Standards for federal smart cards are on the way

Standards for federal smart cards are on the way

The National Institute of Standards and Technology is preparing a new Federal Information Processing Standard for an interoperable governmentwide ID.

FIPS 201 is expected to be released for public comment Nov. 8. The deadline for final approval is Feb. 28.

The Personal Identity Verification program was mandated by Homeland Security Presidential Directive 12. NIST has responsibility for developing technical standards and has given the program an 'extremely high priority.'

'The consequences of not accomplishing this task or missing the Feb. 28, 2005, deadline are continued lack of interoperability and mutual acceptance,' the agency wrote in a project briefing. 'Moreover, vulnerability of exposure to penetration of federal facilities by terrorists and other criminals will continue.'

HSPD-12 requires development of a single set of standards for a new card that will go to all federal employees and contractors. The card will be used for access to physical facilities and selected IT systems. Agencies will continue to issue their own ID cards, but interoperability would mean that one card could be accepted across multiple agencies.

Agencies must have programs in place to bring their IDs into conformance with FIPS 201 within four months of the standard's approval. Applications to be protected by the card must be identified within six months of approval, and those applications must be in compliance with the standard two months after that.

Access for each facility or application will be mapped to one of four levels of security established by NIST. Agencies will determine the appropriate levels of security for each.

National security applications will not be covered by FIPS 201.

NIST has identified a handful of essential technologies for the card, including an integrated circuit chip with contact and contactless interfaces, capable of storing and processing biometric data, probably either fingerprints or facial images. The chips also must contain digital certificates and private keys and be able to handle cryptographic processing.

The cards also may use magnetic stipes and bar codes.

'The departments and agencies should realize that there is no single mechanism adequate with respect to postulated threats,' NIST warned. 'Departments and agencies should also recognize that there is no completely foolproof solution to security challenges. However, FIPS 201 will improve the current situation.'

NIST expects to accept public comment on the draft standard through Dec. 23 and present the finished standard for approval by the secretary of Commerce by Feb. 4.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected