The Defense Department is planning to accept a European-developed identification standard that will allow allied military personnel and contractors to access secure military networks under specific circumstances.
Multinational access considerations are part of a draft memo from DOD chief information officer Teresa Takai, said Paul Grant, director of cybersecurity policy in the DOD CIO’s office.
Speaking at a recent enterprise architecture conference in Washington, D.C., he said the memo outlines the card access roles and needs for DOD and civilian contractors and considers steps to expand authentication to allied government and commercial personnel to support U.S. foreign military sales. Grant noted that this aspect came out of the need for close multinational cooperation to support the massive Joint Strike Fighter program.
The Netherlands Ministry of Defence (MOD) has created a highly secure public key infrastructure that is cross-certified across multiple nations. U.S. foreign military sales personnel want to use the Dutch PKI system because it is more strongly bound to the individual user, its security and because there is no cost for U.S. users to maintain as it is already managed by the Netherlands MOD.
This will be the first cross-certified non-U.S. government entity added to the DOD’s list of trusted identity providers, Grant said.
The Dutch system also sets an example for what the U.S. wants its allies to do for identification accreditation. When the PKI system is accepted, Grant hopes that it is used to help manage the JSF program’s equipment and software lifecycles because this decades-long effort will require close communication and cooperation between governments and defense contractors.
The DOD is very interested in these cross-certified credentials because they are an opportunity to issue more flexible identification to foreign military personnel and contractors.
The Defense Security Cooperation Agency currently issues one-time passwords to foreign military partners procuring U.S. equipment for foreign military sales. There aren’t many of these users, but they are scattered across the planet, Grant said. The DOD wants to expand this process to make strong credentials that work with allied governments around the world, he added.
The U.S. government already bases its cards, the DOD’s Common Access Card (CAC)
and the civilian agency Personal Identification Verification (PIV) card on a British security model, Grant said. The U.S. model uses four security levels ranging from one (no access to sensitive data) to four (access to classified information). He added that the DOD has been accepting level four credentials from external partners (allied nations and civilian U.S. agencies) since 2008.
Level two and three credentials extend to businesses working with the DOD and active and retired military personnel to access benefits.
The government also issues Personal Identification Verification-Interoperability (PIV-I) cards for private sector contractors. Grant notes that PIV-I cardholders cannot access certain types of data, but the cards do provide physical site access and some pre-approved data privileges.
One of the major challenges facing the government is harmonizing access and credential recognition between the various civilian and national security organizations, Grant said. He noted that 95% to 97% of the things done by all federal organizations are the same and this should be reflected in common access security standards for the majority of ID cards.
There is currently a joint DOD working group tasked with continuity monitoring that is coordinating cross-agency authentication and identity recognition efforts, he said.
The working group is hashing out plans for enforcing strong dynamic access identity and credential management. There is a need to share data across the services and this must be coordinated to work seamlessly, Grant said. As a part of this effort, the DOD is also developing dynamic policy based access management that will automatically change for a range of situations and variables based on the user’s access privileges.