Being Smart-Card Wiser

Lessons from a Department of Defense program are simplifying management for all.

The department of Defense faced numerous challenges around the issue of strong identity management when it implemented a credentialing and identity management program beginning in 2001.

This program produced a new identification card called the Common Access Card that would contain both identity information and PKI sets and certificates on a 32K smart card.

Learning from the DOD programs success, federal agencies are beginning to issue secure credentials this month, with the goal of having a standards-based, interoperable, multiapplication smart-card-based ID card issued throughout the federal government.

From the beginning, several principles that guided the CAC program also make sense for current or future secure identity programs in both the private and public sectors.

These principles include the idea that the components of the system should be commercial and off-the-shelf wherever possible and that they should be modular to allow for vendor competition in the program.

Next, interoperability among all parts of the enterprise needed to be built into the DOD program from the start. The DOD also needed to sustain this interoperability as the program matured and changes were made to the cards, middleware and operating systems. Finally, the DOD needed to integrate its legacy systems seamlessly with any new components.

The CAC would be the only card used in DOD networks and for physical access in DOD facilities. The issuance model was unique as well. In a 15-minute interaction, the goal was for an individual to provide proof of identity; update information in the central identity store; provide a new photo and biometric authentication; and surface and personalize the card, including the creation of three PKI (public key infrastructure) sets and certificates.

This interaction was to occur with the same time goal in any of more than 1,000 locations in the United States and in 27 other countries—using DOD intranet assets.

Today, more than 10 million CACs have been issued, and they continue to be issued at a rate of approximately 10,000 per day.

The DOD is continuing to build capabilities around this platform. Likewise, the card has continued to grow and mature. The components on the card, along with able cooperation from partner technology providers, have kept the promise of interoperability through all these changes.

There is good news in all this for those IT managers who are facing the daunting task of establishing an enterprisewide identity system based on sophisticated smart-card-based ID card programs.

/zimages/1/28571.gifDOD gets a handle on sensitive content. Click here to read more.

First, standards have emerged in many areas that lower both risk and cost for these systems. The technology has matured and is available to handle the complexity of these programs and also to integrate the different parts of an identity management system seamlessly.

Prices have come down for both the cards and the network and for client-side software pieces that connect the card to the infrastructure.

Finally, best practices have emerged—including many guiding the CAC program—which greatly increase the probability of success.

The identity industry has really done a wonderful job of working together for the customers benefit right at a time that the need for these systems worldwide is becoming critical.

Robert Brandewie was most recently director of the DODs Defense Manpower Data Center, where he was a principal architect of the CAC system. He is currently senior vice president in the Public Sector Solutions Group at ActivIdentity, which worked on that project. Contact him at

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.