DOD web site among first to eradicate passwords
Research site mandates PKI certs for all external users
11 April, 2016
category: Corporate, Digital ID, Government, Smart Cards
The federal government’s use of user IDs and passwords for access to its applications could soon give way to more secure PKI-based credentials if more government entities follow the lead of the U.S. Department of Defense. The Defense Department is leveraging PKI to better protect its information systems, with the intent of making access much more secure than the old login system. The DOD’s Defense Technical Information Center (DTIC) – a DOD entity that serves the information needs of the defense community and maintains a large database of research information – announced that it would no longer enable users to access its secure websites by a user ID and password.
The project is a real-world trial of a password-free environment. If users don’t balk, it could serve as a model for others to follow.
Instead, DTIC will rely on the use of one of three PKI-based digital credentials: a DOD Common Access Card, a Personal Identity Verification (PIV) credential or an External Certification Authority (ECA) certificate.
The Defense Department established the External Certificate Authority program years ago as part of an overall effort to provide a stronger and more secure authentication for accessing information systems. The agency launched the program to enable the issuance of DOD-approved certificates to contractors and other external entities that otherwise do not qualify for or need a DOD Common Access Card. ECA certificates can be software-based, stored within the user’s Internet browser, or hardware-based and stored on a smart card or USB token.
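As an added illustration, not DTIC’s own configuration (the article does not describe it), this nginx server block enforces the same rule: the only way in is a TLS client certificate that chains to an approved issuer bundle, with no password fallback. The hostname and file paths are placeholders.

```nginx
# Added example (not DTIC's configuration): certificate-only access to a
# research site. Hostname and paths are placeholders.
server {
    listen 443 ssl;
    server_name research.example.mil;                # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder

    # Trust anchors: only the approved issuers (e.g. a bundle of the CAC,
    # PIV and ECA roots/intermediates) belong here. A certificate from any
    # other CA fails the handshake even if it is otherwise valid.
    ssl_client_certificate /etc/nginx/tls/approved-issuers.pem;  # placeholder bundle
    ssl_verify_client      on;   # "optional" would let a password fallback creep back in
    ssl_verify_depth       3;    # root -> intermediate(s) -> user certificate

    # Revoked credentials must stop working: check the issuers' CRLs.
    # The CRL file has to be refreshed on the issuers' publication schedule.
    ssl_crl /etc/nginx/tls/approved-issuers.crl;     # placeholder

    location / {
        # Defense in depth: with ssl_verify_client on, an unverified client
        # never reaches here, but this keeps the rule explicit if the
        # directive is ever relaxed.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Hand the verified identity to the application instead of a login
        # form. The backend must accept these headers only from this proxy.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Issuer $ssl_client_i_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Software-based and hardware-based certificates look identical to the server; the difference is only where the user's private key lives.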
DTIC’s requirement of PKI-based credentials is one of the first known cases of a government entity requiring PKI in lieu of a user ID and password for access to systems. Industry leaders say that this use case could be the first of many for the government.
“There are hundreds, if not thousands of use cases for PKI that would solve a myriad of problems throughout the government space,” says Richard Jensen, director of government sales for IdenTrust, one of three contractors providing ECA certificates to DTIC. Jensen runs IdenTrust’s ECA program. Symantec and Operational Research Consultants also provide the certificates.
DTIC relies on several outside contractors to support its research and development work in science and technology. ECA certificates are of particular use to people who contract with the DOD but don’t receive a CAC card because they don’t require physical access to DOD facilities.
“Our industry partners are a critical component of how we perform work in the department. So making sure that they can get to information is important,” says Christopher Thomas, administrator of the Defense Technical Information Center.
DTIC set up its capability to accept ECA certificates in October and is requiring users to have PKI login credentials by early 2016. “We’re expecting to see a rush of people applying for certificates,” Jensen says.
ECA as an option for contractors
About a year and a half ago, IdenTrust received a call from one of the program managers at DTIC asking about the ECA program. DTIC had a database of research information that had been poorly protected. “As research is extremely valuable, one of DTIC’s goals was to lock this down so that they had better control over who was accessing the data and more visibility into that,” Jensen says.
Thomas says DTIC’s move to the ECA credential for industry members who can’t get the CAC is a natural progression to make sure the program is securing access to the information, but still making sure people can get to it.
“We know that having a certificate gives us a higher assurance of who the person connecting to us is, and it will allow us to have more confidence in sharing the information,” Thomas says.
Companies that have already issued ECA credentials to employees for internal use are the most likely initial users, he explains. Companies that aren’t using the certificates will be slower to understand the benefits.
The DTIC project gives a nod to digital certificates in multiple form factors, enabling both hardware-based certs and software-based certs.
“We really are going to need to have communication and outreach to help other people understand it. I expect that it will take awhile for the full adoption,” Thomas says.
DOD cracks down on passwords as logins
At the outset of the ECA program, the DOD didn’t enforce the use of certificates for access to information systems. “Thus, it took a long time for adoption to really start,” Jensen says.
When the DOD first came up with its PKI-based certificate program and started issuing PKI credentials to its personnel, they did it through the Common Access Card. This created an issue for DOD systems that defense contractors needed to access, because the DOD had to issue CAC cards to these contractors. “It was a very time consuming and expensive endeavor to give CAC cards to people outside their own domain,” Jensen says.
In response, the DOD came up with the External Certificate Authority program to issue DOD-approved credentials to the defense contractor community. ECA certificates serve three functions for contractors: 1) logical access to DOD information systems, 2) digital signatures and 3) encryption.
About five years ago, the DOD started cracking down on entities that were still using user IDs and passwords and pushed to require that they enable their systems with PKI. “Slowly but surely, more and more systems are coming online,” Jensen says.
“Originally, we saw adoption of the ECA certificates for logical access to DOD information systems, and recently, we’ve seen more use for digitally signing and encrypting emails. So it’s an easy way for them to protect what we call data in transit,” Jensen says.
There are a number of systems in the DOD realm that defense contractors need to access in order to do business with the department. One example is the Joint Personnel Adjudication System, or JPAS.
In order for defense contractors to have meetings discussing DOD business, they need to meet defense standards and assign what’s called a facility security officer, or FSO. An FSO is required to verify that whenever there’s a meeting involving DOD topics, every person attending meets security standards that have been validated in the JPAS system. To access the system, the officer needs to use an ECA certificate.
DTIC sets example with PKI use
Jensen believes DTIC’s use of PKI credentials, including ECA certificates, could serve as a best practice for other government applications. “Every agency in government and every agency in the DOD has use cases for this,” he says.
For example, pilots have to send their health information to the FAA to obtain their license. Much of this information is personal, yet the pilots submit it via fax. “It’s a very insecure way to send this information, and people should be able to digitally sign it, encrypt it and send it,” he says.
Once people realize what can happen when systems are not properly secured, Jensen says the adoption rate will start to change. One of the main barriers is that there is no known enforcement behind this adoption, even though the DOD is telling agencies to follow these guidelines. “In the PKI world, the only time you really see rapid adoption is when there’s accountability, enforcement and use becomes mandatory,” he says.
Thomas says that people will appreciate the ease of using the certificates once they get through the registration process. “I know that for my own purposes, moving away from a login and password to a CAC made it a lot simpler for me because I didn’t have to constantly change my password and keep track of it on different systems,” he says.
As more organizations adopt the use of ECA certificates, people will be able to use one certificate for multiple purposes, instead of having to maintain different logins and passwords for each different system they use.
Jensen is confident that as more organizations start following the DOD guidelines, information systems will be more secure and breaches minimized. “It’s really exciting when institutions like DTIC adopt certificates, because they see a lot of benefits,” he says.