BIG DEAL: DOD puts millions of smart cards in play
Common Access Card leads the way toward a new deal for smart-card use
Mary Dixon, director of the Access Card Office, says DOD will have 4 million cards issued by the end of the year'but the department won't stop there
The Defense Department has about 2.4 million Common Access Cards in use and is issuing about 10,000 more daily.
'DOD is leading in identity management,' said Brett Michaels, head of government sales for RSA Security Inc. of Bedford, Mass., speaking at a recent conference in San Francisco. 'Their effort, funding and conviction have blazed a trail for the rest of the public sector.'
The CAC program is 'far and away the largest U.S. government application of smart-card technology,' said Dave Ludin, North American vice president of sales and solutions at Gemplus Corp. of Redwood City, Calif. 'It has spurred interest throughout the government. You can see it in the Transportation Security Administration,' which is testing a Transportation Worker ID Credential, or TWIC.
Ludin said smart cards would be among the technologies tested this year for the Transportation Workers ID Credentials at the Philadelphia-Wilmington port on the East Coast and the Los Angeles'Long Beach port on the West Coast. Gemplus will be supplying cards for the pilot program. He said the cards probably would be used in contact mode, in which they are inserted in a reader, for access to networks and databases; and in contactless mode, using radio frequencies, for physical access to buildings and sites.
In addition to TWIC, the Treasury and State departments also are rolling out smart-card programs using the same card stock as the Common Access Card, said Neville Pattinson, director of business development and technology for Schlumberger Ltd. of New York.
'Many other government agencies are using the experience of the DOD and the Common Access Card Office,' Pattinson said.Watershed event
Smart cards for years have been on the brink of acceptance in the United States, but have been slow to catch on. DOD's decision to forge ahead with the cards, with plans to integrate multiple applications on IDs held by about 4 million service members, contractors and civilian employees, was a watershed for the industry.
Rolling out the Common Access Card required innovations in both the physical card and in the technology inside it. The card uses the Java Card run-time environment on a 32K chip. Before DOD could put it into use it had to be certified as meeting FIPS 140-1 Level 2 cryptographic requirements. The certification process took seven months, Pattinson said.
Creating the card that holds the chip also was a challenge. There has traditionally been little personalization beyond an embossed name and account number when commercial smart cards are issued. But almost all of the information on the Common Access Card'photo, personal information and bar codes'has to be printed on the card when it is issued.
The blank cards contain a liquid crystal variable image of the DOD seal and are laminated on only the front because there is a magnetic strip on the back. That created a another minor challenge. Cards laminated on one side 'tend to bend like a banana,' Pattinson said; Schlumberger had to develop a card that would stay flat.
Eight months after receiving a CAC contract in December 2000, cards were ready for issuing.
Military personnel enroll and are issued cards at 900 sites around the world. The number of sites speeds up the issuing process, but creates major management challenges. TSA is looking at a more centralized system to save money, Pattinson said.
Transportation workers, including truck drivers and port and airport employees, would be able to enroll for TWIC locally, although the cards probably would be issued from a central location.
Even before the TWIC pilot is complete, DOD will begin issuing its first round of replacement Common Access Cards late this year. Options for the next-generation cards could include contactless chips to replace magnetic stripes on current cards and biometrics, Pattinson said.
One lesson learned from the Common Access Card is that 'there still are opportunities to do it better,' Ludin said.
One of the most obvious improvements would be to tie together back-end systems for physical and logical access, he said.
If the same card is used to enter a base or a building and to log onto a network, integrating the systems that control access to both would allow more complete tracking and improved security, he said.
Industry and government representatives are in the process of writing standards that would allow integration of the two kinds of systems.