10 years later, CAC is securely part of DoD

Wednesday - 2/23/2011, 7:06am EST

WFED's Jason Miller

Click below to hear part one of the report

Download mp3


Click below to hear part two of the report.

Download mp3

By Jason Miller
Executive Editor
Federal News Radio

The Defense Department's secure identity card almost died after the initial pilot.

In 1996, the Army began testing a multi-access reader card in Hawaii, but decided not to continue with the program despite its initial success.

But a group of Navy enthusiasts picked it up from the Army and created a DoDwide program, yet still focused in the Hawaii area.

"They were looking for a place that was isolated because there were things like electronic money pieces that went into it," said Mike Butler, the deputy director for Identity Services at the Defense Manpower Data Center in an interview with Federal News Radio. "They wanted a place that was contained and where people wouldn't be taken their cards and traveling all over the place with the expectation of service. That was the official explanation."

Butler said the unofficial story provides the real details of why the DoD Common Access Card (CAC) became the prototype for government and industry in a short 10 years.

He said several Navy people from Washington who supported the idea of a secure ID card were transferred to Hawaii at the same time.

"The four or five of them really had the idea of how to make this work," said Butler, who credits these supporters for showing him the promise of the technology. "They went out there and made this thing into something that someone had to stand up and pay attention to."

By November 1999, DoD created what became the Common Access Card office and began to create the DoDwide standard for smartcards.

A year later issued its first card with more than 500 data elements and only 32k of space on the card. But in a short amount of time, DoD saw the huge benefits the card could provide and pushed the issuance across the department. And by 2002, the military issued its millionth card.

"If you look back to what it was back then, there was no civilian standard ID card in the department," he said. "Of course, we always had the standard military ID cards. There was no overarching strategy for how we were going to use that in the future other than it was really a benefits card and Geneva Conventions card."

Now 10 years later, all 3.5 million employees have CACs and are using them to electronically sign e-mails, submit time and attendance information securely and most significantly, log onto to the DoD network. The cybersecurity benefits of the card are among the biggest success stories for DoD, Butler said.

Now, DoD issues more than 10,000 cards a day to its employees with a lot more memory-128k and 144k cards-for new applications.

Butler said 32k would be equivalent to a medium sized Microsoft Word file with only text and no graphics. The new cards have enough memory to store iris scans or other biometrics.

"Eighty percent of my e-mail and almost 100 percent of normal business that comes in is either signed or encrypted," said Butler who left DoD in 2007 to work for the General Services Administration and the National Institute of Standards and Technology before returning in 2010. "That is huge change in the three years I've been gone. That is all because of a digital signature on a CAC, which has been put into a business process. It's so much easier than all the nonsense that used to have to go through. We've been able to automate things by having these great cryptographic cards."

DoD's CAC became the model for Homeland Security Presidential Directive-12 and the Personal Identity Verification (PIV) mandated issued by President Bush in 2004.

And while civilian agencies continue to struggle to use these secure identity cards, DoD is advancing their use for broad physical security and other potential uses such as transit benefits and an electronic purse.

The Office of Management and Budget earlier this month mandated civilian agencies use their secure ID cards for logical and physical security by 2012. DoD implemented logical access in 2006, and several military sites, including the Pentagon already use it for physical access.

"We've been investigating adding the transit, which is not just Washington Metro, but something we do across the country if we work together," he said. "We also are looking at a purse, which could be used for a lot of applications in the department and outside of it. I'm also hoping the card will be a lot stronger for digital signatures because it's like the no-brainer thing we all have to do across the country."