CAC

CAC -- Common Access Card

The Common Access Card (CACCACIdentityUS DoD identification smart card.Click to view →) is the standard identification smart card issued by the United States Department of Defense to active-duty military personnel, reserve members, civilian employees, and eligible contractors. Serving as both a physical identification badge and a cryptographic credential, the CAC provides authenticated access to DoD buildings, computer networks, and secure communication systems.

Card Contents

Each CAC contains a dual-interface module with multiple X.509 certificates and RSA 2048-bit key pairs for identity authentication, digital signing, and email encryption. The chip stores the cardholder's personal data, an electronic photograph, and two fingerprint biometric templates for identity verification. The cards EEPROM holds multiple applets including a PIV-compatible applet (for interoperability with federal civilian systems) and a legacy CAC applet that supports the DoD's existing PKI infrastructure.

Security and Certification

CAC cards must meet stringent security requirements. The smart card chips are certified to Common Criteria EAL 5+ or higher, and cryptographic modules carry FIPS 140 Level 2 validation. All cryptographic operations -- key generation, signing, and decryption -- occur within the cards secure element, ensuring private keys never leave the chip boundary. The DoD's PKI hierarchy issues certificates through the DoD Root CA and subordinate CAs, with certificate revocation checking enforced through OCSP or CRL distribution points embedded in each certificate.

Lifecycle and Deployment

The DoD issues approximately 3.5 million CAC cards annually through the Defense Manpower Data Center (DMDC). Cards are personalized at RAPIDS (Real-time Automated Personnel Identification System) sites, where electrical personalization loads cryptographic keys and certificates while graphical personalization prints the cardholder photo, name, rank, and agency affiliation. Each card has a three-year lifecycle, after which re-issuance is required. The CAC middleware (ActivClient or similar) enables integration with Windows smart card login, email clients (S/MIME), and web browsers for CAC-authenticated access to DoD portals.