VA smart-card rollout begins with a trickle
- By Mary Mosquera
- Oct 22, 2004
Agency takes it slow, waits for standards, holds off on biometrics for now
The Fayetteville pilot will give the department 'a pretty good sampling of day-to-day activity,' VA's IT security chief Pedro Cadenas Jr. says.
The Veterans Affairs Department is pinning its plans to roll out smart cards to all users on a test it just began at a small hospital in Fayetteville, Ark.
The department last week distributed 950 OneVA identification cards to employees at the Fayetteville VA Medical Center for the first phase of its Authentication and Authorization Infrastructure Project. The plan is to give cards to all 500,000 of its employees by 2006.
'Fayetteville is important because from an enterprise approach, we'll have a better understanding and feel of what is required and what some of our challenges are to better equip our multiple teams for deployment,' said Pedro Cadenas Jr., VA's deputy associate deputy assistant secretary for cyber and information security.
The smart cards for the pilot, which runs until February, will provide building and computer access. The cards contain chips with digital certificates for use in a public-key infrastructure.
'Because all the users are going to be using it for physical access control and logical access control, we should get a pretty good sampling of day-to-day activity,' Cadenas said.
After the pilot, VA officials will huddle to assess early use lessons and make any needed adjustments in plans for deploying the cards to the next group of users, a procedure Cadenas said VA will follow after each deployment. 'There's always something unique with each site, and we're not going into this with our eyes closed,' he said.
The plan calls for VA to distribute the cards through regional networks of Veterans Health Administration facilities, because these groupings are largely self-contained.
Through the project'which relies on smart cards, an enterprise PKI application, and an identity and access management infrastructure'VA wants to be able to authenticate users and oversee access to systems departmentwide.
The OneVA ID smart cards ultimately will replace several hundred different ID cards in use throughout the department.
VA has been a lead agency in the government's smart-card working groups and has incorporated re- quirements of the National Institute of Standards and Technology as the standards-setting agency releases them.
Because of its early adoption of standards, the department is also about 12 months ahead in meeting the requirements for common federal ID cards as mandated by Homeland Security Presidential Directive 12.
The department took its time in preparing to deploy the smart cards. VA waited until federal standards were set so the department wouldn't have to reconfigure its program, Cadenas said.First in line
VA was the first agency to take advantage of PKI services offered by the Shared Service Providers qualified bidders list from the Federal Identity Credentialing Committee, which the General Services Administration sponsors.
The cards contain only information that is used for access, similar to data collected for key card access. The VA seal, the employee's picture and an imprinted name are visible on the card.
The department expects the shift to a common card will ease systems management. VA has several hundred thousand users of systems, many with their own separate accounts and passwords. 'This creates a tremendous account and password burden on VA to operate systems day-to-day,' VA CIO Robert McFarland said.
The cards will streamline password management and tighten security, he said. VA also has established criteria to implement single sign-on software.
VA bought its smart cards through GSA from Axalto Inc. of Owings Mills, Md., and Gemplus SA of Luxembourg. Each card has a chip made by SCM Microsystems of Fremont, Calif., and two antennas that will work with both legacy and new systems.
VA will add biometrics to the card when NIST and other agencies have established standards. 'But until that time, we don't want to go out on our own,' he said.
VA does not know which biometrics it will use. Whichever identifier the department adopts, the cards will have space for biometric data. 'The last thing we want to do is reissue cards,' he said.
After February, VA will deploy cards in large numbers by stages, but the department is limited in how many cards it can buy. 'Because of the other programs going on now, we have to get in line at GSA,' he said.
Mary Mosquera is a reporter for Federal Computer Week.