History of the Common Access Card (CAC)

March 20, 2012
The government’s identity verification program continues to evolve and grow

Since its introduction in the early 2000s, the Common Access Card (CAC) has become the most widely used Department of Defense (DoD) identity credential, with more than 24 million cards issued to date. Its genesis dates to 1999, when Congress directed the Secretary of Defense to implement smart card technology within the DoD that would increase efficiency, security and readiness.

It has been estimated that the DoD issues more than 10,000 cards every day. The CAC has become the standard identification card for active duty military personnel, reserve personnel, DoD civilian employees, non-DoD government employees, state employees of the National Guard and eligible contractor personnel.

When the CAC was launched, there was no consolidated and interoperable ID management for civilian employees, reservists and active duty personnel. The CAC gave everyone a single credential that could be used as a general identification card as well as for authentication to enable access to DoD computers, networks and certain facilities. The DoD’s Defense Manpower Data Center (DMDC) is responsible for CAC issuance, and has steadily transitioned from a simple card issuance to more secure and scalable identity management based on the Public Key Infrastructure (PKI), which provides the framework for securely exchanging information based on public key cryptography.

The CAC has also steadily moved toward meeting further compliance with new federal identity requirements imposed by Homeland Security Presidential Directive-12 (HSPD-12), which established a new federal standard for identification credentials issued to all federal employees and eligible contractors. HSPD-12 is intended to provide a scalable and interoperable solution that enhances security, increases government efficiency, reduces identity fraud, and protects personal privacy, and also established the federal government’s vision for future converged logical and physical security.

Beginning in October 2006, the DoD launched a new CAC in compliance with HSPD-12, and in November of 2006, published a document entitled “Implementation Guide for CAC Next Generation (NG),” which defined guidelines for implementing the government’s Federal Information Processing Standard 201 (FIPS 201) Personal Identity Verification (PIV) of Federal Employees and Contractors to meet the HSPD-12 mandate.

The CAC NG guidelines document also specified technical details for implementing interagency PIV I and PIV II NIST Special Publication (SP) 800-73 transitional requirements in the DoD CAC environment. The PIV transitional data model has been added to the existing CAC v2 card in conjunction with other evolutions such as an electronic purse for cashless payment, and physical access control. Finally, the SP 800-73 document also documented how the DoD CAC and middleware implement PIV interoperability.

As the DoD explains at http://www.cac.mil/, the PIV solution is implemented on the DoD CAC NG, but is largely separate and distinct from the DoD multi-application CAC, and will evolve at its own pace but in the same environment. Meanwhile, the purpose and function of the CAC NG remains much broader than the focused interoperability function of the PIV.

The new CAC maintains all the features of the earlier card. Additionally, the new CAC contains advanced technology designed to improve the security of federally controlled facilities and computers, while ensuring that federal employees and contractors have a safe working environment. The next-generation CAC also uses contactless technology to transfer data between the card and the card reader for physical access, speeding the identity authentication process and making it easier to manage heavy traffic entering controlled facilities.

In addition to PKI certificates, the CAC NG also added biometrics in the form of a digital photo and index fingerprint information. Biometrics provides the ability to positively bind the individual to his or her credential, and the integration of biometrics and PKI on the CAC provides an added multi-factor authentication capability for logical and physical access systems. The CAC NG also has more storage capacity to accommodate biometrics and the federally-required PIV certificate.

While the capability to provide both physical and logical access is built into the CAC NG, this is not yet available to all card holders, and access control remains the responsibility of each local command or agency. Since CAC NG issuance began in Oct. 2006, cards have been phased in throughout the DoD as earlier CACs expire. Meanwhile, both the current CAC and the new CAC are valid forms of DoD identification. Managing the transition and FIPS 201 compliance requires a broad ecosystem of products including RFID cards and readers, as well as smart cards, readers and middleware used for secure identity assurance and network authentication, plus secure card printing and issuance solutions, and a variety of tools for achieving FIPS 201 compliance.

The CAC has reached a number of impressive milestones including its tenth anniversary and the issuance of more than 24 million credentials. It continues to prove its value and, with the advent of ongoing technological advances, will deliver even greater security, utility and convenience in the years ahead.

Stephane Ardiley is Product Marketing Manager for HID Global.