DISA inches closer to CAC alternative

The Defense Information Systems Agency is making strides toward employing a continuous verification capability.

people and data (Lightspring/Shutterstock.com)
 

The Defense Department's common access card has no shortage of critics, which is why the organization's tech agency is working on complementary alternatives.

Stephen Wallace, a systems innovation scientist who leads the Emerging Technologies Directorate at the Defense Information Systems Agency, said they're continuing to tweak Android mobile hardware and hope to have a viable product in the next year.

"Last year when we were here at forecast to industry, we talked about how we were working with a chipset manufacturer that integrates some of those capabilities into that chipset. From there, we've now pivoted to now working with a handset manufacturer to integrate those capabilities, working our way up the stack to make it available," he told reporters during a media roundtable at DISA's forecast to industry event Nov. 4.

Wallace said there's also a completely software-based prototype that's about nine months into its pilot cycle. Ultimately, the assured identity monitoring functionality with mobile devices will feed into desktops, integrating features in a new way, he said.

"I would hope that in about a year we'll be much further along and have that continuous authentication code in the background," Wallace said.

DISA has also taken up defending against online intrusions with web browser pilots that aim to isolate threats by putting an air gap between internet and enterprise networks.

"If you really look at a modern web page -- any old news site -- it's 6-, 8-, 10,000 lines of code that get downloaded with that machine," Wallace said. "At the same time, that browser may be talking to 60 other domains just [from] you trying to go to that website and that's what we're attempting to defend against."

The pilots scan the code for "anything malicious that's going on" while also monitoring the domains contacted by the user's browser, he said.

So far, the browser pilot programs cover about 15,000 end points to date, but the goal is to hit 100,000 in the next three to six months with the end game of transitioning the entire department to the solution, Wallace said. DISA also plans to down-select the vendors involved in the next four months but the initial focus is on testing.

DISA is also working on network slicing, an ability to dedicate a chunk of the network to specific needs such as separating traffic over certain VPNs as the Defense Department explores 5G. Wallace said there are interoperability challenges when slicing across vendors, and the agency is working with DOD as it experiments with the technology on military bases.