DoD Issues Time-saving Common Access Cards
By Linda D. Kozaryn
American Forces Press Service
WASHINGTON, Oct. 10, 2000 Over the next several years, DoD officials expect "smart cards" to replace the identification cards of all active duty military, Selected Reserve personnel, DoD civilian employees and eligible contractors.
Bernard Rostker, undersecretary of defense for personnel and readiness, has his fingerprint digitally encoded on his Smartcard during an Oct. 6 demonstration. Photo by Staff Sgt. Kathleen T. Rhem, USA
(Click photo for screen-resolution image);high-resolution image available.
DoD began issuing the cards this month, Pentagon officials announced Oct. 10. Personnel at the Pentagon and Marine Corps Base Quantico, Va., will be among the first to receive the new card. The card will eventually allow physical access to secure areas, permit entry into DoD's computer networks and serve as he authentication token for DoD's computerized public key infrastructure, officials here said.
The Common Access Cards, as they're called, put DoD in the forefront of e-commerce and security, said Bernard Rostker, under secretary of defense for personnel and readiness. The cards feature barcoding, a magnetic strip and, for the first time, an embedded integrated circuit chip, he said.
"We'll be using this card for access to buildings, to computer systems, and eventually, it has the capability of facilitating electronic commerce, allowances, mess hall accesses and the like," he said. As new applications come on line, he added, DoD will have the wherewithal to allow its personnel to gain access to the various systems.
The deployment of the card moves DoD one step closer to a significant milestone in securing its information systems, said Paul Brubaker, deputy chief information officer, Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
"The smart card will give us the capability to digitally sign documents, transactions, orders and a lot of other implements we use to do business," he said. The cards also give DoD the capability to encrypt and thus privately exchange sensitive information over open networks.
What makes the card "smart" is the circuit chip, Brubaker said. The chip has the ability to read, write and perform various functions and operations on several thousand bytes of information,he said.
"I'd view this chip as a small computer without a monitor or power supply," he continued. "A smart card reader will provide the power to read the data on the integrated circuit and provide an automated interface between the chip and other computer systems."
The cards will store data on identification, demographics, benefits, physical security and card management, Brubaker said. "The chip will store certificates that enable the card holder to digitally sign documents such as e-mail, encrypt information and establish secure Web sessions to access and update information via the Internet.
The cards are about the size of a credit card. They've been tested in the services for the past two years and have proven to be efficient time savers that can be programmed for use everywhere from dining facilities to weapons armories, he noted.
"It's different from an ID card in that it has additional power," said Mary Dixon, director of DoD's Access Card Office. "You don't have just bar codes and printed data and pictures on it, you also have the capability to store and process information on the chip."
The Common Access Card will have 32 kilobytes of usable data space. About 7 kilobytes will be reserved for the services to program the cards with any applications they so choose, she said. One Marine Corps program, for example, would use cards to track weapons issued by armories.
The access cards will help eliminate standing in line, filling out forms and other administrative processing chores, Dixon said. Instead of moving service members from one station to the next, a simple swipe of the card provides all the necessary information. Flight manifests and deployment processing could be completed in minutes rather than hours.
"Every time we have introduced smart cards into an environment, even those that might have been apprehensive at first have found ways to use that card to improve the way they do business and to improve the quality of life," she said.
In Oahu, for example, the Army's 25th Infantry Division uses smart cards to determine deployment readiness.
"Under the old process," Dixon said, "a person would have to go to a gymnasium once or twice a year with all their records and go to several different stations. It would take them most of the day to go through that process. Now, deployment readiness can be verified in minutes if everything is up to date and in an hour if something requires updating or the person needs additional processing, such as receiving and recording a shot."
In some cases, she added, personnel are required to show up as much as four hours before a flight. They sit and wait while their information is processed for the manifest. With smart cards, the wait can be cut by half or more. "So that's more time that's given back to the soldier, sailor, airman, Marine -- or it's given back to the commanders to use for training," she said.
Initially, the cards will contain identification and security information. Later versions will also hold information about service members, such as inoculations, medical and dental data, finance allotments and other data.
"People have to be somewhat patient though," Dixon said. "We are just beginning to develop applications that can work across the board, so the card may be used in certain areas more than in others."
The need for information security on the Defense Department's computer networks has driven the decision to employ smart cards, Dixon said. The card will serve as a hardware token containing several "keys" for use in the DoD "public key infrastructure," or PKI.
An individual's smart card will receive a private and a public code. A personal identification number, selected by the cardholder, must be used with the card to access the computer network. The card shuts off if the user enters the wrong PIN too many times, Dixon said.
The PKI creates the foundation and structure for authorized access to Defense Department computer systems. It will allow cardholders to conduct secure online transactions. The individual uses the "digital keys" on the smart card to access secured applications, to digitally sign documents and to encrypt and decrypt information.
Defense officials say a critical element of this infrastructure is that it requires strong and substantial evidence of the individual's identity. The integrity of the information sent is such that a party cannot successfully deny the origin, submission or delivery of the encrypted information or the integrity of its contents.
"The information stored on the card allows you to prove you are the person you say you are," Dixon explained in simpler terms. "When you conduct business on the Internet, for example, people can give you access to their systems and they'll know that it's you that is actually logging on, not some other person that happens to have your password."
In 1999, then Deputy Defense Secretary John Hamre authorized the department to implement the program, which military officials have been working on in one form or another for more than a decade. DoD then worked to develop software and obtain card stock and hardware. Defense officials plan to install hardware in the more than 850 sites worldwide where the department currently issues ID cards and add over 150 new issuance stations at many existing and new sites. As the equipment is installed, local officials will then begin issuing Common Access Cards.
DoD does not plan to convert the ID cards of family members, retirees, members of the Inactive Guard and Inactive Ready Reserve or disabled veterans because no requirement has been identified to justify the expense, DoD officials noted. Each card costs about $8.
"It does not mean that we will never issue those cards," Dixon said. "Just imagine, for example, if the Defense Finance and Accounting Service wants to conduct business with retirees online, and they want to do it securely and make sure it's the right person doing the business. They are going to want the people to have a smart card."
For more information on the common access card, including a picture of a mock card, visit www.dmdc.osd.mil/smartcard.