In an age of heightened security demands and rapidly evolving mobile technologies, the Department of Defense is re-evaluating and updating its Identity and Access Management (IdAM) strategy to strengthen network access protection without placing undue burdens on authorized users.

"We've looked at a number of different solutions, from biometrics to different kinds of encryption; there's a whole spectrum of solutions out there," said Michael McCarthy, director of operations and program manager for the Army's Brigade Modernization Command, based in Fort Bliss, Texas.

Yet, even as research into promising IdAM technologies moves forward, common access cards (CACs) and personal identity verification (PIV) cards, the current IdAM mainstays, are not going away any time soon. "They are still important for physical access, and will be used in smart card readers on larger devices, particularly desktop computers," said Steve Taylor, a solution architect for Intel Federal in Fairfax, Virginia.

While CAC/PIV readers will continue to be used with laptop and desktop PCs, the next-generation mobile devices now being adopted by DoD organizations require a fresh IdAM approach. "The PIV card works quite well with laptops and desktops, but now we have new mobile computing devices that can't use the PIV card very easily," said Hildegard Ferraiolo, PIV program lead at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland. "These devices don't have built-in readers, so you have to have a bulky and cumbersome 'sled' to use a PIV card with it," she said.

McCarthy agreed. "I have an iPhone that has a little [external] plug-in reader," he said. "I can slide my CAC in and use it just like I do on my desktop computer." Yet McCarthy acknowledged that using a mobile device with an external reader in the field is inconvenient at best and dangerous at worst. "Most soldiers are carrying something in one of their hands — call it a weapon — and it causes them to be distracted," he said. "If they fail to enter the correct passcode after a certain number of times, the device locks up."

The Defense Information Systems Agency (DISA) currently operates two mobile security programs: the Defense Department Mobile Unclassified Capability for managing unclassified smartphones and the Defense Mobile Classified Capability program to approve secret and top-secret classified smartphone communications, said Tony Crawford, director of C4ISR solutions for IT services provider CACI in Arlington, Virginia.

"The creation of these programs allows industry to develop working mobile device solutions capable of meeting the stringent security requirements for mobile device access to DoD enterprise networks, because they have published government security standards/specifications," Crawford said. "This saves time and money both for industry and the government client; ensures security controls are considered during the entire systems engineering process; and reduces systems development to fielding timelines to keep pace with a very dynamic operational environment."

Derived credentials

DoD has struggled over the years to bring IdAM to mobile devices in a usable and cost-effective form. "Only in the past six months to a year have they really made great strides by looking at replacements for traditional smart cards to bridge the gap between their IdAM infrastructure and their mobile devices," said Eugene Liderman, public sector product management director for mobile security company Good Technology, located in Sunnyvale, California. "[DoD] spent years pushing for smart card integration in conjunction with mobile devices, starting with BlackBerry, followed by Windows Mobile, then with iOS and Android," he said. The agency then evaluated a variety of alternative form factors, including Secure Elements microSD cards. "The Defense Manpower Data Center [DMDC] did a pilot using NFC-enabled smart cards," Liderman said. "Now they are looking at derived credentials, which will be stored on the [mobile] device."

A derived credential is a separate certificate, with its own key pair held on the mobile device, that is issued only after the user has proved his or her identity with an existing credential, typically the certificate on a CAC or PIV card. Despite the name, nothing is mathematically derived from the card's key; what carries over is the user's verified identity and the assurance behind it. "Derived credentials is ... the process of creating this additional certificate derived from the certificate on the CAC or PIV and provisioning this derived certificate to the device, which is then used for certificate-based device and user authentication without the need for a CAC/PIV reader on the device," Taylor said.

Using a soft certificate or derived credential eliminates the need to have a reader either mounted on or attached to the mobile device. "This lowers costs, improves usability, lowers the total weight of the solution the user carries and increases the battery life of the device," Taylor said.

"In the short term, we will have a hybrid environment where the CAC will be used for physical access to buildings, logical access to computers and network access from a computer," Liderman said. Derived credentials, he observed, will likely be used for logical access into the devices and/or applications on the devices, as well as for network access to backend resources via mobile devices. "Ultimately, I believe we will see a convergence where the mobile device will replace the Common Access Card for traditional physical, logical and network access as [chip-based security technologies] like TrustZone and Trusted Execution Environment become more ubiquitous," he said.

According to Liderman, a great deal of work has already been completed in the effort to establish a path toward integrating IdAM technology directly into mobile devices. "We have the DoD CIO memo around the use of derived credentials, as well as NIST SP 800-153, which covers the best practices around implementing a derived credential," he said. "As a result, there are now multiple officially sanctioned pilots evaluating the approaches and techniques to distributing these derived credentials."

Taylor noted that DoD is currently running a one-year, 500-device soft certificates pilot, giving users access to NIPRNet, the Non-classified Internet Protocol Router Network that carries the department's unclassified but sensitive traffic. "These devices will use soft certificates to do native signing and encryption, native browser authentication, Exchange ActiveSync and VPN authentication," he said.

Taylor predicted that DoD organizations will eventually implement a process that validates a user to his or her CAC/PIV card to create a new certificate for the user's device and then provisions the certificate to the device. "The user will then use the new certificate from the device for various use cases, such as authenticating to the VPN or signing and encrypting email, using the new certificate on the device as per policy and usages established by the agency," he said. "For the most part, the infrastructure to support this, mainly certificate authorities, exists in the enterprise today."
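The process Taylor outlines, and the definition of a derived credential above, can be made concrete. The Go program below is an added example written for this edit; it is not code from the article, from DoD, from NIST or from any vendor quoted here, and it uses only the Go standard library (Go 1.18 or later, for the small generic helper). The CA names, the subject string "JANE DOE 1234567890", the lifetimes and the challenge-response enrollment step are assumptions made for illustration, not details the article or any published profile specifies. (NIST's guideline for derived PIV credentials is SP 800-157.) The program plays the PIV CA, the derived-credential CA, the card, the phone and a VPN gateway, and checks three things: that the user's identity is carried from the card's certificate into the device's, that a relying party trusting the derived CA accepts the device's proof of possession, and that the derived-credential issuer refuses to certify a device key when the challenge signature was not made by the PIV key.

```go
package main

// Added example, not from the article or any government implementation: a stdlib-only
// model of derived-credential issuance and use. Names, subjects and lifetimes are assumed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the setup code linear; every failure it can see is a programming error, not an input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func nonce() []byte              { n := make([]byte, 32); must(rand.Read(n)); return n }

// certify issues a certificate from tmpl for pub, signed by signer on behalf of parent
// (pass tmpl itself as parent for a self-signed CA).
func certify(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// ca stands in for either the PIV issuing CA or the derived-credential CA.
type ca struct {
	key   *ecdsa.PrivateKey
	cert  *x509.Certificate
	roots *x509.CertPool // the trust anchor a relying party configures for this CA
}

func newCA(name string) *ca {
	key := newKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotAfter: time.Now().Add(24 * time.Hour)}
	c := &ca{key, certify(tmpl, tmpl, &key.PublicKey, key), x509.NewCertPool()}
	c.roots.AddCert(c.cert)
	return c
}

// authCert issues a client-authentication certificate for pub with the given lifetime.
func (c *ca) authCert(pub *ecdsa.PublicKey, cn string, life time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().Add(life),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return certify(tmpl, c.cert, pub, c.key)
}

// signNonce is the holder's half of a challenge-response, whether the key sits on the card or the phone.
func signNonce(key *ecdsa.PrivateKey, n []byte) []byte {
	h := sha256.Sum256(n)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// verifyHolder is the relying party's half: cert must chain to roots for client
// authentication and sig must prove possession of the certified key for this nonce.
func verifyHolder(cert *x509.Certificate, roots *x509.CertPool, n, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(n)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match the certified key")
	}
	return nil
}

// issueDerived is the derived-credential CA's gate: certify a device-generated key only
// after the user proves possession of a PIV key that chains to the PIV root, carry the
// PIV subject over, and give the new certificate a shorter life than the card's.
func (dc *ca) issueDerived(piv *ca, pivCert *x509.Certificate, n, pivSig []byte, devicePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if err := verifyHolder(pivCert, piv.roots, n, pivSig); err != nil {
		return nil, fmt.Errorf("PIV authentication failed: %w", err)
	}
	return dc.authCert(devicePub, pivCert.Subject.CommonName, 90*24*time.Hour), nil
}

// runFlow walks the life cycle and reports the derived certificate's subject, whether a
// VPN trusting the derived CA accepts the device's proof, whether a PIV-only trust anchor
// rejects that same proof, and whether issuance on a forged PIV signature was refused.
func runFlow() (subject string, derivedOK, pivRejects, forgedRefused bool, err error) {
	pivCA, dcCA := newCA("Example PIV CA"), newCA("Example Derived Credential CA") // assumed names
	pivKey := newKey()                                                               // normally lives on the smart card
	pivCert := pivCA.authCert(&pivKey.PublicKey, "JANE DOE 1234567890", 3*365*24*time.Hour)
	deviceKey := newKey() // generated on the phone; only the public key leaves it

	// Enrollment: the issuer challenges the user, the card signs, the derived certificate is issued.
	n1 := nonce()
	derived, err := dcCA.issueDerived(pivCA, pivCert, n1, signNonce(pivKey, n1), &deviceKey.PublicKey)
	if err != nil {
		return "", false, false, false, err
	}
	// A signature by the device key proves nothing about the card, so issuance must be refused.
	_, forgedErr := dcCA.issueDerived(pivCA, pivCert, n1, signNonce(deviceKey, n1), &deviceKey.PublicKey)

	// Use: a VPN gateway challenges the device, which answers with the derived key.
	n2 := nonce()
	sig := signNonce(deviceKey, n2)
	return derived.Subject.CommonName, verifyHolder(derived, dcCA.roots, n2, sig) == nil,
		verifyHolder(derived, pivCA.roots, n2, sig) != nil, forgedErr != nil, nil
}

func main() {
	fmt.Println(runFlow())
}
```

Two points the model makes visible that the prose leaves implicit. First, the only link between the card and the phone is the issuer's policy: verify possession of the PIV key, then copy the subject into a certificate for a key the device generated itself. Second, the derived certificate chains to a different trust anchor than the card's, so every relying party (VPN gateway, mail server, web application) has to be told which issuers, and which assurance levels, it accepts; a gateway configured only with the PIV root rejects the derived credential, as the program checks. What the model deliberately does not show is the part that decides how much the derived credential is worth: how well the device protects the private key, which is the question behind Liderman's remarks about TrustZone and trusted execution environments and the reason a software-stored credential cannot be treated as equivalent to one that never leaves a smart card.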

McCarthy observed that DoD's overall network security efforts are already encouraging the adoption of a wide range of commercial off-the-shelf mobile devices.

"Commands are starting to purchase iPhones and iPads and Android phones and tablets because they are now able to operate in a secure environment," McCarthy said. "Four years ago I had DISA tell me they would never let a mobile device on a government network; today, I've got a DISA iPad that's a standard, off-the-shelf iPad, but I can go in and view my enterprise email, which is not classified, but it's sensitive."

Biometrics
Biometric technologies, such as fingerprint and iris readers, have long been touted as potentially useful IdAM methods. Yet DoD isn't even close to approving any type of biometric-based IdAM specifications or guidelines.

"We have looked at those technologies, but they're not quite ready for prime time," McCarthy said. "It's possible that as the technology improves we might move to biometrics, because then we will be able do multiple levels of authentication on a single device," he said.

"Biometrics may play a critical role with derived credentials as an additional factor of authentication, especially with people complaining that a derived credential on its own is not an adequate form of two-factor authentication," Liderman said. He noted that biometric technology could "layer in nicely" to help mitigate any perceived risk as an additional authentication factor. "The question is going to be whether policy will allow biometrics or prohibit it," he said.