The Defense Department has used the common access card, or CAC, for more than 20 years now, and there's no sign, as of yet, that the department is planning on doing away with the ID card. But the director of the Defense Information Systems Agency said he thinks it might be time to look for better ways for department personnel to prove who they are to gate guards, computers and chow hall personnel.
During a conversation today as part of the 2021 Billington Cybersecurity Summit, Air Force Lt. Gen. Robert Skinner, who serves as both DISA director and commander of Joint Forces Headquarters, Department of Defense Information Networks, said that identity management — which the CAC now plays a significant role in — is one area where the department can look to industry for a way ahead.
"I have this notion of — this little mantra of — I want to kill the CAC as the primary authentication mechanism for the department," Skinner said, adding that it will be the defense industrial base, and the U.S. industrial base, who will play a big part in helping the department find better solutions.
"We have to have something that's better," he said. "Industry has been, I'll say, using other authentication mechanisms — other things for leveraging identity management, access control. I want to leverage that. We want to leverage that technology to be able to provide greater options, so it's not just two-factor authentication, but it's truly multi-factor — and it's with the individual, it's with the device."
Identity, credential and access management, or ICAM, Skinner said, is the foundation for everything he said must happen within the department to improve data security. Being able to prove that an individual is who they say they are, that they are using a secure access device, and that they have the right privileges to access the information they want to see is a big part of that.
Skinner said the department must leverage what's happening in industry, and undergo a change in culture, to get to a "data-centric" environment versus a "network-centric" environment.
It's an environment, he said, where the department is more concerned with making sure data is protected and secure and less concerned about the infrastructure itself. Getting there, he said, will require the department to lean more on industry.
"We're really looking at the future of the SIPRNET, and the secure environment and how we take advantage of technology today — how we take care of what industry is able to do — to really transform, not just modernize, but how do we transform so that we can truly have the multi-factor, multi-level security, multi-level environment, so that it doesn't matter where you're trying to go, that you can get access to it as long as you have the right privileges and accesses," he said.