Smarter cards control access at Treasury

Who's in charge

Drew Ladner

CIO


Mike Parker

Deputy CIO


Tim Hurr

Chief Information Security Officer


Steve Bryant

Director of IT Governance and Budget


Gayle Bracy


Director of Policy and Planning

Top contractors

(in millions, Fiscal 2000)


Computer & Hi-Tech Management

$144.1


Northrup Grumman Corp.

$95.5


Computer Sciences Corp.

$93.0


IBM Corp.

$32.2


Booz Allen Hamilton Inc.

$30.1


Accenture LLP

$25.6


Paradigm Solutions Corp.

$18.0


Unisys Corp.

$17.5


Presidio Corp.

$15.8


ITS Services Inc.

$10.3


Total

$482.1



Sources for Inside Treasury include the Treasury Department and Input of Reston, Va.

'It's about authenticating that people who get on the network should be getting on the network, and doing that in an efficient way.'

'Treasury CIO Drew Ladner

Henrik G. de Gyor

Treasury Department employees no longer show a laminated photo identification card to Secret Service agents to enter department headquarters. Now they simply swipe a smart card through readers installed on turnstiles at the building's entrance.

The cards, which contain a digital photo, fingerprint biometrics, public-key credentials and an access code, also have replaced the passwords that got users into their Treasury networks.

The Electronic Treasury Enterprise Card project, which began Jan. 5, is the only government smart-card project intended for departmentwide physical, computer and network access, Treasury CIO Drew Ladner said. 'Our card is shooting for single sign-on,' he said.

Treasury ran its first test in early 2003, issuing 7,000 cards to users at six bureaus to evaluate a variety of technologies for physical access. The department issued 2,000 more cards at headquarters from June through September to test IT access.

The CIO Council is working with the department on phasing in the program at remote bureaus. The Bureau of Engraving and Printing and the Alcohol and Tobacco Tax and Trade Bureau, both in Washington, will next deploy E-trec. The bureaus have each completed a pilot, and Engraving and Printing already has more than 200 cards in use, said Trung Nguyen, E-trec program manager in the Office of the Treasury CIO.

E-trec has more functionality than other federal smart cards because it combines fingerprint biometrics, radio-frequency identification and public-key credentials so it can be used for both physical and electronic access, he said. It conforms to the current National Institute of Standards and Technology smart-card interoperability specification.

The card has a digitized signature, embedded proximity antenna, bar code and magnetic stripe, Nguyen said. Bureaus can pick and choose among the smart-card capabilities, although there is a baseline of requirements that everybody uses, he said.

Treasury committed to a departmentwide security governance framework and architecture after the Sept. 11, 2001, terrorist attacks, Ladner said. Treasury's physical assets are more distributed now, making physical and electronic access more of a business problem. 'It makes sense to integrate a solution that attacks both the physical and logical access. It's cheaper, and it makes for better security,' he said.

Critical to security

An integrated program that pulls together different facets of physical and electronic authentication is considered critical to securing the department. 'This card helps us leap forward in doing that,' Ladner said.

For example, when a new worker joins the department or someone leaves, Treasury's human resources office makes the necessary security modifications to personnel records, either adding or deleting the person's authentication.

Treasury does not incorporate personal information into the card, only access control information such as biometrics and digital certificates. 'Its purpose is just to make sure who is here and who is entering and exiting,' Nguyen said.

'It's about authenticating that people who get on the network should be getting on the network, and doing that in an efficient way,' Ladner said. Making the process more efficient cuts costs on password-related activities and boosts security.

Maximus Corp. of Reston, Va., manages the cards, and Trinity software from ActivCard Corp, of Fremont, Calif., manages the biometrics and single sign-on. Entrust Inc. of Dallas provides public-key credentials, digital signatures and encryption.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above