GSA readies the gauntlet for agencies' smart cards

'We want to apply rigor to the testing program, but we want to move quickly through it.'

'GSA's David Temoshok

Laurie DeWitt

Will extensive plans for FIPS-201 testing delay compliance?

With a deadline for having interoperable smart cards a year away, most agency officials expected the General Services Administration to set up a lab to test cards and card readers. But the breadth of GSA's initial plan'51 separate products and services'surprised even the most ardent sup- porters of Homeland Security Presidential Directive-12.

In addition to this wide-ranging list, GSA has developed a 41-page draft requirements traceability matrix that defines all the potential functionalities that could be tested.

The extent of GSA's lab and matrix has caused some industry and agency officials to worry that meeting the requirements under HSPD-12 to have interoperable smart identification cards by Oct. 27 next year will be impossible.

'I have 353 days until Oct. 27 and I am reminded of that daily,' said a Commerce Department employee at a recent Interagency Government Smart Card Advisory Board meeting in Washington. 'We've got to put this stuff together.'

Without the approval of the interoperability labs, agencies will not have any products or services to choose from to build their systems to meet Federal Information Processing Standards-201, Personal Identity Verification II by next fall.

The deadline calls for agencies to begin to implement interoperable systems by Oct. 27, but experts said that means departments must have the infrastructure in place to issue new cards or renew existing cards that are PIV II compliant.

'A lot of things have to happen in a very short amount of time,' said Jeremy Grant, an enterprise solutions vice president at Maximus Inc., a systems integrator in Reston, Va. 'We have customers who have put all their smart-card implementation work on hold until there are approved products.'

GSA is aware of the short time frame and hopes to have the labs in place by spring, said David Tem- oshok, GSA's director of identity policy and management.

The agency will contract with third-party laboratories to set up facilities to test products and services, similar to the way the Na- tional Institute of Standards and Technology tests for FIPS-201 conformance.

And over the next three months, GSA hopes to work with private-sector companies to determine which parts of the requirements traceability matrix haven't already been tested by industry and what functions just need to be confirmed, Temoshok said.

'There is no testing program like this,' Temoshok said. 'We laid out a straw man and we want the working group to take the straw man and figure out what should be done by the testing facility.'

Dallas Bishoff, a senior vice president for Authsec Inc. of Co- lumbia, Md., said GSA also must define what interoperability testing means.

'When you are dealing with components that have to be integrated, you have a lot of pieces that have to fit together,' Bishoff said. 'You have to have the right card with the right card profile, and with that there are versioning issues and configuration aspects. Just because all the products meet FIPS-201, it doesn't mean they will work together.'

Temoshok said GSA's interoperability testing is one piece of the larger PIV II-compliant system, and that other products and services will be available via a blanket purchase agreement in early 2006. GSA will add products and services to the BPA as they are approved, he added.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above