Ready or not, DOD rolls out smartcards



The Defense Department next month will begin a 13-month rollout of Common Access smart cards to 4 million active military, reserve and civilian personnel.

'This is not going to be seamless and perfect,' said Mary Dixon, director of DOD's Access Card Office.

For one thing, interoperability specifications for cards and readers from different vendors are not final. Nor has the National Institute of Standards and Technology certified cards under a Federal Information Processing Standard. And the National Security Agency is still checking the quality of encryption keys generated by the cards.

But 'a mandate says we are going to roll them out,' Dixon said early this month at the RSA Conference 2001 in San Francisco, sponsored by RSA Security Inc. of Bedford, Mass.

It will be the government's first large-scale implementation of smart-card technology. Each card will carry a photo identification, as well as digital certificates and encryption keys for a public-key infrastructure. The cards will provide both physical and digital access to DOD systems.

'It has been extremely difficult for the government to get large-scale, smart-card programs going,' said Jim Dray, a technical adviser at NIST. 'There have been many pilots, but they have met with mixed success.'

Many hurdles

Developing an infrastructure to issue and manage the certificates is a challenge, as is ensuring that cards from different companies work with a variety of readers for multiple applications.
'This is what has plagued the smart-card industry for many years,' Dray said.

NIST is specifying a reader interface to eliminate the need for multiple card-specific software drivers. Meanwhile, the General Services Administration is developing interoperability standards as part of its Access Certificates for Electronic Services program.

Five prime vendors in the Common Access program will use the standards to create an interoperable model, but Dray called it a work in progress.

'We wish GSA had started that effort three years ago,' Dixon said.

Although smart cards promise economy and efficiency, the money savings have failed to materialize, she said. The cards also have fallen short as a medium for carrying all of an individual's data because of problems synchronizing with central databases.

'The killer app for us has become PKI,' Dixon said. Digital certificates and private keys for digital signatures can control online access, as well as transactions.

DOD lawyers, however, demanded hardware tokens for the certificates and keys to ensure nonrepudiation of digitally signed documents. That demand drove DOD's decision to roll out Common Access cards, Dixon said.

DOD personnel initially will get the Cyberflex Palmera card from Schlumberger Ltd. of New York, which uses the Java Card 2.1.1 run-time environment on a 32K chip. The card's FIPS certification should be completed by July, a company spokesman said.

DOD gets around the problem of synchronizing cards with databases by using the card for Web access to data rather than storing the data on the card itself. The approach also frees memory for multiple applications without requiring a larger chip, Dixon said.

