Standards for federal smart cards are on the way

Standards for federal smart cards are on the way

The National Institute of Standards and Technology is preparing a new Federal Information Processing Standard for an interoperable governmentwide ID.

FIPS 201 is expected to be released for public comment Nov. 8. The deadline for final approval is Feb. 28.

The Personal Identity Verification program was mandated by Homeland Security Presidential Directive 12. NIST has responsibility for developing technical standards and has given the program an 'extremely high priority.'

'The consequences of not accomplishing this task or missing the Feb. 28, 2005, deadline are continued lack of interoperability and mutual acceptance,' the agency wrote in a project briefing. 'Moreover, vulnerability of exposure to penetration of federal facilities by terrorists and other criminals will continue.'

HSPD-12 requires development of a single set of standards for a new card that will go to all federal employees and contractors. The card will be used for access to physical facilities and selected IT systems. Agencies will continue to issue their own ID cards, but interoperability would mean that one card could be accepted across multiple agencies.

Agencies must have programs in place to bring their IDs into conformance with FIPS 201 within four months of the standard's approval. Applications to be protected by the card must be identified within six months of approval, and those applications must be in compliance with the standard two months after that.

Access for each facility or application will be mapped to one of four levels of security established by NIST. Agencies will determine the appropriate levels of security for each.

National security applications will not be covered by FIPS 201.

NIST has identified a handful of essential technologies for the card, including an integrated circuit chip with contact and contactless interfaces, capable of storing and processing biometric data, probably either fingerprints or facial images. The chips also must contain digital certificates and private keys and be able to handle cryptographic processing.

The cards also may use magnetic stipes and bar codes.

'The departments and agencies should realize that there is no single mechanism adequate with respect to postulated threats,' NIST warned. 'Departments and agencies should also recognize that there is no completely foolproof solution to security challenges. However, FIPS 201 will improve the current situation.'

NIST expects to accept public comment on the draft standard through Dec. 23 and present the finished standard for approval by the secretary of Commerce by Feb. 4.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected