The wait for smart-card guidance leaves some projects in limbo

At least three agencies have put identification smart-card projects on hold until the Office of Management and Budget finalizes the timeframe for agencies to migrate to the Federal Information Processing Standard 201.

Agencies now are using the Government Smart Card Interoperability Standard 2.1.

Industry and government sources said NASA is the largest agency that has delayed its implementation and some experts believe the delay is creating unnecessary risk.

'NASA is among at least three agencies that are waiting to implement smart cards because they don't want to spend money on systems that could be obsolete very quickly,' said an industry source, who requested anonymity. 'A lot of agencies would rather sit back and wait. OMB understands it has to come out with a firm date of when GSCIS cards will have to go away.'

The sources said OMB's guidance is in final clearance and could be issued by the end of the summer. Administration officials issued draft guidance in April and sent out an updated version for agency comment in June.

President Bush issued Homeland Security Presidential Directive 12 on Aug. 27 last year, ordering the National Institute of Standards and Technology to produce by February of this year a federal standard for secure and reliable IDs for federal employees and contractors. The result is FIPS-201 with Personal Identity Verification I and II, laying out how the processes and technologies will work.

NIST has since issued separate publications'some in draft form'for biometric, card encryption and card interface technical specifications.

By Oct. 27, agencies must implement the first phase of FIPS-201. Called PIV I, the first phase includes setting up identity-proofing, registration and issuance processes.

Meanwhile, agencies need to decide whether to go forward with planned large-scale purchases of cards that don't comply with FIPS-201, or wait.

'Some agencies have invested in GSCIS 2.1 cards, but not deployed them,' said a federal official, who requested anonymity. 'They have to figure out what is the most cost-effective way to deploy the cards.'

An industry source said OMB should consider what NIST did in helping agencies move to 2,048-bit encryption from 1,024-bit. NIST set a target of 2008 for agencies to start using the new encryption and a 2010 deadline for all agencies to use the higher-security technology.

'This would help the departments of Defense, Veterans Affairs and others go ahead and issue cards that would be compliant in spirit with FIPS-201,' the industry source said. 'Then agencies could replace cards, which have 3-year-to-5-year lifecycles, when needed.'

In the meantime, agencies could depend on middleware and a data interface for GSCIS 2.1 cards to be read by FIPS-201 readers.

While OMB and a team of senior agency and technology experts figure out the compliance piece, the General Services Administration is preparing three blanket purchase agreements to help agencies prepare for PIV II, which requires agencies to begin implementing interoperable systems by Oct. 27 next year.
GSA last week also released a request for information'the second one for FIPS-201 this summer'to determine the commercial status of biometric products and 128K smart cards.

The RFI asked vendors 16 specific questions about cards, readers and fingerprint biometrics. The questions range from how soon could 128K dual-interface smart cards that are FIPS-201-compliant be developed, tested and available to the government to how will the move to 128K cards impact agencies using 64K cards.

'Most companies have a 128K card in the pipeline, but it must be validated through the FIPS-140 process,' said Jeremy Grant, enterprise solutions vice president at Maximus Inc., a systems integrator in Reston, Va. 'And that process tends to take a long time, and there will be a rush by vendors to get their product validated first. NIST will have to decide how that will be handled.'

The RFI also tries to further the ongoing debate among federal and industry experts about whether image or minutiae is best for capturing fingerprints on the cards. GSA also asked about cost, performance and the ability of cards to support both. Responses to the RFI are due Aug. 9.

Minutiae mission

'Minutiae is still too new and there are no open standards that are tested and deliver to the performance we need,' said a GSA official. 'NIST is testing minutiae and plans to be done by February.'

To help agencies get moving on their smart-card implementations, GSA plans by the end of summer to issue blanket purchase agreement contracts to update and modify the current Access Certificates for Electronic Services governmentwide acquisition contract, and for shared-service public-key infrastructure providers.

'ACES will meet all PIV I and PIV II standards and require vendors to provide approved products,' the GSA official said.

Right now, one agency, the Agriculture Department's National Finance Center, and two vendors, Cybertrust Inc. of Herndon, Va., and VeriSign Inc. of Mountain View, Calif., provide PKI certificates for the government.

A third BPA still is in the works and could be out as early as December for smart cards and card readers. But NIST must finish conformance testing for the cards and readers before the BPA will be issued, officials said.