Smarter cards control access at Treasury

• By Mary Mosquera
• Feb 03, 2004

Treasury Department employees no longer show a laminated photo identification card to Secret Service agents to enter department headquarters. Now they simply swipe a smart card through readers installed on turnstiles at the building's entrance.

The cards, which contain a digital photo, fingerprint biometrics, public-key credentials and an access code, also have replaced the passwords that got users into their Treasury networks.

The Electronic Treasury Enterprise Card project, which began Jan. 5, is the only government smart-card project intended for departmentwide physical, computer and network access, Treasury CIO Drew Ladner said. 'Our card is shooting for single sign-on,' he said.

Treasury ran its first test in early 2003, issuing 7,000 cards to users at six bureaus to evaluate a variety of technologies for physical access. The department issued 2,000 more cards at headquarters from June through September to test IT access.

The CIO Council is working with the department on phasing in the program at remote bureaus. The Bureau of Engraving and Printing and the Alcohol and Tobacco Tax and Trade Bureau, both in Washington, will next deploy E-trec. The bureaus have each completed a pilot, and Engraving and Printing already has more than 200 cards in use, said Trung Nguyen, E-trec program manager in the Office of the Treasury CIO.

E-trec has more functionality than other federal smart cards because it combines fingerprint biometrics, radio-frequency identification and public-key credentials so it can be used for both physical and electronic access, he said. It conforms to the current National Institute of Standards and Technology smart-card interoperability specification.

The card has a digitized signature, embedded proximity antenna, bar code and magnetic stripe, Nguyen said. Bureaus can pick and choose among the smart-card capabilities, although there is a baseline of requirements that everybody uses, he said.

Treasury committed to a departmentwide security governance framework and architecture after the Sept. 11, 2001, terrorist attacks, Ladner said. Treasury's physical assets are more distributed now, making physical and electronic access more of a business problem. 'It makes sense to integrate a solution that attacks both the physical and logical access. It's cheaper, and it makes for better security,' he said.

Critical to security

An integrated program that pulls together different facets of physical and electronic authentication is considered critical to securing the department. 'This card helps us leap forward in doing that,' Ladner said.

For example, when a new worker joins the department or someone leaves, Treasury's human resources office makes the necessary security modifications to personnel records, either adding or deleting the person's authentication.

Treasury does not incorporate personal information into the card, only access control information such as biometrics and digital certificates. 'Its purpose is just to make sure who is here and who is entering and exiting,' Nguyen said.

'It's about authenticating that people who get on the network should be getting on the network, and doing that in an efficient way,' Ladner said. Making the process more efficient cuts costs on password-related activities and boosts security.

Maximus Corp. of Reston, Va., manages the cards, and Trinity software from ActivCard Corp, of Fremont, Calif., manages the biometrics and single sign-on. Entrust Inc. of Dallas provides public-key credentials, digital signatures and encryption.