Five Million and Counting
Called the Common Access Card or CAC, Department of Defense (DoD) smart cards today provide identification credentials, access to controlled doors and access to computer networks for millions of people around the world. Before the end of 2004, the flexible DoD system will expand its capabilities by adding digital signature verification for e-business. DoD will also lay the groundwork for a transition from contact to contactless door access technology this year.
According to Michael P. Butler, chief of DoD’s smart card programs, the department has issued nearly 5 million cards since 2001. Accounting for attrition, active DoD smart cards now total about 4 million. Every day, 1,600 issuing stations located in 900 DoD card management installations in the U.S. and around the world pump out 10,000 to 14,000 new smart cards, which cost $4.60 each. Holders include active duty military, selected reserve and National Guard personnel, DoD civilian employees and certain DoD contractors.
The smart card program began in 1998, when Deputy Secretary of Defense John J. Hamre directed that all DoD personnel receive identification cards. While not limiting applications for the cards, Hamre specified that they would at least identify personnel, provide secure computer log-on, and authenticate digital signatures. Prior to this, local units throughout the DoD issued their own identification cards and made local decisions about what their systems would do. Some, for example, provided access control to doors and some did not. The new system would consolidate everything, without limiting local decisions, with a deadline of October 2004.
The CAC program took several years — from 1998 through 2001 — to get to the smart card stage. Hamre’s directive did not specify smart cards. As a result, CAC cards evolved through several technologies, including two barcodes and a magnetic stripe. According to Butler, however, the only technology capable of handling Hamre’s e-business requirement efficiently was a smart card with a microchip.
Today, smart cards provide the lion’s share of DoD card services, from door access control to computer log-in to authenticating digital signatures. New military and civilian personnel coming on board receive smart cards that are recorded in a central database called the Real Time Automated Identification Card System, which connects to all 1,600 card-issuing stations and the human resources department.
E-business, Hamre’s final requirement, is currently coming on line throughout DoD, and Butler believes that the department will meet its October deadline.
But e-business hasn’t been easy. For DoD personnel to transact business electronically, all 2 million DoD computers have had to install something called middleware, which enables e-mail programs to retrieve a digital signature certificate stored on a smart card that has been slipped into a computer reader.
Three years ago, middleware vendors provided proprietary products, leading Butler to choose between specifying a particular middleware or issuing specifications that would lead various vendors to develop compatible middleware. Butler reasoned that specifying one middleware product across DoD would lead to exorbitant prices. At the time, for example, proprietary middleware cost about $78 a copy. Butler also feared that computers using proprietary middleware provided by competing vendors would create bottlenecks by limiting the ability to sign documents to an individual’s own computer.
As a solution, Butler’s group wrote a middleware standard and allowed any vendor to develop middleware for DoD. Since all vendors would deliver middleware compatible with the standard, anyone could use any DoD computer to sign a document, as long as the signer had his or her smart card.
Since then, a half dozen vendors have developed compatible middleware at prices ranging from $3.50 to $6 per copy, far below the proprietary prices that prevailed three years ago. And e-business has begun to take root in the DoD. “It isn’t uncommon for me now to sign my e-mail,” Butler says.
The DoD smart card system continues to add new capabilities. For example, Butler is evaluating a move to contactless CAC smart cards to facilitate door access. Currently, most DoD agencies that need door access control employ the CAC’s magnetic stripe or bar code. Contactless technology will require the addition of a second chip to the CAC smart cards. This will push card costs into the $8 range, Butler says.
Before issuing two-chip cards, Butler must also settle several security specification issues. An interagency advisory board is currently developing physical access specifications for all federal government smart cards. The specifications permit contact as well as contactless chip access cards. Butler believes that his group will begin issuing contact cards under the board’s specifications by the end of the year.
The move to contactless technology will follow normal access control system upgrades in individual DoD offices within a year or two. When an office buys a new access control system, it will meet government standards and likely include contactless readers. “Once installed, employees in those offices will be walking around with contact CAC cards,” Butler says. “At that point, they will probably get temporary contactless cards from the vendor. Later, when we issue contactless CAC’s, the temporary cards will go away.”
But it might work differently, continues Butler. If the Army or another service wants to spend the money, it could move to a new contactless CAC right away. “We want to facilitate different business approaches that don’t force groups to make changes until they are ready,” he says.
Eventually, the contactless technology will also incorporate biometric data for use with physical security.
Further down the road, Butler hopes to revise the CAC card specifications to fit a new design for federal government physical access control systems. Called the Physical Access Control System Implementation Guidance, it lays out a plan to build interoperable physical access control systems across departments of the federal government. Says Butler: “When someone from DoD goes over to the Department of the Interior, he or she would have the hope of being recognized by their security system and let in.”