
Common Access Card (CAC)

What is a Common Access Card (CAC)?

A Common Access Card (CAC) is a smart card issued by the United States Department of Defense for accessing DOD systems and facilities. The DOD issues four types of CACs as standard identification: those for active-duty military personnel, Selected Reserve personnel, DOD civilian employees and eligible contractor personnel. It enables such employees to access buildings, company data or facilities, such as elevators, copy rooms or server rooms, and it is roughly the size of a standard debit or credit card.

The DOD's CAC functions as both an ID card and an access card. As the latter, authorized personnel require one in order to physically access government buildings and controlled spaces and to electronically access the DOD's computer networks, systems, devices and accounts. The CAC also entitles the cardholder to certain benefits and privileges in accordance with DOD policies.

Individuals can be issued more than one CAC by the DOD if they have multiple personnel category codes. For example, a person who is both a reservist and a contractor is issued separate CACs for each category. However, no cardholder can hold multiple CACs under the same personnel category code.

Common Access Cards from the U.S. Department of Defense (DOD) are smart cards about the size of a standard credit card. They enable users to access DOD systems and facilities.

Topology of DOD Common Access Card

A CAC has an embedded microchip that enables the encryption and cryptographic signing of email, as well as use of public key infrastructure (PKI) authentication tools. The microchip contains a digital image of the cardholder's face, two digital fingerprints, organizational affiliation, Social Security number, service or agency, card expiration date and PKI certificate.

The card also specifies additional details about the cardholder, such as the following:

  • Rank.
  • Pay grade.
  • Blood type.
  • Date of birth.
  • DOD benefits number.
  • Geneva Conventions category.
  • DOD identification number, also known as Geneva Conventions number.

A color indicator on the CAC readily indicates category. A blue bar shows that the cardholder is a non-U.S. citizen, a green bar represents contractors and a white bar represents all other personnel.

A microchip embedded in the Common Access Card enables the encryption and cryptographic signing of email, plus public key infrastructure authentication.

Types of DOD Common Access Cards

The DOD issues four types of CACs.

Armed Forces of the United States Geneva Conventions Identification Card

The DOD issues this CAC to active-duty personnel, Selected Reserves, contracted Reserve Officer Training Corps cadets, employees of the National Oceanic and Atmospheric Administration (NOAA) and employees of the U.S. Public Health Services (PHS) in accordance with the requirements of the Geneva Conventions. The cardholder's service branch is printed on the card.

U.S. DOD and/or Uniformed Services Identification Card

The DOD issues this card to DOD and uniformed services civilian employees; eligible DOD, U.S. Coast Guard or NOAA contractors; and non-DOD civilian and federal employees. The cardholder for this variety of CAC may hold one of five affiliations:

  1. Senior Executive Service.
  2. Civilian.
  3. Civilian affiliate.
  4. Federal affiliate.
  5. Military affiliate.

U.S. DoD and/or Uniformed Services Geneva Conventions Identification Card for Civilians Accompanying the Armed Forces

The DOD exclusively issues this CAC to emergency-essential civilian employees and contingency contractor personnel.

U.S. DoD and/or Uniformed Services Identification and Privilege Card

The DOD issues this card to DOD and uniformed services civilian employees, DoD contractors residing in foreign countries for at least 365 days, DOD presidential appointees, eligible foreign military personnel, and uniformed and nonuniformed personnel of the Red Cross.

How a Common Access Card works

When personnel insert a CAC into a smart card reader and enter the associated PIN, the card reader's software uses standard internet protocols to compare the information on the card's chip against data on a government server and then either grants or denies access. When an employee uses a CAC to access an electronic system, the card must stay in the reader for the duration of the session. Removing the card from the reader automatically ends the session, and the system remains inaccessible until the next user is validated with their CAC.

A CAC supports multifactor authentication to access DOD systems and facilities. In addition to entering their username and password, the cardholder must also present the CAC and a PIN. Since the physical card itself is required for login, it helps protect the user's account from spoofing and other types of security issues common to traditional password-only systems.
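The login flow described above, as a simplified model added here for illustration (it is not DOD or vendor software). The `Card`, `Workstation` and `DIRECTORY` names, the ID numbers and the PINs are constructed for the example, and the PIN check is a stand-in for the check a real card performs on its own chip.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

def hash_pin(pin: str) -> bytes:
    # Toy stand-in: a real card verifies the PIN on its own chip.
    return hashlib.sha256(pin.encode()).digest()

@dataclass(frozen=True)
class Card:  # constructed model of the chip contents
    dod_id: str
    expires: date
    pin_digest: bytes

# Constructed server-side records: ID number -> card status.
DIRECTORY = {"1000000001": "active", "1000000002": "revoked"}

class Workstation:
    def __init__(self, directory, today):
        self.directory = directory
        self.today = today
        self.card = None          # card currently in the reader
        self.session_user = None  # set only after every check passes

    def insert(self, card, pin):
        """Card inserted and PIN entered: return (granted, reason)."""
        self.card, self.session_user = card, None  # never inherit a session
        if not hmac.compare_digest(card.pin_digest, hash_pin(pin)):
            return False, "bad PIN"
        if card.expires < self.today:
            return False, "card expired"
        # Fail closed: a revoked card and an unknown card are both denied.
        if self.directory.get(card.dod_id) != "active":
            return False, "not active on server"
        self.session_user = card.dod_id
        return True, "granted"

    def remove(self):
        """Card pulled from the reader: the session ends immediately."""
        self.card = self.session_user = None

    def can_access(self):
        # Access requires the validated card to still be in the reader.
        return self.card is not None and self.session_user == self.card.dod_id
```

The server-side status is checked on every insertion, so a card that still looks valid on its face is refused as soon as its record is no longer active.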

Background investigations before issuance of a Common Access Card

All individuals eligible for a CAC are subject to a thorough background check by the DOD. This process involves both a Federal Bureau of Investigation fingerprint check and a National Agency Check with Inquiries (NACI).

The latter can take up to 18 months to complete, so if the former returns a favorable result, the applicant may be issued the CAC ahead of time. However, if the NACI process returns an unfavorable result, the DOD might revoke the issued CAC.

Sponsor's role in the issuance of a Common Access Card

All CAC applicants must be sponsored by a DOD government official or employee. Said sponsor takes responsibility for verifying and authorizing the candidate's application for the CAC. They also initiate the applicant's background check.

This sponsor must also register the applicant in the Defense Enrollment Eligibility Reporting System (DEERS) before the DOD can issue a CAC. The applicant must re-register in DEERS if their role changes. After registering in DEERS, they must complete the final verification and processing on the Real-Time Automated Personnel Identification System (RAPIDS) site.

Verifying officials use RAPIDS to authenticate cardholders and confirm that every cardholder has a sponsor and is currently affiliated with the DOD. RAPIDS also captures uniquely identifying characteristics about the individual, such as digital photographs and fingerprints, that bind the individual to the information maintained about them in DEERS and on their issued CAC.

If the cardholder becomes no longer affiliated with the DOD or no longer meets the DOD's eligibility requirements for a CAC, it is the sponsor's responsibility to retrieve the CAC. They must also retrieve the CAC when it expires or if it is damaged or compromised. When the CAC is retrieved, its active status is revoked within DEERS and RAPIDS. Its PKI certificates are also revoked.


This was last updated in July 2023
