OMB’s Evans: Agencies will meet PIV I by Oct. 27

Agencies have about two-and-a-half weeks to make sure their processes to issue federal identity cards and register employees meet the requirements outlined in Federal Information Processing Standard 201-Personal Identity Verification I (PIV I). And Karen Evans, the Office of Management and Budget’s administrator for e-government and IT, said she expects all agencies to reach that milestone.“We have no choice but to meet the dates,” Evans said last week at the Identity Management Conference in Arlington, Va., sponsored by the Information Technology Association of America. “We are aware they are aggressive dates and there are risks associated with it. But the improvements since Sept. 11 are marginal, and it is necessary to have aggressive dates.”Agencies then will have until Oct. 26, 2006, to begin implementing PIV II, which calls for interoperable systems and issuing credentials that use these applications. Experts agreed this is the more difficult part of .Many agencies, experts said, are modifying their current processes to issue credentials to meet PIV I. But for PIV II, OMB still must work out a number of issues, including the type of biometric on the card, and approving vendor products and services.Evans said OMB anticipates the first set of products and services certified to meet FIPS-201 by January 2006.“We want at least two or three products or services certified so there is competition going forward,” she said. “If we can’t meet that date, we will adjust accordingly. But all indications are that the National Institute of Standards and Technology will meet the date to get the products and services certified.”In the meantime, the General Services Administration — which put all non-FIPS-201-compliant smart card implementations on in August — designated the e-authentication/e-government project office the program management office for FIPS-201 implementation, said David Temoshok, GSA’s director of identity policy and management.The office will develop and publish procedures for vendors to be listed on the blanket purchase agreements that GSA will establish for approved FIPS-201 products and services.“The office will define prerequisite qualifying requirements, application procedures, evaluation procedures and ongoing qualifying procedures,” he said. “All authentication lines will go through the IT schedule under a specific special item number with five or six subcategories.”One of the biggest issues still to be resolved is how the employee’s biometric fingerprint will be stored on the card. Jeanette Thorton, an OMB senior policy analyst, said NIST is considering three options: image, minutiae and one of each.Some experts believe that the minutiae option is too new, and there are no open standards that have been tested for it. NIST currently is testing minutiae to determine if it can meet agency needs.“We might use minutiae when you come and go within your own agency and use image when you go to another agency,” Thorton said. “We hope to make a decision soon.”GSA a request for information earlier this summer to determine whether there are smart cards on the market that can support minutiae or image biometrics, and which is best.Thorton also said NIST has established and soon will finish interoperability testing procedures.“We will communicate to industry soon how this will work,” she said. “Conformance and interoperability testing will be our focus over the next few months.”