All about Common Access Cards
Common Access Card (CAC) usage has caused concern and confusion for many long-time Army Knowledge Online (AKO) users. People call the AKO Help Desk and ask, "Will I still be able to use AKO from home?" Or, "If I am a retiree or a family member, will I still be able to use AKO?"
In an attempt to clear up the confusion, AKO officials have useful information to help users through the transition period. They would like users to understand why CAC usage is important, how you use your CAC with AKO and where you can go for help or more information.
There are also some common myths about CACs, the most prevalent of which is that certain users will be denied the ability to use AKO. This is not true. While there may be restrictions on what certain users may access, all AKO users will retain their AKO accounts and their ability to use AKO.
Myth: I heard that family members and retirees will soon be denied access to AKO!
Myth Busted: Not true. AKO will continue to support family members, retirees and other members of the AKO user community who are not currently issued CACs. Members of these communities will still be able to access AKO's services, both now and in the future. There may be content they do not have access to. Non-CAC holders will be granted access to AKO content commensurate with their need to know and in accordance with Army guidelines.
Family members: This means that your Family Readiness Group (FRG) Web sites are safe on AKO. Retirees: AKO will continue to provide services to you, including reunion Web sites. (To learn how to create an FRG or a reunion Web site on AKO, go to the Inside AKO page, click on the Training & Tutorials link in the top navigation bar, and look for AKO 102 - Creating and Managing a Site. You can also click to visit a sample FRG site).
Myth: How can this work? Everyone will need a CAC to log in to AKO.
Myth Busted: No! Logging in with your AKO username and password is still available. AKO users will need a CAC to access certain content on AKO or to perform certain functions, but other content will remain available no matter how you log in.
Myth: CAC readers cost $100 each - that's way too expensive!
Myth Busted: CAC readers vary in price depending on how many you buy, but you can find them for less than $29. Visit the Army Small Computer Program (ASCP) Smart Card Readers and Software Information Web site for more information.
Myth: This is so inconvenient - I will need to have a CAC reader at home to log in to AKO!
Myth Busted: No! You will still be able to log in to AKO from home without a CAC reader.
How Has AKO Changed to Support CACs?
Change #1: Account Sponsorship
All Active, Guard, Reserve, and DA Civilians either must log in to AKO with a CAC to sponsor guest accounts or will soon be required to do so. After your date passes, you will no longer be able to sponsor or renew guest accounts if you have logged in to AKO with your username and password.
Change #2: Password Resets
All Active, Guard, Reserve, and DA Civilians must log in to AKO with a CAC to reset their passwords or will soon be required to do so. After the dates listed below, it will be a requirement for the following account types to log in to AKO with a CAC to change their password: Active Army: July 1, National Guard/Reservists: Aug. 26.
Note: If your password expires during a period when you are away from a CAC reader, such as over a weekend or when you are traveling, you may click the "Password Problems" link on the splash page of AKO to reset your password without a CAC session. However, when you reset your password without a CAC session, it will expire in three days. At some point during those three days, you must log in with a CAC to reset your password to ensure that your password does not expire for the standard 150 days.
Change #3: Access to AKO Pages & Files
Rest assured that no part of the AKO user population will be isolated or unable to use AKO. While these changes may affect the content you access on AKO or the way you perform certain actions, they will not restrict your ability to carry out your required functions in the performance of your duties. Additionally, family members and retirees will continue to have access to the AKO content that they need. How will that be accomplished?
AKO has always allowed you to restrict the information you place on AKO based on individual users and/or groups of users. As of July 1, AKO will provide a new security feature that allows you to restrict the information you place on AKO based on how a person logged in to AKO - username/password or CAC/PIN.
When you create a new page, or change the discoverability of an existing page, you will be asked to choose the users who can see it. Look for a special "CAC Only" option that will allow you to restrict your information to users who have logged in with a CAC. This same option will be available for channels on your page, the knowledge centers where you keep your documents, and the forums where you discuss relevant issues. Remember that the choice is yours - but make sure to protect the information that you keep on AKO!
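An added example (not AKO's code and not part of the original article) that models two rules described above: the "CAC Only" option from Change #3 and the password lifetime from the note under Change #2. The names Session, Resource, can_view and password_expiry, the sample users and groups, and the choice to treat "CAC Only" as an extra condition on top of the user/group list are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class AuthMethod(Enum):
    PASSWORD = "username/password"
    CAC = "CAC/PIN"


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    method: AuthMethod


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_users: frozenset = frozenset()
    allowed_groups: frozenset = frozenset()
    cac_only: bool = False  # the "CAC Only" option chosen by the content owner


def can_view(session: Session, resource: Resource) -> bool:
    """Identity check first, then the login-method check layered on top."""
    identity_ok = (session.user in resource.allowed_users
                   or bool(session.groups & resource.allowed_groups))
    if not identity_ok:
        return False  # assumption: a CAC login never widens the access list
    return (not resource.cac_only) or session.method is AuthMethod.CAC


def password_expiry(reset_on: date, method: AuthMethod) -> date:
    """150 days after a CAC-session reset, 3 days after a reset without one."""
    days = 150 if method is AuthMethod.CAC else 3
    return reset_on + timedelta(days=days)


# Constructed sample data (hypothetical users, groups and pages).
FRG_SITE = Resource("FRG site", allowed_groups=frozenset({"frg-members"}))
UNIT_ROSTER = Resource("unit roster", allowed_groups=frozenset({"unit-staff"}),
                       cac_only=True)
spouse = Session("family.member", frozenset({"frg-members"}), AuthMethod.PASSWORD)
staff_pw = Session("staff.user", frozenset({"unit-staff"}), AuthMethod.PASSWORD)
staff_cac = Session("staff.user", frozenset({"unit-staff"}), AuthMethod.CAC)
```

The same account gets different answers for the same page depending on how it logged in, which is why a content owner who leaves "CAC Only" unset is relying on the password alone.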
How to Register Your CAC with AKO
If you have a CAC (that is - if you are Active Army, National Guard, Army Reserve, DA Civilian, most Army contractors, or a member of another service), you should register your CAC on AKO and start using it to log in immediately. To learn how, see the CAC Registration and Troubleshooting Guide for Internet Explorer document (also available from the AKO CAC Resource Center), or review the instructions below for a quick summary of what you will need to do.
CAC Registration Summary. The CAC registration process has two parts. You need to register your CAC with your computer's Web browser (Part 1) and with AKO (Part 2).
Part 1. First, make certain that your PC has a card reader. You must then have special software installed on your PC which allows it to work with the card reader. For information on the software, see your DOIM (Director of Information Management) or IMO (Information Management Officer). If you're uncertain about this, contact your local system administrator.
Part 2. To register with AKO, log in to AKO and click on the "CAC Registration" link in the left navigation bar (under the search area). If your CAC is already registered or if you are not required to possess a CAC, you will not see this link in the left navigation bar. Refer to the troubleshooting guide for the detailed steps of the process. It's fairly easy and quick to register your CAC.
How to Log in to AKO with your CAC
On the AKO Login Welcome page (https://www.us.army.mil), click on Log in using my CAC. You will be presented with a "Choose a digital certificate" window. If you've registered the CAC successfully with your computer, you will see the certificate listed in the window. Click on it and click OK. You will be prompted to enter your PIN. Enter your PIN and click OK. You will be in AKO momentarily. You'll know you have successfully logged in as a CAC session because at the top right you will see "Welcome, John Smith (CAC session)."
Question: What is a CAC?
Answer: A CAC, or Common Access Card, is "the standard ID card for active duty members of the Uniformed Services, Selected Reserve, DoD civilian employees, and eligible contractor personnel. The CAC will also eventually be the principal card used to enable physical access to buildings and controlled spaces and for logical access to the Department's computer networks and systems." In short, the CAC replaced the old DD Form 2 military ID card. The full description statement and additional general information about the CAC may be seen on the DoD CAC Web site.
Question: Why is AKO focusing so much attention on CAC authentication?
Answer: Through Homeland Security Presidential Directive #12, President Bush mandated the creation of a "Federal standard for secure and reliable forms of identification," and the CAC became this standard. The resulting DoD and Army directives mandated CAC authentication for all DoD network domains and systems.
As one of the Army's largest systems, AKO must be compliant with these directives. Due to the size and the unique nature of AKO (government and civilian users), compliance must be accomplished in phases. The first phases focus on password changes and sponsorship, and additional phases focus on content restrictions.
Question: What is a CAC or AKO session?
Answer: A session is simply an instance of a person being logged in to AKO whether it is a CAC session or a normal User ID/password session.
Question: What does CCL mean?
Answer: CCL stands for CAC Cryptographic Logon. This is the term used to describe the process of logging in to an Army system utilizing the CAC.
Question (for techies): Does CAC authentication work with AKO Single Sign-on (SSO)?
Answer: Yes! Systems using AKO SSO will be able to leverage AKO's CAC authentication. Why is this useful? In the Army, users often have to remember multiple User IDs and passwords for various systems. Choosing to use AKO authentication means users only need to remember the one AKO username and password.
Taking this one step further and using AKO CAC authentication results in a win for both the users and the system administrators. First, the users only need to remember their CAC PIN to access additional systems. Second, by switching to AKO SSO (as opposed to LDAP Authentication or their own additional authentication scheme), administrators of outside systems are meeting the CAC authentication mandate.
The SSO topic itself is beyond the scope of this article, but to read more about SSO, go to the Inside AKO page and click on the Single Sign-on (SSO) link in the top navigation bar.
Training and Wizards
To help administrators leverage the new CAC groups and restrict their content to users logged in with a CAC, the wizards used to create AKO content have been updated. Furthermore, the following training presentation has been created to walk users through restricting content to users logged in with a CAC: Restricting AKO Content to CAC-Only Users (https://www.us.army.mil/suite/doc/5770413).
While logging in to AKO (or your network) with a CAC and all of the associated preparation may be confusing, we can't lose sight of the advantage that CAC authentication provides the Army. CAC login ensures that you will soon log in to multiple systems/applications with just one method (you will only need to remember a PIN - not multiple passwords). CAC login also makes the systems and information that we all work with much more secure.
These changes are being incorporated into AKO in response to DoD security mandates - they are not designed to cause AKO users inconvenience. AKO will continue to provide you with advance notice and excellent support as it endeavors to become compliant with new and improved security standards. We encourage you to post your comments and concerns to the CAC Discussion Forums. Don't let the CAC implementation make you nervous.
Col. Brian P. Foley
Public Affairs Officer