Page 43 - FCW, August 2017

As insider threats and breaches continue to hit government agencies and the private sector alike, the search for better identity management and authentication tools has taken on newfound urgency. With its long-standing commitment to two-factor authentication, the Defense Department is on the front lines of that search.
The Common Access Card has been DOD’s gateway to access and the standardized identity credential for more than a decade, and the often-maligned card is not going away anytime soon. But DOD officials say they are making progress on finding a suite of identity management tools to eventually replace the CAC.
Former DOD CIO Terry Halvorsen announced in June 2016 that the chip-based CAC’s days were numbered, saying it was neither agile nor secure enough for today’s environments. At the time, he said he wanted to have a new set of technologies in place within two years, though he later admitted that timeline might have been too aggressive.
Rather than a single solution, Halvorsen wanted a suite of 10 or more biometric and behavioral tools that could be used in a revolving mix-and-match fashion so that at any given moment a user would be subject to five of those measures to gain and maintain system access. In addition, Halvorsen said he did not want to issue a heavily prescriptive requirement but instead let companies present commercially available solutions for DOD to evaluate.
BY SEAN D. CARBERRY
Normalizing authentication
A year later, the Defense Innovation Unit Experimental and DOD’s Office of the CIO are testing and evaluating several commercial technologies that are demonstrating the ability to interface with the vast array of existing military networks and systems and that have the potential for wide-scale deployment as next-generation identity management solutions.
Col. Tom Clancy, identity and asset management lead in the DOD CIO’s office, recently told FCW that CAC replacement is more likely to be an evolutionary process than a revolutionary one.
“In the absence of a ‘forklift’ replacement for the CAC, DOD is piloting vendor products that complement the CAC by addressing the use cases that CAC was unable to support,” he said. “In some of those cases, we had previously been accepting risk by using username/password. All of the capabilities we’re looking at show promise in supporting the operational mission while improving resistance to replay.”
DIUx is currently conducting proof-of-concept prototyping with companies Plurilock, Lastwall and Yubico, and the Defense Information Systems Agency is also partnering with industry to explore continuous multifactor authentication solutions.
During his time as CIO, Halvorsen was a relentless evangelist for using commercial technology at DOD, saying he wanted a paradigm in which buying commercial technology was the rule, not the exception.
“DOD is working to maximize [commercial technology] by normalizing our standards and expectations in conjunction with the federal government and other mission partners,” Clancy said.
One of the key motivations and objectives for replacing the CAC is to increase standardization and interoperability with the country’s allies. Clancy said the National Institute of Standards and Technology’s new SP 800-63 Digital Identity Guidelines are central to normalizing identity management at DOD. The department played a significant role in coordinating the new standards and brought mission partners into the process.
Clancy added that maximizing the use of commercial technology “will help drive down onboarding, life cycle and training costs, and reduce our reliance on [government off the shelf] products over time. DOD will continue to shift our coordination of identity capabilities and standards upstream to international standards bodies as a part of our normalization strategy.”
He said initiatives include evaluating and then deploying sensors on “devices we’re already purchasing — including biometrics and behaviors — [and that] appears to be near- to midterm from an enterprise adoption perspective.”
More complex biometrics
DOD is also exploring other dimensions of authentication such as “channel, band and environment” and “broader knowledge of a person’s patterns of life as factors,” which Clancy said offers interesting opportunities but also presents regulatory and other challenges.
The approach requires evaluating the privacy and civil liberties implications of collecting more behavioral data on users and drawing conclusions from that data.
“These types of authentication may lend themselves to authenticating our own subscribers to our own resources using equipment issued