NIST: Standardize smart card policy
- By William Jackson
- Apr 23, 2004
Technical standards in the rapidly evolving smart-card industry fall short in the areas of security and interoperability. But the real barrier to widescale use is policy conflict, a government report said today.
The National Institute of Standards and Technology examined the gap between government smart-card requirements and current capabilities.
'There appears to be no consensus from the user community for additional technical standards,' the NIST report concluded. Its contributors, however, said more policy-related standards and regulations are essential to true interoperability and efficient integration.
The report grew out of a 2003 report from the General Accounting Office that called on NIST to look at smart-card standards. The agency held a workshop last July and surveyed government users about their needs. The 101-page report is online.
'Although building blocks are in place to support interoperable, secure identification systems, management and policy decisions limit the opportunities for interoperability,' NIST found.
Two major contributors to the study were the Defense Department, which has handed out millions of Common Access Cards, and the State Department, which is adopting smart chips for travel documents.
NIST pointed out these technical shortfalls:
- Existing standards do not cover multiapplication platforms with multiple security domains.
- No standards exist for placement of different technologies such as smart chips, magnetic stripes and printing on cards.
- There are no common standards for interpreting biometric data.
- There are no ways to compare effectiveness of optical features such as holograms and diffraction gratings.
But the real impediment to widescale use of the cards for logical and physical access within an agency, and across agencies, is policy.
'Policies regarding what personal information may be stored need to be coordinated among agencies, and where necessary, codified in law,' NIST said. 'Just as importantly, responsibilities and infrastructures for entering and maintaining personal data on the cards need to be established.'
DOD and State have found that the subjective nature of privacy and security makes interoperability difficult.
'When agencies accept credentials from each other, they may have to do so in an environment that requires them to avoid sharing too much privacy-sensitive cardholder data,' DOD told NIST.
Standardization can also pose security problems because 'widely available technologies are more attractive to attackers,' NIST said.
William Jackson is a Maryland-based freelance writer.