DISA is testing technology that could someday replace the Common Access Card. (Army)
The Defense Information Systems Agency is taking a first step away from the Defense Department’s longtime security backbone, the Common Access Card (CAC), with a small, early pilot exploring derived credentials.
One month ago, the National Institute of Standards and Technology released draft guidance for government agencies looking to institute derived credentials, which store security certificates directly on a device instead of on a separate physical token – in the case of DoD, the CAC. NIST’s guidelines for derived credentials outline the use of secure, standards-based public-key infrastructure (PKI) credentials that rely on digital tokens instead of a physical card and card reader.
“We’ve gotten huge benefits from the PKI infrastructure in DoD and the CAC has carried us a long way; we're now doing a similar thing on SIPRNet,” said Mark Orndorff, DISA chief information assurance executive. “So our main effort in mobility is to bring that technology into the mobile platform, and the way I see it, the key is the derived credential and using the capabilities that the leading-level device vendors have built into their platforms so we can bring our certificate into their devices.”
DISA appears to be the first defense agency, if not the first government agency, to begin testing derived credentials. So far the pilot program, in its earliest stages, is very small – “a single-digit number of folks,” Orndorff said – and is limited to unclassified data. The focus is on ironing out some of the most significant, up-front challenges the move away from CAC poses.
“Really the hardest problem is going to be the provisioning side of it, to make sure we have a trusted and secure way of getting certificates on the device – once they’re on there, the security that the vendors have built into the devices, I think we're all very comfortable with how that's been provided,” Orndorff said. “If we make this clear [that] this is our main effort, get industry on board, get all of government on board...I think we can work through the remaining issues very quickly.”
Orndorff acknowledged there will be hurdles to overcome in the process of moving to a mobile world free of the familiarity of CACs, but he indicated it is a question of when, not if, the switch to derived credentials will happen.
“To me, that is the main enabler that will allow us to move mobility forward beyond the fringe-use cases we have today and make it a main capability for us in the future. We don’t want to get to the point where the use of mobile is less secure in the sense that we don’t have the same strength in our identity and access control,” he said. “Getting ourselves quickly away from the idea of using the CAC sleds and the sort of bridging solutions we’ve used in the past – we want to drive those solutions to end of life as fast as we can and move to the derived credentials stored on devices as the main effort going forward.”