U.S. Agencies Face Smart-Card Deadlines

As the business world struggles with data-security lapses and intrusions, federal agencies are preparing for strict new standards to protect their facilities and information systems.

This week marks the deadline for every agency to submit to the White House Office of Management and Budget plans for making electronic identity cards available to all employees and contractors, under the Homeland Security Presidential Directive 12 signed in August. The federal government's push for extensive implementation of smart cards containing cryptographic keys and biometric data will help bring such technologies closer to the mainstream.

The level of implementation differs widely among federal agencies. Some already use smart cards for building access, but many haven't yet extended that capability to computer-network access. To help agencies comply, OMB recommended that the CIO and heads of physical security and human resources at each agency develop a plan. All federal employees are expected to have electronic identity cards for facilities and network access by Oct. 27, 2006.

Smart cards are required to be machine readable and hard to duplicate, and must have a photo and biometric data.

Consistency is key. The White House wants a common definition of how the cards will work and has tapped the secretary of commerce to work with the State, Defense, and Homeland Security departments and the National Institute of Standards and Technology to meet that challenge. A standard delivered in February, called the Federal Information Processing Standard 201, stipulates that the electronic IDs must be designed to verify a person's identity while being difficult to illegally duplicate; they also have to be machine-readable and issued only through an official accreditation process. The standard also specifies that smart cards contain a photograph, cryptographic keys, and biometric data so that a cardholder's identity can be verified either by security personnel or an automated card reader.

Compliance with the directive will be a significant test as to how well smart-card systems scale, and the measure of its success will be important to both the public sector and the business world, says Bob Wilberger, senior executive for Northrop Grumman Corp.'s identity-management solutions business and a board member of the Smart Card Alliance, a not-for-profit group of tech vendors that promotes smart-card technology.

While smart cards aren't new to the federal government, this is the first time all agencies have been told to develop consistent technologies and processes. Since 2001 the Defense Department has issued more than 6 million smart cards as part of its Common Access Card program for facilities and computers, says Neville Pattinson, director of technology and government affairs for Axalto Inc., a maker of microprocessor-embedded smart cards that has helped with the implementation.

But smart cards won't eliminate security challenges. The weakest link in the smart-card security chain may very well be in issuing them. Birth certificates, driver's licenses, and other key documents used to verify a person's identity differ from state to state, and that lack of consistency creates opportunities for tampering.

The infrastructure needed to support issuing and reading smart cards also must be put in place, Wilberger adds. This includes systems that validate identifying documents, scan fingerprints, perform criminal background checks, take digital photos, manage card distribution, and read the cards.