A Common Access Card (CAC) issued by the United States Department of Defense (DOD) is a smart card used to access DOD systems and facilities. It is available in four different types, catering to active-duty military personnel, Selected Reserve personnel, DOD civilian employees, and eligible contractor personnel. This card serves as both an identification and access card, allowing authorized personnel to enter government buildings, controlled spaces, and access computer networks, systems, devices, and accounts.
The CAC is approximately the size of a standard debit or credit card and contains an embedded microchip. This microchip enables encryption, cryptographic signing of emails, and use of public key infrastructure (PKI) authentication tools. The card also includes a digital image of the cardholder’s face, two digital fingerprints, organizational affiliation, Social Security number, service or agency, card expiration date, and PKI certificate. Additionally, the card provides information such as rank, pay grade, blood type, date of birth, DOD benefits number, Geneva Conventions category, and DOD identification number.
To indicate the cardholder’s category, the CAC includes a color indicator. A blue bar signifies that the cardholder is a non-U.S. citizen, a green bar represents contractors, and a white bar represents all other personnel.
The DOD issues four types of CACs:
1. Armed Forces of the United States Geneva Conventions Identification Card: This CAC is issued to active-duty personnel, Selected Reserves, contracted Reserve Officer Training Corps cadets, employees of the National Oceanic and Atmospheric Administration (NOAA), and employees of the U.S. Public Health Services (PHS) in accordance with the Geneva Conventions.
2. U.S. DOD and/or Uniformed Services Identification Card: This card is issued to DOD and uniformed services civilian employees, eligible DOD, U.S. Coast Guard, or NOAA contractors, and non-DOD civilian and federal employees. The cardholder may hold one of five affiliations: Senior Executive Service, civilian, civilian affiliate, federal affiliate, or military affiliate.
3. U.S. DoD and/or Uniformed Services Geneva Conventions Identification Card for Civilians Accompanying the Armed Forces: This CAC is exclusively issued to emergency-essential civilian employees and contingency contractor personnel.
4. U.S. DoD and/or Uniformed Services Identification and Privilege Card: This card is issued to DOD and uniformed services civilian employees, DOD contractors residing in foreign countries for at least 365 days, DOD presidential appointees, eligible foreign military personnel, and uniformed and nonuniformed personnel of the Red Cross.
When using a CAC, personnel insert it into a smart card reader and enter their associated PIN. The card reader’s software compares the information on the card’s chip against data on a government server. Access is granted or denied based on this comparison. For electronic system access, the card must remain in the reader throughout the session. Removing the card ends the session, and the system remains inaccessible until the next user is validated with their CAC.
The CAC supports multifactor authentication by requiring the user’s username, password, CAC, and a PIN. This additional layer of security helps protect the user’s account from spoofing and other common security issues. The background check process for obtaining a CAC involves a Federal Bureau of Investigation fingerprint check and a National Agency Check with Inquiries (NACI). Individuals are subject to this thorough investigation to ensure their eligibility for a CAC. The sponsor is responsible for verifying and authorizing the applicant’s CAC application and initiating the background check. They also register the applicant in the Defense Enrollment Eligibility Reporting System (DEERS). The final verification and processing are completed on the Real-Time Automated Personnel Identification System (RAPIDS) site, which captures unique identifying characteristics of the individual, such as digital photographs and fingerprints.
If a cardholder is no longer affiliated with the DOD or fails to meet eligibility requirements, it is the sponsor’s responsibility to retrieve the CAC. The CAC’s active status is revoked in DEERS and RAPIDS, and its PKI certificates are also revoked.