GAO flags smart card challenges

Report says the technology remains difficult to implement and is gaining traction slowly

Progress in Promoting Adoption of Smart Card Technology

Although 18 agencies have launched projects using smart cards to identify people or control access to buildings and systems, the technology remains difficult to implement and is gaining traction slowly, according to a General Accounting Office report.

The credit card-size smart cards use computer chips to store and process data, enabling them to interact with computers.

Prepared for Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, the report said that the 18 agencies have initiated 62 smart card projects among them. Most of them were small-scale demonstrations until the past two years. Since then, some agencies — notably the Defense Department — have launched much larger implementations.

"While the technology offers benefits, launching smart card projects — whether large or small — has proved challenging to federal agencies," the report states.

The major challenges include:

* Sustaining executive-level commitment. DOD's Common Access Card project has succeeded because the department has a mandate to implement it, the report said. Other agencies have encountered executive-level resistance and cost concerns that lead to programs being delayed or canceled.

* Recognizing resource requirements. Some projects have faltered because agencies didn't grasp the costs involved, which can include, for example, information technology infrastructure upgrades to install card readers, the report said.

* Integrating physical and logical security practices across organizations. Because smart cards can address physical and data security needs of an organization, people involved in each area need to cooperate more extensively than they may be used to, the report said.

* Achieving interoperability among smart card systems. The report recommends developing standards to make sure that smart cards, card readers and related technologies deployed by each agency are compatible with one another.

* Maintaining the security of smart card systems and privacy of personal information. The report notes that smart card systems are not invulnerable, and their security must be addressed when agencies plan smart card projects.

The General Services Administration is responsible for promoting smart card use and guiding agencies, the report notes, adding that GSA's effectiveness has been "mixed." GAO found that GSA has not established standards in the use of smart cards as a component of federal building security processes.

GAO also noted that the Office of Management and Budget, which along with the National Institute of Standards and Technology should be guiding agencies in smart card use, has not issued any policies specifically related to smart card use since designating GSA to take the lead in promoting the technology in 1996.
