Interior gets smart about security

Bureau of Land Management plans to give employees smart cards

The Interior Department's Bureau of Land Management has embarked on an ambitious plan to equip its 13,000 employees with smart identification cards.

The cards will provide access to the bureau's buildings and computer systems. BLM, which is responsible for managing more than 260 million acres of public land, has offices nationwide and its information technology infrastructure is highly dispersed.

The bureau and other Interior agencies have taken heat for a lack of network protection as part of a class-action lawsuit against the department. U.S. District Judge Royce Lamberth ordered Interior to disconnect from the Internet in December 2001 after a computer security firm was able to break into its systems.

BLM, which was allowed to go back online a year ago, hopes to strengthen its defenses with smart cards.

"Exposure to risks or exposure to liabilities regarding IT security will be minimized," said Bob Donelson, the agency's senior property management specialist. "It's basically a one-stop ID process," he said, describing the cards as easy to use and more secure.

BLM first turned to smart cards as a physical security solution — an effort enhanced after the Sept. 11, 2001, terrorist attacks — and later determined that adding logical access would bolster its business case, Donelson said.

Last year, the bureau launched a pilot project with 1,000 users at a BLM site in Nevada. The response was so positive that officials decided to go ahead with a full-scale deployment sooner than planned. Some workers went from 10 passwords to one; others cut their workload by 30 percent by reducing the amount of paperwork they had to handle.

"Our managers and employees created an expectation," Donelson said. The change in schedule was "customer-driven."

BLM is building its program on the platform used for the Defense Department's Common Access Card, the standard identification for the uniformed services, officials said. The CAC is embedded with a digital certificate that facilitates secure communications departmentwide. Digital certificates are electronic documents that contain information that helps verify an individual's identity.

For the certificate component of its program, BLM selected an integrated solution from VeriSign Inc. that relies on the company's managed public-key infrastructure. The managed PKI system encrypts, decrypts, signs and verifies the authenticity of information transmitted via the Internet. VeriSign's PKI is interoperable with the Federal Bridge Certification Authority, which was designed to link agencies and allow them to exchange data securely.

BLM's cards will store the certificates, which will give users access to several applications, including encrypted e-mail, authenticated Web portal access and digital signatures.

"I think the key benefit is much tighter control of access to their computer systems," said Barry Leffew, vice president of VeriSign's public-sector group.

In addition to security concerns, a driving force behind the initiative is the Government Paperwork Elimination Act's mandate that agencies must offer digital forms and accept electronic signatures by October.

BLM is slated to move more than 400 forms to the Web this year, Donelson said. In so doing, the agency will save money and make a quick return on investment for the smart card program, which received no special funding, he added.

Outsiders have taken note. Among civilian agencies, "BLM seems to be at the lead in terms of using smart cards with digital certificates," Leffew said. "We're seeing a number of pilots. Many agencies are watching this [program] in particular."

Bureau officials expect to issue the cards to all employees by the end of 2004.

***

Feds get carded

The Interior Department's Bureau of Land Management has decided to move forward on a smart identification card program after completing a pilot project.

BLM is not alone. Other civilian agencies that have begun testing or using the technology include:

* The State Department, which began distributing smart cards to employees last year for entry to its U.S. offices.

* The Transportation Security Administration, which has two regional pilot projects in the works for its Transportation Worker Identification Credential System that will provide employees at airports, ports, railways and other locations with secure access to buildings and systems.
