NIST draft specs spark do-over

NIST's Curt Barker says the FIPS 201 revision will minimize the changes agencies and vendors will have to make to cards to assure compliance.

Rick Steele

The verdict is in on the National Institute of Standards and Technology's month-old draft specifications for a governmentwide smart card. No thanks, agencies and industry have said overwhelmingly.

As a result, the government will revise the Federal Information Processing Standard 201 and Special Publication 800-73 detailing the specs for the personal identity verification (PIV) cards. The government issued drafts last month.

'When 800-73 and FIPS 201 came out, a lot of people felt pretty prickly' about significant differences between the new draft standards and the 2003 Government Smart Card Interoperability Specification 2.1, said Jeremy Grant, enterprise solutions vice president at Maximus Inc. of Reston, Va.

That specification represented 'a good five years of work invested by government and industry,' Grant said. Maximus is one of four contractors on the General Services Administration's Smart Access Common ID vehicle, awarded in 2000.

'Agencies looked at the new draft specs and said they would have to throw their work out the window,' Grant said. 'NIST heard a unanimous message: These were interesting ideas, but not realistically supported' by current products.

NASA computer scientist Tim Baldridge, chairman of the Government Smart Card Interagency Advisory Board's architecture working group, said products fitting FIPS 201 would be impossible to build in the time frame set by last August's Homeland Security Presidential Directive 12.

'Such an extensive change in direction would render current technology irrelevant' for new deployments and hurt vendors that have invested heavily to meet the GSC-IS 2.1 standard, Baldridge said. NASA itself would have to phase in necessary interoperability features for its Common Badging and Access Control Systems project, of which Baldridge is chief engineer.

NIST drafted FIPS 201 in response to the presidential directive, which mandated a secure, common credential. The first draft identified several minimum characteristics for PIV cards, including embedded contact and contactless chips, digital left and right index fingerprints, public-key infrastructure certificates and a cryptographic algorithm.

The Commerce Department, NIST's parent agency, still intends to issue the final versions of the special publication and standard by the Feb. 25 deadline mandated by the president's directive, said NIST's Curt Barker, co-chairman of the PIV project at NIST.

The Government Smart Card Interagency Advisory Board will help revise SP 800-73 by Jan. 20, and NIST will rework FIPS 201, Barker said.

The interagency board is 'working to come up with something more recognizable to vendors with large programs,' he said, to minimize changes required for compliance.

'Any software changes mean considerable expense,' Barker said. For example, vendors might have to rewrite their client and card management software or middleware.

The draft SP 800-73 described two models for the PIV card'file system-oriented and Java object-oriented'but it emphasized the first model, Barker said.

In contrast, many existing smart-card programs are Java-based, including those at the Defense, State and Treasury departments, as well as at GSA, NASA and the Transportation Security Administration, which recently began testing its biometric Transportation Worker Identification Credential.

The file system and object-oriented models in the draft SP 800-73 'use slightly different command terms, and ideally the FIPS should accommodate both,' Barker said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above