Browse Definitions :

Common Access Card (CAC)

What is a Common Access Card (CAC)?

A Common Access Card (CAC) is a smart card issued by the Unites States Department of Defense for accessing DOD systems and facilities. The DOD issues four types of CACs as standard identification: those for active-duty military personnel, Selected Reserve personnel, DOD civilian employees and eligible contractor personnel. It enables such employees to access buildings, company data or facilities, such as elevators, copy rooms or server rooms, and it is roughly the size of a standard debit or credit card.

The DOD's CAC functions as both an ID card and an access card. As the latter, authorized personnel require one in order to physically access government buildings and controlled spaces and to electronically access the DOD's computer networks, systems, devices and accounts. The CAC also entitles the cardholder to certain benefits and privileges in accordance with DOD policies.

Individuals can be issued more than one CAC by the DOD if they have multiple personnel category codes. For example, a person who is both a reservist and a contractor is issued separate CACs for each category. However, no cardholder can hold multiple CACs under the same personnel category code.

common access cards are about the same size as a credit card
Common Access Cards from the U.S. Department of Defense (DOD) are smart cards about the size of a standard credit card. They enable users to access DOD systems and facilities.

Topology of DOD Common Access Card

A CAC has an embedded microchip that enables the encryption and cryptographic signing of email, as well as use of public key infrastructure (PKI) authentication tools. The microchip contains a digital image of the cardholder's face, two digital fingerprints, organizational affiliation, Social Security number, service or agency, card expiration date and PKI certificate.

The card also specifies additional details about the cardholder, such as the following:

  • Rank.
  • Pay grade.
  • Blood type.
  • Date of birth.
  • DOD benefits number.
  • Geneva Conventions category.
  • DOD identification number, also known as Geneva Conventions number.

A color indicator on the CAC readily indicates category. A blue bar shows that the cardholder is a non-U.S. citizen, a green bar represents contractors and a white bar represents all other personnel.

common components of public key infrastructure
A microchip embedded in the Common Access Card enables the encryption and cryptographic signing of email, plus public key infrastructure authentication.

Types of DOD Common Access Cards

The DOD issues four types of CACs.

Armed Forces of the United States Geneva Conventions Identification Card

The DOD issues this CAC to active-duty personnel, Selected Reserves, contracted Reserve Officer Training Corps cadets, employees of the National Oceanic and Atmospheric Administration (NOAA) and employees of the U.S. Public Health Services (PHS) in accordance with the requirements of the Geneva Conventions. The cardholder's service branch is printed on the card.

U.S. DOD and/or Uniformed Services Identification Card

The DOD issues this card to DOD and uniformed services civilian employees; eligible DOD, U.S. Coast Guard or NOAA contractors; and non-DOD civilian and federal employees. The cardholder for this variety of CAC may hold one of five affiliations:

  1. Senior Executive Service.
  2. Civilian.
  3. Civilian affiliate.
  4. Federal affiliate.
  5. Military affiliate.

U.S. DoD and/or Uniformed Services Geneva Conventions Identification Card for Civilians Accompanying the Armed Forces

The DOD exclusively issues this CAC to emergency-essential civilian employees and contingency contractor personnel.

U.S. DoD and/or Uniformed Services Identification and Privilege Card

The DOD issues this card to DOD and uniformed services civilian employees, DoD contractors residing in foreign countries for at least 365 days, DOD presidential appointees, eligible foreign military personnel, and uniformed and nonuniformed personnel of the Red Cross.

How a Common Access Card works

When personnel insert a CAC into a smart card reader and enter the associated PIN, the card reader's software uses standard internet protocols to compare the information on the card's chip against data on a government server and then either grants or denies access. When an employee uses a CAC to access an electronic system, the card must stay in the reader for the duration of the session. Removing the card from the reader automatically ends the session, and the system remains inaccessible until the next user is validated with their CAC.

A CAC supports multifactor authentication to access DOD systems and facilities. In addition to entering their username and password, the cardholder must also present the CAC and a PIN. Since the physical card itself is required for login, it helps protect the user's account from spoofing and other types of security issues common to traditional password-only systems.

Background investigations before issuance of a Common Access Card

All individuals eligible for a CAC are subject to a thorough background check by the DOD. This process involves both a Federal Bureau of Investigation fingerprint check and a National Agency Check with Inquiries (NACI).

The latter can take up to 18 months to complete, so if the former returns a favorable result, the applicant may be issued the CAC ahead of time. However, if the NACI process returns an unfavorable result, the DOD might revoke the issued CAC.

Sponsor's role in the issuance of a Common Access Card

All CAC applicants must be sponsored by a DOD government official or employee. Said sponsor takes responsibility for verifying and authorizing the candidate's application for the CAC. They also initiate the applicant's background check.

This sponsor must also register the applicant in the Defense Enrollment Eligibility Reporting System (DEERS) before the DOD can issue a CAC. The applicant must re-register in DEERS if their role changes. After registering in DEERS, they must complete the final verification and processing on the Real-Time Automated Personnel Identification System (RAPIDS) site.

Verifying officials use RAPIDS to authenticate cardholders and confirm that every cardholder has a sponsor and is currently affiliated with the DOD. RAPIDS also captures uniquely identifying characteristics about the individual, such as digital photographs and fingerprints, that bind the individual to the information maintained about them in DEERS and on their issued CAC.

If the cardholder becomes no longer affiliated with the DOD or no longer meets the DOD's eligibility requirements for a CAC, it is the sponsor's responsibility to retrieve the CAC. They must also retrieve the CAC when it expires or if it is damaged or compromised. When the CAC is retrieved, its active status is revoked within DEERS and RAPIDS. Its PKI certificates are also revoked.

Learn about six e-signature software providers, three types of PKI certificates and their use cases and five common authentication factors. Explore multifactor authentication benefits and technology, as well as the differences of symmetric vs. asymmetric encryption.

This was last updated in July 2023

Continue Reading About Common Access Card (CAC)

  • SD-WAN security

    SD-WAN security refers to the practices, protocols and technologies protecting data and resources transmitted across ...

  • net neutrality

    Net neutrality is the concept of an open, equal internet for everyone, regardless of content consumed or the device, application ...

  • network scanning

    Network scanning is a procedure for identifying active devices on a network by employing a feature or features in the network ...

  • virtual firewall

    A virtual firewall is a firewall device or service that provides network traffic filtering and monitoring for virtual machines (...

  • cloud penetration testing

    Cloud penetration testing is a tactic an organization uses to assess its cloud security effectiveness by attempting to evade its ...

  • cloud workload protection platform (CWPP)

    A cloud workload protection platform (CWPP) is a security tool designed to protect workloads that run on premises, in the cloud ...

  • Regulation SCI (Regulation Systems Compliance and Integrity)

    Regulation SCI (Regulation Systems Compliance and Integrity) is a set of rules adopted by the U.S. Securities and Exchange ...

  • strategic management

    Strategic management is the ongoing planning, monitoring, analysis and assessment of all necessities an organization needs to ...

  • IT budget

    IT budget is the amount of money spent on an organization's information technology systems and services. It includes compensation...

  • ADP Mobile Solutions

    ADP Mobile Solutions is a self-service mobile app that enables employees to access work records such as pay, schedules, timecards...

  • director of employee engagement

    Director of employee engagement is one of the job titles for a human resources (HR) manager who is responsible for an ...

  • digital HR

    Digital HR is the digital transformation of HR services and processes through the use of social, mobile, analytics and cloud (...

Customer Experience
  • chatbot

    A chatbot is a software or computer program that simulates human conversation or "chatter" through text or voice interactions.

  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.