The wait for smart-card guidance leaves some projects in limbo

 

Connecting state and local government leaders

At least three agencies have put identification smart-card projects on hold until the Office of Management and Budget finalizes the timeframe for agencies to migrate to the Federal Information Processing Standard 201.

At least three agencies have put identification smart-card projects on hold until the Office of Management and Budget finalizes the timeframe for agencies to migrate to the Federal Information Processing Standard 201.

Agencies now are using the Government Smart Card Interoperability Standard 2.1.

Industry and government sources said NASA is the largest agency that has delayed its implementation and some experts believe the delay is creating unnecessary risk.

'NASA is among at least three agencies that are waiting to implement smart cards because they don't want to spend money on systems that could be obsolete very quickly,' said an industry source, who requested anonymity. 'A lot of agencies would rather sit back and wait. OMB understands it has to come out with a firm date of when GSCIS cards will have to go away.'

The sources said OMB's guidance is in final clearance and could be issued by the end of the summer. Administration officials issued draft guidance in April and sent out an updated version for agency comment in June.

President Bush issued Homeland Security Presidential Directive 12 on Aug. 27 last year, ordering the National Institute of Standards and Technology to produce by February of this year a federal standard for secure and reliable IDs for federal employees and contractors. The result is FIPS-201 with Personal Identity Verification I and II, laying out how the processes and technologies will work.

NIST has since issued separate publications'some in draft form'for biometric, card encryption and card interface technical specifications.

By Oct. 27, agencies must implement the first phase of FIPS-201. Called PIV I, the first phase includes setting up identity-proofing, registration and issuance processes.

Meanwhile, agencies need to decide whether to go forward with planned large-scale purchases of cards that don't comply with FIPS-201, or wait.

'Some agencies have invested in GSCIS 2.1 cards, but not deployed them,' said a federal official, who requested anonymity. 'They have to figure out what is the most cost-effective way to deploy the cards.'

An industry source said OMB should consider what NIST did in helping agencies move to 2,048-bit encryption from 1,024-bit. NIST set a target of 2008 for agencies to start using the new encryption and a 2010 deadline for all agencies to use the higher-security technology.

'This would help the departments of Defense, Veterans Affairs and others go ahead and issue cards that would be compliant in spirit with FIPS-201,' the industry source said. 'Then agencies could replace cards, which have 3-year-to-5-year lifecycles, when needed.'

In the meantime, agencies could depend on middleware and a data interface for GSCIS 2.1 cards to be read by FIPS-201 readers.

While OMB and a team of senior agency and technology experts figure out the compliance piece, the General Services Administration is preparing three blanket purchase agreements to help agencies prepare for PIV II, which requires agencies to begin implementing interoperable systems by Oct. 27 next year.
GSA last week also released a request for information'the second one for FIPS-201 this summer'to determine the commercial status of biometric products and 128K smart cards.

The RFI asked vendors 16 specific questions about cards, readers and fingerprint biometrics. The questions range from how soon could 128K dual-interface smart cards that are FIPS-201-compliant be developed, tested and available to the government to how will the move to 128K cards impact agencies using 64K cards.

'Most companies have a 128K card in the pipeline, but it must be validated through the FIPS-140 process,' said Jeremy Grant, enterprise solutions vice president at Maximus Inc., a systems integrator in Reston, Va. 'And that process tends to take a long time, and there will be a rush by vendors to get their product validated first. NIST will have to decide how that will be handled.'

The RFI also tries to further the ongoing debate among federal and industry experts about whether image or minutiae is best for capturing fingerprints on the cards. GSA also asked about cost, performance and the ability of cards to support both. Responses to the RFI are due Aug. 9.

Minutiae mission

'Minutiae is still too new and there are no open standards that are tested and deliver to the performance we need,' said a GSA official. 'NIST is testing minutiae and plans to be done by February.'

To help agencies get moving on their smart-card implementations, GSA plans by the end of summer to issue blanket purchase agreement contracts to update and modify the current Access Certificates for Electronic Services governmentwide acquisition contract, and for shared-service public-key infrastructure providers.

'ACES will meet all PIV I and PIV II standards and require vendors to provide approved products,' the GSA official said.

Right now, one agency, the Agriculture Department's National Finance Center, and two vendors, Cybertrust Inc. of Herndon, Va., and VeriSign Inc. of Mountain View, Calif., provide PKI certificates for the government.

A third BPA still is in the works and could be out as early as December for smart cards and card readers. But NIST must finish conformance testing for the cards and readers before the BPA will be issued, officials said.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.