Challenges Confront Federal Smart Card

Michael Gips

3/1/2006 March 2006

FEDERAL AGENCIES are gearing up to roll out new ID cards for employees and contractors as required by President Bush in 2004 under Homeland Security Presidential Directive 12 (HSPD-12). Designed to create a common identification standard for all federal employees and contractors, the new smart cards are expected to be more secure and efficient than the current versions and to be less susceptible to fraud.

Agencies must begin to issue these credentials—called personal identity verification cards, or PIV cards—by October 27, 2006. Though government officials say they are on schedule to meet this deadline, industry experts point out that various challenges threaten timely issuance.

Technical requirements for the smart cards, which will be used for accessing buildings and computers, are laid out in Federal Information Processing Standard Publication (FIPS) 201, drafted by the National Institute of Standards and Technology (NIST). The cards must be cryptographically enabled and use a biometric identifier. But NIST did not settle on a biometric technology until last December, when it announced that PIV cards must use fingerprint minutiae as the biometric standard. Thus, card manufacturers were held in abeyance and may have difficulty now getting ready for this year’s October deadline.

The FIPS 201 standard also calls for smart cards to have both a contact-based and contactless functionality (generally, contactless for physical access control, contact for computer applications), and agencies have been asking for a card with a single chip that performs both functions.

“That’s quite a challenge,” notes Neville Pattinson, director of government affairs for Axalto, formerly known as SchlumbergerSema, a major supplier of smart cards. Cards typically have separate chips for these two features, he says.

Government agencies will also need the infrastructure to accommodate these cards. “They need to accept both physical and logical access and be interoperable among agencies,” says Pattinson.

That’s a tall order not just for agencies but also for card suppliers, system installers, and integrators.

Still, Pattinson and other experts are confident that vendors will be prepared in time to provide cards. “I believe that the industry is going to respond with solutions in that time frame,” says Randy Vanderhoof, executive director of the Smart Card Alliance.

He foresees a different problem: Vendors cards must all be certified and approved. “There’s still work to be done in getting certification labs set up,” points out Vanderhoof.

Another concern is that the whole PIV program is on the radar screen of high-level government officials, but known to few lower-level IT managers and others who will have to implement it. A recent survey by Hewlett-Packard showed that half of federal IT professionals hadn’t even heard of HSPD-12, and of those who had, more than half couldn’t state what their agencies were required to do by the deadline to begin implementing PIV cards.

Agencies “may have put out a FIPS policy at a high level, and someone lower down is not aware,” says Rob Zivney of Hirsch Electronics, who chairs the PIV working group formed by the Security Industry Association.

Meanwhile, the Office of Management and Budget’s Alex Conant says that the PIV program “is on course for a successful implementation.” Even so, the course is far from clear. “No one has a Rosetta stone,” says Zivney.