New standard could reshuffle smart cards
- By Susan M. Menke
- Nov 19, 2004
Agencies might have to upgrade millions of cards to meet FIPS 201's proposed specs
FIPS 201 is a work in progress. We are working with NIST to make it the best implementation possible.'
' DOD's Mary Dixon
Nearly 4 million smart cards in use by government do not match the specifications set out this month in a proposed standard for a governmentwide identification card.
That means agencies potentially will have to upgrade millions of cards to comply with the Federal Information Processing Standard 201 when it becomes final in February.
The draft FIPS 201 from the National Institute of Standards and Technology describes requirements for a governmentwide personal identity verification (PIV) card for federal employees and contractors.
Agencies must have programs in place to bring their IDs into conformance with the standard within four months of its approval.
The impact is potentially significant:
- The Defense Department has distributed its Common Access Card to 3.5 million personnel.
- The Homeland Security Department is well into issuing the first 200 of its DHS access cards (DACs), with dual embedded chips and multiple digital certificates.
- NASA is modifying in midstream its plans for credentialing 20,000 federal employees and 70,000 contractors with a Java card.
None of these smart card programs mesh perfectly with the proposed FIPS 201 regulations.
'We didn't anticipate having to capture fingerprints and pictures at registration,' Tim Baldridge, a computer scientist at NASA's Marshall Space Flight Center, said at last week's Inside ID Conference and Expo in Washington. 'We're modifying the enrollment procedures to recredential everybody without having to send the entire workforce to the security office twice.'
NIST drafted FIPS 201 in response to August's Homeland Security Presidential Directive 12 mandating a secure, common credential. The draft identifies several minimum characteristics for PIV cards, including embedded contact and contactless chips, digital left and right index fingerprints (10 prints for contractors), public-key infrastructure certificates and a cryptographic algorithm.
NIST will accept comments on the proposed specs until Dec. 23. The plan is to push through final approval by late February.
DOD's existing CAC has only one chip and uses contact transmission. But the program incorporates elements currently optional under FIPS 201 guidance, such as a personal ID number, magnetic stripe and bar code.
DOD is supportive of the presidential directive's mandate, said Mary Dixon, director of the CAC Program Office in the Defense Manpower Data Center. 'We think it's a good thing for the federal government. FIPS 201 is a work in progress. We are working with NIST to make it the best implementation possible.'
Likewise, NASA's employee access card is 'a little different from FIPS 201,' said Baldridge.
NASA undertook credentialing its workers several years ago, after a survey of its 15 sites found each was issuing 15 to 30 different badge types to federal employees, contractors, support staff, foreign visitors and remote users.
'There were more than 300 templates,' Baldridge said. 'We decided we had to knock off about 150 of the types' and make a common one that would work across all NASA locations.
Plans were already under way for the Java card's registration, verification, validation and issuance before the presidential directive came out.
DHS, on the other hand, feels it is in good shape when it comes to complying with the forthcoming FIP 201 requirements.
Joe Broghamer, director of authentication technologies and senior security architect in the CIO's office, said the DHS card builds in single sign-on, physical identification, e-mail encryption, digital signatures and virtual private network access.
'We want the token to work for both classified and unclassified information,' Broghamer said. 'We think it's doable. And we're looking at high-resolution digital cameras' for possible addition of facial-recognition biometrics.
The DAC, which incorporates separate digital certificates for user ID, document signing and encryption, 'takes only five minutes to issue,' Broghamer said. 'All our employees have a keyboard with an integrated fingerprint reader. If the card is removed, the system locks up.'
Asked the cost of a DAC, Broghamer estimated $8.50 each. 'The most expensive part is proprietary biometric software,' he said. Middleware costs about $2, and the built-in Certificate Authority software in Microsoft Windows 2000 Server and XP is free.
'We store the print template on the card. If the biometric fails, we allow PIN use,' Broghamer said.