Smart cards: A step ahead, or a step backward?

OMB's E-Authentication page

A set of new policies, standards and acquisitions designed to get interoperable smart cards into the pockets of federal employees and contractors could have just the opposite effect, according to some industry insiders.

Daniel Turissini, president of Operational Research Consultants Inc. of Chesapeake, Va., is among those who are taking issue with the new public-key infrastructure (PKI) encryption and smart card proposals before the CIO Council. In an interview, Turissini said the success of the Defense Department's Common Access Card program, which has fielded 4 million cards, is proof that the ingredients of a

solid program are already at hand.

Last September, Turissini told a House Government Reform Committee subcommittee, "Instead of continually reinventing the mousetrap, we need to use the mousetrap we have and continually enhance that trap to remain one step ahead of the mice." He said last week he stands by that

statement.

A governmentwide program is ready to go but needs funding and a mandate to proceed, he said. "We can get 80 [percent] to 90 percent of the requirements done this year," Turissini said. Implementation of existing smart card and PKI technology would do much to protect the government's networks and sensitive information, he added.

An executive of another company, who declined to be named because his company sells smart cards to the government, questioned why the government is trying to line up two dozen new service providers that will issue PKI identity certificates and smart cards to agencies.

Two General Services Administration contracts, Access Certificate for E-Services and the Smart Access Common ID contract, provide similar services already, the executive said. Business has picked up recently on the Smart Access contract, he added.

GSA officials, however, were not available to comment on why the agency plans to create another contract vehicle as a new category of the GSA schedules. The GSA official who leads the interagency Federal Identity and Credentialing Committee was traveling out of the country and could not be reached for comment, an agency spokeswoman said.

This month the committee approved draft policies containing requirements for agencies that want to use PKI-enabled smart cards. The policies go to the CIO Council for review and, if approved there, could be adopted as policy by the Office of Management and Budget.

Ensuring agencies' ID cards are interoperable is a major goal of the draft policies, which fall under OMB's E-Authentication initiative, one of the Bush administration's e-government projects. According to the E-Authentication Web site, "Not undertaking a consolidated authentication approach would cost an additional $200 million in development costs, $26 million in acquisition costs and would delay implementation of the e-government initiatives to 2005 and beyond."

The draft policy does not include deadlines for agency action, but it states that "agencies should begin planning for migrating their current access control systems, both physical and logical, in order to conform to this policy."

Karen Evans, OMB's administrator of e-government and information technology, described the new policies approved by the committee as "a first step toward simplifying the system development time and costs for those agencies who have made the business case to implement smart cards for their employees and contractors."

Randy Vanderhoof, executive director of the Smart Card Alliance Inc., a consortium of card suppliers and users, said "the government is going about this the right way" by working simultaneously on the technical, policy and acquisition issues.

Eventually, smart cards will not only allow employees to access federal facilities but also provide a more reliable form of ID than the passwords currently used for logging on to federal systems and networks.

PKI-enabled smart cards can provide assurance that individuals are who they claim to be, whether online or at an entry gate.

Meanwhile, GSA issued an official solicitation for bids to supply smart card services that comply with the federal standards and certificate policy. That solicitation is expected to result in a list of qualified bidders by the end of June. The next step will be a set of GSA schedule contracts, according to the announcement.

Agencies are increasingly turning

to smart cards to serve as employee IDs. One of the most recent to do so is NASA, which is beginning to deploy a new One NASA card to 90,000 employees and contractors at 15 space centers and other

facilities. A pilot program will be conducted at the Marshall Space Flight Center

in Alabama before the cards are issued agencywide.

"When I got here almost three years ago, the ID pass had not been changed in almost eight years," said David Saleeba, assistant administrator for security management and safeguards at NASA, adding that the industry standard for smart card changeovers is five years. n

Ferris is a freelance writer in Chevy Chase, Md. She can be reached at ferrisn@att.net.