The Department of Defense's Business Case for Smart Card Technology

The Department of Defense (DoD) is implementing smart card technology as its identification (ID) card for active duty uniformed services personnel, members of the Selected Reserve, DoD civilian employees, and eligible contractors. The new ID card is called the Common Access Card, or CAC. Beta testing of CAC issuance and functionality is currently taking place in over 16 locations, both in the United States and at overseas installations.

First and foremost, the CAC is an approved and authorized DoD ID card. Some versions of the CAC also serve as the U.S.
Geneva Conventions ID card. Current uniformed services Geneva Conventions ID cards will be replaced by CACs as the current cards expire or as replacement otherwise becomes necessary. Figure 1 shows a sample, front and back, of the new Armed Forces of the United States Geneva Conventions ID card.

Because it supports identification, physical access, and logical access functions, the CAC looks different from previous identification cards. First, it is white, not green. (But certain populations will receive CACs with color stripes for visual identification.) Second, the front has a vertical orientation with a color photograph. Third, the CAC contains a lot of media: a traditional bar code, a two-dimensional bar code, a magnetic stripe, and an integrated circuit chip. The bar code media provide backward compatibility for existing ID-card-enabled applications. The magnetic stripe is intended primarily for physical access (in support of DoD's physical access standard), but could also be used for financial applications. The intent is, in the future, to migrate applications supported by bar code and stripe media to the chip while developing additional applications primarily to interface with the chip.

One of the most immediate challenges is ensuring that this card becomes recognized worldwide as the valid DoD ID card. This conversion is a formidable undertaking with aggressive goals and objectives. Not only is the CAC being issued to populations that didn't previously receive a standard DoD identification card, but also the technologies on and supporting the CAC are significantly advanced.

The functionality provided by the CAC goes beyond the traditional role of identification (to include delivery and receipt of benefits and privileges). It serves as the primary token for DoD's Public Key Infrastructure (PKI) [1] digital certificate rollout, and it functions as a badge that can be used for physical access to buildings and controlled areas. In supporting these multiple functions (especially the PKI) on a single platform, the CAC is the centerpiece of DoD's business case for smart card technology. Combining the three core functions of identification, physical access, and logical access on a single platform breaks new ground within DoD. It also demands approaches to development and funding different from those used in the past.

What Are Smart Cards?

Smart cards are credit-card-size devices normally carried and used by personnel. The cards contain one or more embedded integrated circuit chips (ICC). They may also employ one or more of the following technologies: magnetic stripe, bar codes (linear or two-dimensional), noncontact and radio frequency transmitters, biometric information, encryption and authentication, and photo identification. The chip essentially is a small computer, without a monitor or power supply, that is capable of storing and processing several thousand bytes of information.

Smart cards have been around since the 1970s and have seen significant popularity and growth in Europe and Asia, first primarily as (public) phone (stored monetary value) cards, and today as an integral component of the Global Subscriber Mobile (GSM) market, known as the Subscriber Identity Module (SIM). The GSM is the predominant mobile communication standard in those areas of the world. The SIM provides access control to networks, service personalization, branding and advertising to subscribers, and the ability to carry information between different mobile phones, if desired.
Other applications for smart cards today include financial (banking), mass transit, health card, identification/authentication, and electronic benefits transfer. Smart cards have experienced recent growth in the United States in the credit card industry--first with American Express's Blue and later with a Visa-sponsored smart card implementation. Fielding a smart card infrastructure (especially card readers and/or point-of-sale devices) is a large and expensive undertaking for which, until recently, there has been no business case.

Smart cards can add security for transactions that take place with a card not physically present at the point of sale, for instance, Internet shopping. In a recent study, over 50 percent of credit card fraud reportedly took place over the Internet, which accounted for only 2 percent of total transaction revenue. [2] Moreover, the risk is higher for merchants conducting business over the Internet. A July 2000 survey on Internet e-tailing by the Gartner Group [a technology and research firm] found that 2.6 percent of Internet transactions result in charge-backs to merchants from either customer disputes or fraud. Further, the survey found that merchants pay fees that are 66 percent higher for Internet transactions than they pay for in-store transactions.
Under the card-not-present rules that govern Internet transactions, merchants absorb the full costs of charge-backs. In addition, it generally is understood that a technology upgrade is needed from the current magnetic-stripe-based credit and debit cards used extensively in the United States in order to enhance security and deploy a platform that can provide a better dynamic capability over time.

Smart cards generally have followed Moore's Law with increasing memory and processing power. [3] Today, smart cards have grown from basic data storage devices to capable computing platforms and are supported by Microsoft, Sun Microsystems, and the MasterCard/MAOSCO Consortium, all of which have developed specific operating systems for smart cards (that is, Windows for Smart Cards, JavaCard [TM] and MULTOS, respectively). Visa is also linked closely with smart card technology, given its support of the Global Open Platform, an open specification for secure financial applications and card management with smart cards. Smart card standards and specifications have evolved slowly, but are now at a point where large-scale implementations are taking place.

One of the largest smart card implementations to date in the United States, DoD's CAC is an advanced smart card with a 32K Java [TM] Virtual Machine and cryptologic co-processor ICC capable of generating private keys that never leave the CAC. This is a strong security model for the protection of digital certificates, providing clear advantages over software-based tokens, such as floppy diskettes that must have the information transported and downloaded onto them.
Though not currently employed on the CAC, contactless smart cards are also available that do not need to be inserted into a reader--they simply can be waved in the proximity of a reader to conduct a transaction, such as a purchase or gaining access. Smart cards that have biometric sensors on the card, capable of comparing a human feature--such as one's fingerprint--to a known template, also are in development.

Smart Card Pilot Applications in DoD

DoD has been conducting demonstrations, pilots, and studies of smart card and other automated information technologies for several years. In those evaluations, smart cards clearly have shown cost savings, mission enhancements, and improvements in quality of life for Service members. Early applications have included manifesting and tracking of personnel, food service, deployment readiness, property and weapons issuance and control, attendance and mustering, training and qualifications, immunizations, stored (monetary) value, and dental treatment. Most of these applications have been tested at the Service level in specific locations, such as initial-entry training facilities and on the island of Oahu, Hawaii. Oahu was selected because of the proximity of installations of all Services that offered a ready-made joint environment for testing.

These demonstrations also have illustrated the innovation of personnel, at the installation level, who have developed applications by reengineering current business processes. Many of these demonstration sites have self-funded the continued use of smart card applications beyond their pilot periods, indicating strong user loyalty and acceptance. DoD has learned a great deal from conducting these pilots and demonstrations.
Among the benefits of smart card technology over other automated information technologies are its support by industry and its general worldwide acceptance. This has spawned an increase in card capabilities, with prices of cards and supporting peripheral equipment (such as card readers) decreasing over time. Experience has proven that the key ingredient for a successful smart card application is using the technology as an enabler for business process reengineering. Without this business-based approach, the deployment of smart cards basically would be a technology insertion, providing little or no added value.
Take, for example, the food service application that has been piloted. The first step in using smart cards for food service was to provide a patron's authorization to eat in a government dining facility. This was done using a meal entitlement code, which basically identifies whether the individual is entitled to eat at government expense. This smart card application automated the check-in process, significantly decreasing and even eliminating the long lines that previously formed because each individual was required to manually enter information and sign a registration form for each meal. Some dining facilities are considering using smart-card-enabled turnstiles for completely automated access. Also previously supporting this process was a local infrastructure to create, issue, and manage a meal card for those personnel entitled to eat at government expense.

So, initially, smart card technology was used to automate the entrance/verification process. It quickly was realized that this application could build an automated headcount and automatically complete the forms that previously were manual. No longer did the forms have to be picked up after each meal and manually entered into a food management information system; they could be electronically interfaced, thereby automating much of the back-office functions for meal attendance and accountability. The new smart-card-enabled process made data more accurate (eliminating reliance on handwritten sign-in information) and more reliable for managing inventories and receiving reimbursement for meals served. In fact, information could be relayed to a display in the kitchen in real time, streamlining food preparation and minimizing waste.
An added feature of the smart card that benefits the Service member, the dining facility, and the finance office is that members can authorize the deduction of funds from their pay accounts to cover the cost of their meals. With the addition of a personal identification number (PIN), this security feature enables users to authorize "cashless" payments. The adoption of smart card technology for the food service application highly automated diner check-in and back-office data entry and reduced cash management and the need for added security measures for cash collections. Dining facility employees thus can direct more attention to food preparation and quality and customer service.

Although individual applications (like food services) have provided significant benefits, no single application by itself could demonstrate sufficient return on investment to offset the cost of an entire DoD smart card infrastructure. However, by supporting multiple applications, the cost of the support infrastructure (especially issuance) is lowered per application. The use of smart cards for multiple applications makes the best business case for DoD. But it also makes card management more challenging, as there are many more functional owners and decision makers involved.

Early applications primarily used a data-centric approach; that is, a lot of information regarding an individual was placed on the card. As such, the card can be used as a portable data carrier in the absence of connectivity. It also enabled a number of off-line transactions and processes.
However, in a multi-application environment, the large amount of on-card data made card management difficult, since individuals would be carrying a separate database that needed to be kept up to date. In implementing the CAC DoD-wide, DoD has moved toward minimizing data on the card, which is called a Web-centric approach. In this approach, the CAC is the authentication device needed to access the server or system-based data. This approach alleviates the challenge of maintaining large amounts of information on the CAC. It also supports DoD goals and a vision of moving to broad information access, faster exchange, and more ubiquitous connectivity.

DoD may not be able to do everything and meet all of its requirements with a single smart card. For example, there are significant policy issues and industry practices to consider before placing a stored (monetary) value application, which may be sponsored by a financial institution, on a DoD identification card. However, as evidenced by the food service pilot application, financial applications can be enabled with a PIN and the CAC's digital certificates. These issues will be evaluated on a case-by-case basis as requirements are identified.

DoD's Public Key Infrastructure

The strategy that underlies DoD Information Assurance (IA) is "Defense in Depth," in which layers of defense are used to achieve security objectives. The DoD PKI is a supporting layer of this strategy, providing a vital element for a secure IA posture for the Defense Information Infrastructure. Security services provided by DoD's PKI include the following:

* Identification and authentication
* Data integrity
* Confidentiality of information and transactions
* Nonrepudiation to facilitate mission-related and e-business transactions internal to DoD and with external organizations

The last service is a key point. PKI can enable electronic commerce and electronic business by providing a strong and secure sense of who did what, and when (that is, a binding transaction).

The CAC is the DoD-designated hardware token for certificates and their accompanying private keys for use on unclassified networks. Certificates are instruments used to convey trust. The DoD PKI issues identity, e-mail signing, server (device), and encryption certificates. To achieve common certificates across the entire DoD, the DoD PKI identity, e-mail signing, server (device), and encryption certificates have a minimum/common set of attributes, based on open standards and specifications. In simpler terms, the CAC enables individuals to authenticate themselves over networks, including the Internet, digitally sign e-mail, and encrypt e-mail--in other words, conduct secure transactions that no one can deny having conducted (nonrepudiation).

DoD Smart Card Governance

The U.S.
Congress has been a strong supporter of smart card technology within DoD, including designating the senior DoD decision-making body for smart card technology as the Smart Card Senior Coordinating Group (SCSCG). The SCSCG has been chartered to develop and implement DoD-wide interoperability standards for use of smart card technology and to craft a plan to exploit smart card technology as a means for enhancing readiness and improving business processes. The DoD Chief Information Officer has been assigned overall responsibility for smart card technology within DoD.

As a technology-based tool, smart cards don't fit a long procurement cycle, such as that of a major weapons system. Requirements and technology change too fast to plan five or seven years in advance. Applications should be easy and quick to develop, and interfacing to the CAC should be made as easy as possible.

The decision to implement smart card technology DoD-wide was made in the fall of 1999. Following congressional direction provided in the Fiscal Year 2000 Defense Authorization Act, the Deputy Secretary of Defense mandated that smart card technology would be implemented as the CAC, with mandatory functions of identification, physical access, and logical access (that is, access to DoD's networks and computer systems).

Moving Forward with the CAC

Many organizations have had to review their requirements and reach compromise on the appearance and content of the CAC, since it first must meet basic identification card (for example, Geneva Conventions) needs. The CAC crosses several policy and functional boundaries in DoD. It also supports both a centralized
and a distributed architecture, meaning that some information and functions will be standard on all CACs, while the Components (the military services, DoD agencies, and warfighter commanders-in-chief) may determine the supplemental applications deployed on CACs carried by their assigned personnel.

Existing processes and procedures have been challenges to CAC development and fielding. The CAC offers a dynamic capability for both its magnetic stripe and chip that must be managed and properly controlled. It is actually a challenge to write hard-and-fast requirements for smart cards; just think of doing that for your personal computer 10 or 20 years ago. There are a lot of existing rules and regulations that will need to be reevaluated and revised to fully support and use the CAC across DoD.

Furthermore, DoD has not made extensive use of the media provided on previous versions of its identification cards. The traditional "teslin" ID cards have contained two bar codes for over seven years, yet few applications have been developed or enabled to use the bar code interface. The CAC, however, has a stronger driving force for automated interface: mandated PKI milestones for DoD moving to completely signed electronic mail and secure log-on to DoD networks and computer systems. Many Components also have aggressive time lines for public key enabling their existing applications and systems, using the certificates on the CAC.

Conclusion

The CAC is here! Even so, change in large organizations takes time, so it will take some time before the entire DoD is fully using the CAC technology. Combining an identification card with a PKI token and an access badge is a monumental challenge both procedurally and technically, especially for a target population of over four million recipients with varying needs and requirements.

DoD has been able to field an operating test issuance station in less than one year, thus proving that the technical capability exists. Beta testing also has shown that the card issuance process requires extensive communications with multiple issuing sites, and adjustments are being made to improve scalability and continuity of communications as testing is expanded. Underlying these technical issues is a basic need for bandwidth, and the Internet is being used to the maximum extent practicable to support CAC issuance. An additional challenge is that of the "last mile," where existing installation-level telecommunication infrastructures may need to be upgraded to minimize the time needed for card issuance.

DoD is moving to an automated interface with its new ID cards, and the use of available commercial off-the-shelf products has accelerated CAC technical development and implementation. Not only does the CAC offer stronger security, but it can also facilitate better uses of existing infrastructure. The CAC soon will be in everyone's hands--enabling business process reengineering, cutting through some of the inefficiencies of filling out forms and standing in lines, moving manual, paper-based transactions to automation--and accelerating the transition of time-wasting face-to-face transactions to the virtual realm!

Mary Dixon (aka Mary Snavely-Dixon) is currently the Director of the DoD Access Card Programs and DEERS/RAPIDS Operations, responsible for the implementation of smart card technology in the Department of Defense.
Over the course of her career, Mary worked for the Navy in manpower (determination of military and civilian requirements) and in Program Analysis and Evaluation (PA&E) in the Office of the Secretary of Defense. In 1977, she was appointed the Deputy Assistant Secretary of the Navy (Manpower), where she was responsible for military manpower, personnel, and training policy and issues within the Department. Mary also worked as a consultant addressing a wide range of manpower, personnel, and training issues throughout the DoD and FEMA. She returned to the federal government at the Defense Manpower Data Center in 1998. Mary holds a master's degree in business administration-operations research from George Washington University.

Endnotes

[1] Deputy Secretary of Defense Memorandum, subject "Smart Card Adoption and Implementation," November 10, 1999.

[2] According to an Unterberg Towbin study in 1998, more than 50 percent of disputed (or potentially fraudulent) charges at the Visa European division came from Internet transactions. However, Internet transactions represented only 2 percent of the division's total transaction volume.

[3] Moore's Law according to Encyclopedia Britannica: In 1965, for a special issue of the journal Electronics, Moore was asked to predict developments over the next decade. In reviewing past increases in the number of transistors per silicon chip, Moore formulated what became known as Moore's Law: The number of transistors per silicon chip doubles each year. In 1975, as the rate of growth began to slow, Moore revised his time frame to two years. His revised law was a bit pessimistic; over roughly 40 years from 1961, the number of transistors doubled approximately every 18 months. Magazines regularly referred to Moore's Law as though it were inexorable--a technological law with the assurance of Newton's laws of motion. Only time will tell if Moore's Law will be repealed.

Moore's Law according to Webopedia: In subsequent years, the pace slowed down a bit, but data density has doubled approximately every 18 months, and this is the current definition of Moore's Law, which Moore himself has blessed. Most experts, including Moore, expect Moore's Law to hold for at least another two decades.

[TM] Java and JavaCard are trademarks of Sun Microsystems.