Self-funded PKI

'I'm shutting down a forms warehouse and getting rid of the expense and headache.'

' BLM's Bob Donelson

Susan Whitney-Wilkerson

Land Management makes the business case for smart cards

The government is a slowpoke at building public-key infrastructures.

The General Accounting Office recently found that agencies have undertaken 89 PKI projects at a cost of about $1 billion, but only 35 are operational. Six projects have been terminated, mostly because of funding problems.

But the Interior Department's Bureau of Land Management is incorporating digital certificates for PKI in an agency-wide smart-card program, and doing it without a budget.

'We didn't get any extra money for this. We're taking it out of our hide,' said Bob Donelson, BLM's senior property manager. 'We're readdressing internal resources, and the program pays for itself.'

The difference between the BLM program and many others is that the business side of the agency initiated it, rather than the IT side. IT shops often run into roadblocks when they seek funding for new programs, Donelson said. He undertook his program because he wanted to save, not spend.

'It's amazing how easily they say yes when you approach them without asking for money,' he said.

A property manager might seem like an unlikely candidate to undertake a smart-card and PKI program. But it turned out to be a good match.

'I'm responsible for all the assets, including things like buildings and forms,' Donelson said.
Buildings and forms both require access controls and identity authentication'jobs that can be done by smart cards and digital certificates.

The program began with building access. 'We did some early work in 2000' at a BLM office in Reno, Nev., and a training center in Phoenix, he said.

The training center had been bombed in 1993, and its physical access systems needed replacement. Thousands of visitors were coming and going each year, many needing keys of some kind.

'The administration of keys is a nightmare and a big cost,' Donelson said.

Smart cards were an attractive alternative because credentials issued at one location would work at others, easing the management burden.

The next logical step was to add digital certificates to the cards so users could access and digitally sign business forms.

'I own forms,' Donelson said. 'I have 600 forms' to cover everything from cutting Christmas trees to leasing oil and gas on federal lands.

Most forms, however, are for internal use. 'We have a tremendous amount of paperwork inside the organization,' he said.

With their digital certificates, BLM employees can access and sign the forms online.
'I'm shutting down a forms warehouse and getting rid of the expense and headache,' Donelson said.

Make the case

BLM's program started with a business case that would pay for the technology, said Greg Dicks, government business director for ActivCard Corp. of Fremont, Calif.

ActivCard is involved in several smart-card pilots in addition to BLM's. 'I believe this is the front end of what is going to be a wave of activity,' Dicks said.

BLM did need some help in making the move from physical to logical access control. 'We couldn't have done it without DOD,' Donelson said.

The Defense Department's Common Access Card dominates federal PKI activity, accounting for $823 million of the total estimated $1 billion cost of existing programs.

More than nine out of every 10 digital certificates are planned for government issuance via the CAC program.

The military had expertise in using smart cards for logical access, 'and they needed someone with experience on the physical side,' which BLM had, Donelson said. The partnership was the root of the Government Smart Card Interagency Advisory Board.

The biggest difference between the BLM and CAC programs is that DOD has separate organizations responsible for physical and logical security, said Dicks, whose ActivCard is involved in both programs.

'CAC is also much larger,' Dicks said. DOD eventually will issue 4.3 million certificates, compared with about 13,000 for BLM, 'so how it is architected is a little different, although the technology is not too different.'

One element BLM adopted from DOD is rigorous identification verification at the time the smart card and digital certificate are issued.

BLM uses the enterprise-level ActivCard ID Management System to issue and manage cards, install applets and bind cards to PKI certificates. Its digital certificates come from VeriSign Inc. of Mountain View, Calif. ActivCard Gold desktop middleware interfaces between the smart-card readers and applications.

ActivCard built a VeriSign connector into its AIMS software to download the digital certificates to the cards. 'It wasn't a big challenge, but it did require that we cooperate at a pretty deep technical level,' Dicks said.

Donelson said he expects to issue the card and credential to all BLM employees in a matter of months. 'We've been asked to carry it across Interior,' he said, as well as to Forest Service employees who share some office space with BLM.

Internal use of digitally signed forms started in December.

'We're getting ready to turn on the external program,' Donelson said. 'We've finished the accreditation.'

Once the program is turned on, outside users can digitally sign and submit documents with any certificate that has Level 3 security compatible with the Federal Bridge Certification Authority.

The biggest challenge was getting agreement on the business architecture. 'Technologically, it was almost simple,' Donelson said. The electronic forms reside on an agency Web site in a so-called demilitarized zone outside the firewall.

The savings from doing away with password resets alone paid for the implementation, he said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above