Ready or not, DOD rolls out smartcards

BY WILLIAM JACKSON | GCN STAFF

The Defense Department next month will begin a 13-month rollout of Common Access smart cards to 4 million active military, reserve and civilian personnel.

'This is not going to be seamless and perfect,' said Mary Dixon, director of DOD's Access Card Office.

For one thing, interoperability specifications for cards and readers from different vendors are not final. Nor has the National Institute of Standards and Technology certified cards under a Federal Information Processing Standard. And the National Security Agency is still checking the quality of encryption keys generated by the cards.

But 'a mandate says we are going to roll them out,' Dixon said early this month at the RSA Conference 2001 in San Francisco, sponsored by RSA Security Inc. of Bedford, Mass.

It will be the government's first large-scale implementation of smart-card technology. Each card will carry a photo identification, as well as digital certificates and encryption keys for a public-key infrastructure. The cards will provide both physical and digital access to DOD systems.

'It has been extremely difficult for the government to get large-scale, smart-card programs going,' said Jim Dray, a technical adviser at NIST. 'There have been many pilots, but they have met with mixed success.'

Many hurdles

Developing an infrastructure to issue and manage the certificates is a challenge, as is ensuring that cards from different companies work with a variety of readers for multiple applications.
'This is what has plagued the smart-card industry for many years,' Dray said.


NIST is specifying a reader interface to eliminate the need for multiple card-specific software drivers. Meanwhile, the General Services Administration is developing interoperability standards as part of its Access Certificates for Electronic Services program.

Five prime vendors in the Common Access program will use the standards to create an interoperable model, but Dray called it a work in progress.

'We wish GSA had started that effort three years ago,' Dixon said.

Although smart cards promise economy and efficiency, the money savings have failed to materialize, she said. The cards also have fallen short as a medium for carrying all of an individual's data because of problems synchronizing with central databases.

'The killer app for us has become PKI,' Dixon said. Digital certificates and private keys for digital signatures can control online access, as well as transactions.

DOD lawyers, however, demanded hardware tokens for the certificates and keys to ensure nonrepudiation of digitally signed documents. That demand drove DOD's decision to roll out Common Access cards, Dixon said.

DOD personnel initially will get the Cyberflex Palmera card from Schlumberger Ltd. of New York, which uses the Java Card 2.1.1 run-time environment on a 32K chip. The card's FIPS certification should be completed by July, a company spokesman said.

DOD gets around the problem of card synchronization with databases by using it for Web access to data rather than storing data on the card itself. The approach also frees memory for multiple applications without requiring a larger chip, Dixon said.
