UFC 4-021-02NF
27 September 2006
change 1, 23 October 2006
smart card operates at 13.56 MHz, which is more than a hundred times faster than the
data exchange rate of 125 kHz proximity cards. There are also hybrid cards available,
which have either both types of smart card chips in one plastic body or have both
cards can store enormous amounts of data such as access transactions, licenses held
by individuals, qualifications, safety training, security access levels, and biometric
templates. One principal security advantage of smart cards is that cryptographic
capabilities can be used to send card information only to legitimate readers and to encrypt that
transmission so that the system remains immune from replay attacks. It is difficult to
copy security credential information onto a forged card. For more information on the
federal standard for electronic smart cards, refer to NIST FIPS 201.
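The replay immunity described above can be modeled as a challenge-response exchange. The following is an added example, not taken from this UFC or from FIPS 201: it uses a keyed MAC (HMAC-SHA256) over a reader-issued nonce rather than encryption of the transmission, and the class names, card ID, and key provisioning are assumptions.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Card whose secret key never leaves the chip (simplified model)."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge):
        # The MAC binds the answer to this card ID and this one challenge.
        msg = self.card_id.encode() + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Reader:
    """Reader that accepts a response only for its own outstanding challenge."""

    def __init__(self, enrolled_keys):
        self._keys = enrolled_keys   # card_id -> key (assumed provisioned)
        self._pending = {}           # card_id -> nonce awaiting a response

    def new_challenge(self, card_id):
        nonce = secrets.token_bytes(16)
        self._pending[card_id] = nonce
        return nonce

    def verify(self, card_id, response):
        nonce = self._pending.pop(card_id, None)  # each nonce is single use
        key = self._keys.get(card_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, card_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    key = secrets.token_bytes(32)                 # constructed sample key
    card = SmartCard("CARD-0001", key)            # constructed sample ID
    reader = Reader({"CARD-0001": key})
    captured = card.respond(reader.new_challenge("CARD-0001"))
    genuine = reader.verify("CARD-0001", captured)
    replay_unsolicited = reader.verify("CARD-0001", captured)
    reader.new_challenge("CARD-0001")             # reader starts a new session
    replay_new_session = reader.verify("CARD-0001", captured)
    return genuine, replay_unsolicited, replay_new_session
```

A card that transmits only a fixed identifier has no equivalent of the nonce, so a recorded transmission stays valid indefinitely; here the recorded response is rejected both when no challenge is outstanding and when a new one has been issued.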
3-4.7.5 Common Access Card (CAC). The CAC is a credential used by the DoD to
allow access to DoD computers and physical locations worldwide. For each individual,
one card works for all access to computers and physical locations. The CAC is a Java-based
smart card. It can store a number of personal demographic data elements. It
supports multiple bar codes and a magnetic stripe for legacy applications, making the
card extremely versatile. A standard developed by the Security Equipment Integration
Working Group, SEIWG-012, provides details on the formatting of the information to be
encoded on track two (2) of the magnetic stripe of the CAC. SEIWG's intent is to ensure
that cards can store enough data to determine information such as the individual
cardholder, the branch of the military from which the card was issued, and the base
from which the card was issued.
Per DoD Directive 8190.3, the CAC should be "the principal card enabling physical
access to buildings, facilities, installations, and controlled spaces. This policy does not
require DoD components to dismantle immediately current access systems, or preclude
the continued use of supplemental badging systems that are considered necessary to
provide an additional level of security not presently afforded by the CAC (e.g., such as
entrance into a SCIF or other high security space). The DoD plan is to migrate to the
CAC for general access control using the CAC's present or future access control
capabilities. In the future, CACs will be contactless (13.56 MHz) compliant with ISO
14443 and NIST 6887 (Government Smart Card Interoperability Specification). This
technology is proposed to be included in the next generation of CAC. For more
information on the Government smart card program, refer to http://smartcard.nist.gov/.
Since the CAC is not fully implemented, an additional badge may be required for
dependants, contractors, temporary employees, host-nation workers or when an
additional card provides an added capability not currently provided by the CAC.
3-4.7.6 Operational Strategies. Operational strategies for badge policy, such as
where the badge is worn, the type of photograph (if required), backgrounds for area
authorization, rules of challenge, and penalties for not wearing or for losing the badge, are important but
are not within the scope of this design guide.
3-4.7.7 Card Reader/Card Type Recommendation. New projects should consider
new technology smart cards and the CAC. Magnetic stripe readers used with the CAC