GSA puts non-HSPD-12 smart-card implementations on hold

Agencies that have not begun implementing smart-card ID badges should not do so until vendor products that meet the National Institute of Standards and Technology's definition for cards and card readers are available.

Barbara Shelton, acting commissioner of the Federal Acquisition Service, issued a memo to CIOs, chief acquisition officers and chief financial officers outlining the steps agencies should take or not take in meeting the requirements of Homeland Security Presidential Directive-12. Agencies have until Oct. 27 to meet the first part of HSPD-12, called Personal Identity Verification I, which calls for setting up identity-proofing, registration and issuance processes.

'Federal agencies are required to purchase only approved products and services,' Shelton wrote. 'GSA will make federally approved products and services available that are compliant with [Federal Information Processing Standard] 201 and associated specifications to agencies.'

Agencies that began large-scale implementation of smart cards before July 2005 may acquire 'transitional products and services' as defined by NIST Special Publication 800-73.

To further ensure compliance with FIPS 201, GSA's Office of Governmentwide Policy also will review and approve all new task orders under existing governmentwide acquisition contracts for smart-card products and services, the memo said. The office also will review current task orders and decide whether they need to be modified or allowed to expire.

'GSA requires that all task orders in effect beyond Dec. 31, 2005, be modified by March 2006 to include language that ensures compliance with FIPS-201 and is in accordance with Federal Acquisition Regulation,' the memo said. 'GSA will report to the Office of Management and Budget on agency acquisitions pertaining to the standard.'

GSA plans to release a set of blanket purchase agreements to buy approved products. At a recent Interagency Advisory Board meeting, officials said there will be an aggregate buy for cards, printers, printing consumables, smart-card middleware, and contact and contactless readers. Officials said the procurement vehicle for the aggregate buy is expected to be awarded by December 2005 or January 2006.

Additionally, the IAB will provide training to meet FIPS-201. The training will be online and available governmentwide, with the first module, covering PIV I roles and responsibilities, scheduled for release Oct. 3, IAB officials said.

Other modules include PIV overview, privacy awareness, administrator and appropriate uses.

Finally, NIST is working to finalize product conformance testing. NIST's Ramaswamy Chandramouli said at the IAB meeting that the conformance testing will be for middleware and PIV card application endpoint tests. For middleware, NIST's tests will include all nine functional areas outlined in Special Publication 800-73. NIST also will test for responses to all valid and error return codes, Chandramouli said.

Card application testing will focus on eight commands in the card command interface outlined in 800-73. A conformance testing toolkit is expected to be released in the next few months.
