This week marks the deadline for every agency to submit to the White House Office of Management and Budget plans for making electronic identity cards available to all employees and contractors, under the Homeland Security Presidential Directive 12 signed in August. The federal government's push for extensive implementation of smart cards containing cryptographic keys and biometric data will help bring such technologies closer to the mainstream.
The level of implementation differs widely among federal agencies. Some already use smart cards for building access, but many haven't yet extended that capability to computer-network access. To help agencies comply, OMB recommended that the CIO and heads of physical security and human resources at each agency develop a plan. All federal employees are expected to have electronic identity cards for facilities and network access by Oct. 27, 2006.
Smart cards are required to be machine readable and hard to duplicate, and must have a photo and biometric data.
Compliance with the directive will be a significant test as to how well smart-card systems scale, and the measure of its success will be important to both the public sector and the business world, says Bob Wilberger, senior executive for Northrop Grumman Corp.'s identity-management solutions business and a board member of the Smart Card Alliance, a not-for-profit group of tech vendors that promotes smart-card technology.
While smart cards aren't new to the federal government, this is the first time all agencies have been told to develop consistent technologies and processes. Since 2001 the Defense Department has issued more than 6 million smart cards as part of its Common Access Card program for facilities and computers, says Neville Pattinson, director of technology and government affairs for Axalto Inc., a maker of microprocessor-embedded smart cards that has helped with the implementation.
But smart cards won't eliminate security challenges. The weakest link in the smart-card security chain may very well be in issuing them. Birth certificates, driver's licenses, and other key documents used to verify a person's identity differ from state to state, and that lack of consistency creates opportunities for tampering.
The infrastructure needed to support issuing and reading smart cards also must be put in place, Wilberger adds. This includes systems that validate identifying documents, scan fingerprints, perform criminal background checks, take digital photos, manage card distribution, and read the cards.