21 December 2014

Derived credentials to roll out across DoD by July 2015

By Aaron Boyd
December 18, 2014

Personnel in the Department of Defense Office of the Chief Information Officer are piloting the use of derived credentials to send secure emails on their mobile devices without having to go through the added steps of plugging in an authorized common access card (CAC), a system that could be rolled out across the component agencies by this summer.

Placing credentials on a user's mobile device — derived from their CAC — enables use of authorized personal identity verification (PIV) for secure communications without forcing the user to plug in a sled (extraneous device) to read their CAC.

Employees began using this system at the end of September and the DoD plans to expand utilization across the department's agencies and services by July 2015.

"We want to move away from CAC cards and move into some derived capabilities so that we can make it a better user experience," said Randall Conway, director of C4 and Information Infrastructure at DoD OCIO. "There's a way to take your existing CAC card that all of us DoD folks have and then do a software [certification] capability off that CAC card."

Acting DoD CIO Terry Halvorsen signed a memo in September offering "Interim Guidance on the Use of DoD Personal Identity Verification Derived Public Key Infrastructure Credential on Unclassified Commercial Mobile Devices," allowing for a pilot program for secure email among certain employees within the DoD.

A full rollout across the DoD could begin as early as July 2015, according to Mark Norton, senior systems engineer at OCIO.

By simplifying the process, DoD is "hoping more mobile users will be encrypting and securing their emails," Norton said.

"We're trying to embrace the 'latest technologies' and at the same time integrate our security pillars that we require to make it safe," Norton said. "As we move from the hard tokens to derived credentials it's going to require a new supporting infrastructure and will most likely require upgrades to the middleware software that links the credentials to the applications."aa

Norton noted that it took the department five years to get the CAC PIV cards established throughout DoD and it will probably take another few years before derived credentials fully take hold across all the agencies.

"We believe we have a technical way forward that's secure, now the question is how we roll it out," he said.

The method is not meant to replace physical CACs but rather derive the credentials from them using a native key store.

"Possession of a CAC provides proof that face-to-face in-person verification was completed," the September DoD memo explains. "Derived PKI [public key infrastructure] credentials will identify the possessor of the CAC by asserting the same Common Name as the PKI certificates on the requestor's CAC."

The National Security Agency performed a risk assessment on the key store earlier this year and cleared it for storing derived credentials and securing unclassified information.

The National Institute for Standards and Technology (NIST) also issued a draft guidance document in March, outlining the process for issuing derived credentials and what should be done if either the CAC or mobile device is lost or stolen.


If the device is lost or stolen, the derived credentials can be rescinded from a central location. If the physical card is no longer in the authorized user's possession, credentials can be revoked or adjusted remotely.

"The ability to use the derived PIV credential is especially useful in such circumstances because the PIV card is unavailable, yet the subscriber is able to use the derived PIV credential to gain logical access to remote federally controlled information systems from his/her mobile device," NIST points out. "Similarly, the derived PIV credential is unaffected by the revocation of the PIV authentication certificate."

"Right now we're going to take the credentials we paid for on the CAC, derive them and put them on the phone," Norton said. "We can do that without messing them up and not having a train wreck, where you don't get my credentials and I don't get them wrong."

No comments: