gets done and by whom. Today’s federal workplace is anywhere personnel happen to be — at home, in the office, in the field or at the mission edge. New generations are also coming on board, and they are expecting to use the more advanced technology tools at work that they’re accustomed to using at home. The CAC and PIV systems don’t meet the needs of a mobile, tech-savvy workforce; nor are they equipped to authenticate users across multiple environments and locations.
For example, to access agency information systems, federal workers must go to the office, swipe a card to enter the building, then go to a computer fitted with a dedicated card reader and insert the CAC/PIV card to log in. The process is far from seamless for users and leaves significant room for misuse if a card is lost or stolen. CACs and PIVs present an additional set of problems for mobile workers, who must carry dongles or card readers in addition to their mobile devices.
Modernizing Credentials for the Mobile Age
Federal tech organizations and commercial industry are working to address the range of problems associated with traditional CACs and PIVs. Derived credentials have emerged as a critical factor in solving the mobile authentication challenge — they create a digital version of the certificate contained on a CAC or PIV, which can then run on mobile devices, with no card reader required. Government agencies are already implementing the concept, which was rolled out for Defense Department unclassified use via DISA’s Purebred initiative. DISA is working on a similar approach for accessing SIPR (Secret Internet Protocol Router) networks.
Expanding Security Capabilities
Commercial industry has stepped up to build robust mobile solutions that support derived credentials and holistically address other barriers to federal mobility. Samsung’s defense-grade Knox platform for mobility management, for example, lets IT personnel administer environments that use multiple biometric identifiers such as iris scanning, facial recognition, fingerprints or usage patterns to ensure each user’s true identity. The Knox platform can also be updated to incorporate additional types of sensors as they become available — ensuring continually upgraded authentication capabilities.
Former DoD CIO Terry Halvorsen, who is now the EVP & CIO of mobile IT & mobile B2B group at Samsung Electronics, first called for this capability in 2016, saying, “If I structure it right, I could build the behavior pattern of that person’s identity. … One of the best ways for me to check security is to see if [a user’s] behavior pattern has deviated. That might not be you anymore.”
For instances when a mobile device is lost or stolen, Knox can be used to quickly revoke the digital credentials and wipe data from the hardware — rendering the device unusable. Other benefits include potential cost reductions because less equipment and fewer personnel are needed for issuing and managing CACs and PIVs.
The shift away from traditional CAC and PIV not only has the potential to transform authentication and mobility for federal civilian workers; it also has implications for front-line DoD personnel: “It’s really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your systems,” Halvorsen pointed out. “It just doesn’t work well.”