Since 2001, the Common Access Card (CAC) has reigned as the government-wide standard for network and system security access control. Servicemembers, federal employees, and government contractors are all too familiar with this Department of Defense (DoD) ID card. And while the CAC represents “a” standard, it appears that few of its recipients would call it the “gold” standard. If you read the comments posted on social media by soldiers, they usually refer to CACs as something else—most commonly, “a pain in the ass.” Their words; I’m just quoting here. U.S. soldiers aren’t the only people experiencing pains in their hindquarters from these problematic pieces of plastic. CACs, despite being so deeply entrenched in the federal workflow, are a nightmare for administrators and a tedious burden for users, including contractors. But now, Air Force Lt. Gen. Robert Skinner has declared that he wants to “kill the CAC.” Cue the fanfare.
Common Grievances for Common Access Cards
I always considered CAC a poorly thought-out acronym. It sounds like “cack,” which, as an intransitive verb, means to vomit. As a noun, it’s defined as dung. I’m not making this up. It’s been in the vernacular since the 15th century. But the card with the unfortunate-sounding name has managed to earn an unfortunate reputation, though the ID remains an inescapable presence in the daily lives of government personnel. You want to enter the base and report for duty? Have your CAC ready. Logging onto military computers? Not without your CAC. Heading to the mess hall for chow? You’ll need your CAC. Trying to place your people onsite at a major project you were awarded as a federal contractor? None of these folks are knocking out tasks until they receive their CACs.
“The CAC has become a cultural touchstone among service members who find common ground over the trials and tribulations of having one’s life tied to a 3.375 inch-by-2.125 inch piece of plastic,” wrote David Roza for Task & Purpose. “There’s the folly of accidentally sticking your credit card into the CAC reader; the struggle of taking a decent CAC picture; the anguish of forgetting your CAC at the base gate; and the surprise of finding your CAC doodled all over after you left it unattended all night.”
But one DoD official has set his sights on eliminating the cumbersome card.
“I have this notion of — this little mantra of — I want to kill the CAC as the primary authentication mechanism for the department,” said Air Force Lt. Gen. Robert Skinner, the director of the Defense Information Systems Agency and the commander of Joint Forces Headquarters, Department of Defense Information Networks.
Surprisingly, this isn’t the first time a Defense higher-up has floated the idea of bidding farewell to the CAC. In 2016, as reported by Federal News Network’s Jason Miller, Terry Halvorsen, then Chief Information Officer for the DoD, said he wanted to phase out CACs within two years:
“We will not eliminate public-key infrastructure. We will not eliminate high security. But frankly, CAC cards are not agile enough to do what we want,” Halvorsen said at the FedForum 2016 sponsored by Brocade in Washington. “We may still use them to get into a building or something, but we will not use them on our information systems. We will use true multi-factor that actually does a couple of things for me — gets me more agile because there is an overhead for CAC cards, not just cost overhead, but a time overhead and in my business it’s a location overhead. It’s really hard to issue a CAC card when people are dropping mortar shells on you and you need to get into your systems. It just doesn’t work well.”
A Better, More Secure Way
During his address at the 2021 Billington Cybersecurity Summit, Lt. Gen. Skinner—who serves as both DISA director and commander of Joint Forces Headquarters, Department of Defense Information Networks—proposed capitalizing on the cybersecurity advances that commercial enterprises have pioneered:
"We have to have something that's better," he said. "Industry has been, I'll say, using other authentication mechanisms — other things for leveraging identity management, access control. I want to leverage that. We want to leverage that technology to be able to provide greater options, so it's not just two-factor authentication, but it's truly multi-factor — and it's with the individual, it's with the device."
Skinner believes that identity, credential, and access management must become the foundation for all data security efforts at the department. He suggested that the government look more closely at the developments occurring within industry and prepare for a cultural change that embraces data-centric environments over network-centric ones. In other words, Skinner envisions an environment where the emphasis is on data security and protection rather than on the infrastructure that provides it. This kind of philosophical paradigm shift, however, comes with its challenges.
Nicolas Chaillan, the Air Force’s first chief software engineer, resigned in September because of frustrations with military leadership’s reluctance to fix the “most basic information technology issues,” including Zero Trust systems like two-factor authentication.
“We are running in circles trying to fix transport/connectivity, cloud, endpoints, and various basic IT capabilities that are seen as trivial for any organization outside of the U.S. Government,” explained Chaillan in his resignation announcement on LinkedIn.
Future Opportunities
Skinner’s primary concern involves the future of the Secret Internet Protocol Router Network (SIPRNet), a system of interconnected computer networks that the DoD and the State Department use to transmit classified information by packet switching in a “completely secure” environment. Transformation will require not just modernization but the implementation of a truly “multi-factor, multi-level security, multi-level environment, so that it doesn't matter where you're trying to go, that you can get access to it as long as you have the right privileges and accesses.”
The lieutenant general didn’t offer specifics or a proposed plan to accomplish these goals. And that’s probably because the department hasn’t conceived of any. But his application of pressure and his sense of urgency illustrate the growing worry about increasingly sophisticated cyberattacks, ransomware, and an infrastructure not updated enough to continue preventing them.
There are, however, two big upsides for federal contractors. First, CACs could disappear sooner rather than later. And that’s a logistical relief for those struggling to simply staff a contract. Second, achieving the ends Skinner idealizes will require government to lean heavily on industry and leverage the innovations its businesses keep producing at a rapid pace. Federal contractors capable of supporting these IT and cybersecurity needs will likely become more instrumental as the government’s modernization efforts grow.