OMB stands tough on deadline for federal smart cards
- By Jason Miller
- Dec 09, 2004
With final specifications not due until late February, agencies will have to make a mad scramble to meet the White House mandate to use standard identification cards for building and network access by Oct. 25.
'Agencies are under pressure,' said Mary Mitchell, the General Services Administration's deputy associate administrator for e-government and technology. 'There are a lot of policies and processes that need to be taken care of, and only a few agencies, such as the Defense Department, have them in place.'
President Bush included the smart-card OMB stands tough on deadline for federal smart cards mandate in his Homeland Security Presidential Directive 12, issued in August. The National Institute of Standards and Technology is spearheading the effort to complete federal standards for smart cards and how agencies use them by Feb. 25.
Even though NIST standards and guidance aren't available yet'the drafts came out last month'the administration argues that agencies should have been preparing for the creation of common IDs for more than a year, based on memos the Office of Management and Budget first issued in 2003.
'If agencies have been doing everything based on the OMB guidance, they should be well-positioned for the upcoming year,' said Karen Evans, OMB's administrator for IT and e-government.
But agency managers counter that without the specifications from NIST, they have had little hard information to use to define necessary resources and develop policies.
'Right now we have a lot of questions, and nowhere to go for answers,' said a government procurement official who requested anonymity. 'The Interagency Smart Card Board is working on these answers, but how long will it take to move down to the agencies? We are working on something that is not built into our budgets.'
By June 25, agencies must draft implementation plans that spell out:
- How they will pay for the new programs
- How they will issue cards to employees and contractors
- How will they issue cards to part-time or seasonal employees
- How many cards they need for federal and vendor work forces
- How they will track the cards.
Federal procurement and policy officials agree with industry ex- perts that the timeline for planning, procurement, distribution and use of the cards will require a degree of coordination and rapid implementation rarely seen in government.
'If agencies haven't started a program yet, it will be a challenge to meet the deadlines,' said Randy Vanderoof, executive director of the Smart Card Alliance, a Princeton Junction, N.J., industry association of card makers and integrators. 'Typically, it takes a year or more of planning before agencies can even start issuing cards. It will be tough for many agencies.'Card trick
Seven agencies'the departments of Defense, Homeland Security, Interior, State and Veterans Affairs, and General Services Administration and NASA'either have smart-card programs in place or are in the advanced planning stages.
To help agencies just beginning their efforts, GSA has extended its smart-card governmentwide acquisition contract.
GSA had planned to let the GWAC expire in 2008. The contract has been extended until 2010, Mitchell said. The four contractors'BearingPoint Inc. of McLean, Va., EDS Corp., Maximus Inc.
of Reston, Va., and Northrop Grumman Corp.'will modify their contracts to reflect the coming standards.
'We need an acquisition vehicle that everyone can buy the right stuff off of,' Mitchell said. 'The goal is to be able to have this vehicle in place when the final guidance comes out.'
GSA also will update its smart-card implementation guidance to include the new standards and policies, she said.
Even with help from GSA, many agencies will face steep challenges to complete their smart-card programs by the deadline, Mitchell said.
But OMB's Evans cited two Bush administration memos to help agencies prepare for the change. A July 2003 memo warned that agencies planned to spend $160 million in 2003 and 2004 'on inconsistent or agency-unique authentication and identity management infrastructure.' Evans said that money should be redirected toward standardization efforts. The second memo, in December 2003, gave agencies a Dec. 15, 2004, deadline to assign an assurance level to all major transaction systems.