What is a Common Access Card (CAC)?
A Common Access Card (CAC) is a smart card issued by the Unites States Department of Defense for accessing DOD systems and facilities. The DOD issues four types of CACs as standard identification: those for active-duty military personnel, Selected Reserve personnel, DOD civilian employees and eligible contractor personnel. It enables such employees to access buildings, company data or facilities, such as elevators, copy rooms or server rooms, and it is roughly the size of a standard debit or credit card.
The DOD's CAC functions as both an ID card and an access card. As the latter, authorized personnel require one in order to physically access government buildings and controlled spaces and to electronically access the DOD's computer networks, systems, devices and accounts. The CAC also entitles the cardholder to certain benefits and privileges in accordance with DOD policies.
Individuals can be issued more than one CAC by the DOD if they have multiple personnel category codes. For example, a person who is both a reservist and a contractor is issued separate CACs for each category. However, no cardholder can hold multiple CACs under the same personnel category code.
Topology of DOD Common Access Card
A CAC has an embedded microchip that enables the encryption and cryptographic signing of email, as well as use of public key infrastructure (PKI) authentication tools. The microchip contains a digital image of the cardholder's face, two digital fingerprints, organizational affiliation, Social Security number, service or agency, card expiration date and PKI certificate.
The card also specifies additional details about the cardholder, such as the following:
- Pay grade.
- Blood type.
- Date of birth.
- DOD benefits number.
- Geneva Conventions category.
- DOD identification number, also known as Geneva Conventions number.
A color indicator on the CAC readily indicates category. A blue bar shows that the cardholder is a non-U.S. citizen, a green bar represents contractors and a white bar represents all other personnel.
Types of DOD Common Access Cards
The DOD issues four types of CACs.
Armed Forces of the United States Geneva Conventions Identification Card
The DOD issues this CAC to active-duty personnel, Selected Reserves, contracted Reserve Officer Training Corps cadets, employees of the National Oceanic and Atmospheric Administration (NOAA) and employees of the U.S. Public Health Services (PHS) in accordance with the requirements of the Geneva Conventions. The cardholder's service branch is printed on the card.
U.S. DOD and/or Uniformed Services Identification Card
The DOD issues this card to DOD and uniformed services civilian employees; eligible DOD, U.S. Coast Guard or NOAA contractors; and non-DOD civilian and federal employees. The cardholder for this variety of CAC may hold one of five affiliations:
- Senior Executive Service.
- Civilian affiliate.
- Federal affiliate.
- Military affiliate.
U.S. DoD and/or Uniformed Services Geneva Conventions Identification Card for Civilians Accompanying the Armed Forces
The DOD exclusively issues this CAC to emergency-essential civilian employees and contingency contractor personnel.
U.S. DoD and/or Uniformed Services Identification and Privilege Card
The DOD issues this card to DOD and uniformed services civilian employees, DoD contractors residing in foreign countries for at least 365 days, DOD presidential appointees, eligible foreign military personnel, and uniformed and nonuniformed personnel of the Red Cross.
How a Common Access Card works
When personnel insert a CAC into a smart card reader and enter the associated PIN, the card reader's software uses standard internet protocols to compare the information on the card's chip against data on a government server and then either grants or denies access. When an employee uses a CAC to access an electronic system, the card must stay in the reader for the duration of the session. Removing the card from the reader automatically ends the session, and the system remains inaccessible until the next user is validated with their CAC.
A CAC supports multifactor authentication to access DOD systems and facilities. In addition to entering their username and password, the cardholder must also present the CAC and a PIN. Since the physical card itself is required for login, it helps protect the user's account from spoofing and other types of security issues common to traditional password-only systems.
Background investigations before issuance of a Common Access Card
All individuals eligible for a CAC are subject to a thorough background check by the DOD. This process involves both a Federal Bureau of Investigation fingerprint check and a National Agency Check with Inquiries (NACI).
The latter can take up to 18 months to complete, so if the former returns a favorable result, the applicant may be issued the CAC ahead of time. However, if the NACI process returns an unfavorable result, the DOD might revoke the issued CAC.
Sponsor's role in the issuance of a Common Access Card
All CAC applicants must be sponsored by a DOD government official or employee. Said sponsor takes responsibility for verifying and authorizing the candidate's application for the CAC. They also initiate the applicant's background check.
This sponsor must also register the applicant in the Defense Enrollment Eligibility Reporting System (DEERS) before the DOD can issue a CAC. The applicant must re-register in DEERS if their role changes. After registering in DEERS, they must complete the final verification and processing on the Real-Time Automated Personnel Identification System (RAPIDS) site.
Verifying officials use RAPIDS to authenticate cardholders and confirm that every cardholder has a sponsor and is currently affiliated with the DOD. RAPIDS also captures uniquely identifying characteristics about the individual, such as digital photographs and fingerprints, that bind the individual to the information maintained about them in DEERS and on their issued CAC.
If the cardholder becomes no longer affiliated with the DOD or no longer meets the DOD's eligibility requirements for a CAC, it is the sponsor's responsibility to retrieve the CAC. They must also retrieve the CAC when it expires or if it is damaged or compromised. When the CAC is retrieved, its active status is revoked within DEERS and RAPIDS. Its PKI certificates are also revoked.
Learn about six e-signature software providers, three types of PKI certificates and their use cases and five common authentication factors. Explore multifactor authentication benefits and technology, as well as the differences of symmetric vs. asymmetric encryption.