Commerce set to give nod to smart-card specs this week
- By William Jackson
- Feb 18, 2005
As NIST readies ID standard, agencies face tight timetable for compliance
'It's a daunting task,' so GSA is creating a guidebook to help agencies comply with the smart-card standard by the October deadline, the agency's Judith Spencer says.
SAN FRANCISCO - If everything goes well, the Federal Information Processing Standard for personal identity verification will be signed this week. The new FIPS represents two years of work crammed into six months.
The truly hard part for government will begin after the Commerce Department ratifies FIPS-201, said Jim Dray, leader of NIST's Government Smart Card Program. Agencies must be in initial compliance with the standard by Oct. 25, which won't be easy, he said.
'I don't think it's going to be possible for most agencies to continue doing business as usual and comply,' Dray said.
A panel of NIST officials gave a briefing on the new standard before a packed house last week at the annual security conference hosted by RSA Security Inc. of Bedford, Mass. They outlined the work done in developing the standard and what remains to be done in implementing it.
'There is nothing like a presidential directive to pack a room,' Dray joked, referring to the fact that FIPS-201 is the product of Homeland Security Presidential Directive 12. The directive, which President Bush signed in August, mandates that a common, interoperable, electronically verifiable identification card be developed for all federal employees and contractors.
The new card will be used for both physical and systems access, and the standard specifies a handful of technologies. The ID will be a smart card carrying a programmable chip and supporting both contact and contactless, or wireless, interfaces. It will use cryptographic tools for higher levels of security and will contain biometric data to verify identity.
Because biometric standards now exist only for fingerprints, FIPS-201 will call for fingerprints, although additional forms of biometrics could be added later.
The card also will contain a digital photo of its holder as well as a printed photo. Each card can also include a magnetic stripe or a bar code.
The physical specifications for the standard are outlined in NIST Special Publication 800-73, which closed its public comment period last week. Dray said the final version of the publication is set for release by March 1.
The presidential directive set out an ambitious timetable for adoption of the new standard. Agencies will have four months from issuance to submit a program to the Office of Management and Budget for compliance with the standard. Within another four months, agencies must be in initial compliance.
'It's a daunting task,' said Judith Spencer, chairwoman of the Federal ID Credentialing Committee at the General Services Administration.
The first phase of compliance tied to the October deadline calls for development of common ID and security requirements for applications that will use the new cards.
Within another year, the second phase of compliance will require agencies to begin issuing interoperable cards to employees and contractors. No deadline has been set for completing the issuing process.
To ease the transition, Spencer's credentialing committee is preparing a handbook for agencies that it will release once FIPS 201 is final.
William Jackson is a freelance writer and the author of the CyberEye blog.