Federal bodies approving contractors’ wares, with little time to spare
By Marisa Torrieri, Contributing Editor
Where FIPS 201-compliant smart cards are concerned, summer’s hot and anything but lazy. The U.S. government is taking action on several fronts to help federal agencies get Personal Identity Verification (PIV) card systems in place. From giving the thumbs up to smart card parts contractors to testing contractors’ wares, all of the pieces are coming together, with Oct. 27 looming. That’s the deadline set for federal agencies to issue new, interoperable smart cards based on the FIPS 201 specification to all federal employees.
“For the last year, everything sort of dried up. Agencies were waiting, no one wanted to move because they didn’t know where to go,” says Kevin Kozlowski, vice president of government division of FIPS 201 systems integrator XTec, which is working with the State Department and others to meet deadlines. “Now, there’s a mad rush. We’re starting to see RFPs to come out like crazy.”
The PIV card initiative is mandated by Homeland Security Presidential Directive 12 (HSPD-12), signed by President Bush in August 2004. HSPD-12 calls for a number of measures to put into place more secure networks and communication systems across Federal agencies, including the new PIV ID card, which is capable of granting secure access to designated buildings and services.
NIST works to approve applications and middleware
As of July, The National Institute of Standards and Technology (NIST) is continuing conformance testing of the smart card software against the established standards, while the General Services Administration (GSA) is coordinating with vendors to test for interoperability between the smart cards, readers, middleware and other components.
Additionally, NIST is on the brink of releasing the final publication of “Special Publication 800-85B, PIV Data Model Conformance Test Guidelines.”
The document, for which a draft was posted May 25 calling for a four-week comment period through June 22, provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card (for all specifications outlined in SP 800-73-1, SP 800-76, and SP 800-78). It also outlines tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in the FICC-SSP subcommittee document, according to NIST.
SP800-85B defines test procedures for characteristics that are already normatively standardized in FIPS 201-1, SP800-73-1, SP800-76, SP800-78, and several other standards, explained NIST’s William MacGregor (Mr. MacGregor recently took over Curt Barker’s post as NIST’s Personal Identity Verification Program Manager). Thus, the primary users of SP800-85B will be developers of issuance systems, and agencies performing Certification and Accreditation (C&A) processes on PIV Card issuers, Mr. MacGregor notes.
Other PIV-related NIST draft publications, including SP800-96 (card-reader interoperability & performance), and draft SP800-78-1 (PIV cryptographic algorithms) are simultaneously undergoing changes, and moving along toward final publication.
OMB and GSA work to approve vendors and products for agency use
Meanwhile, the Office of Management and Budget issued a press release July 5, drawing attention to the “government approved” list of vendors whose PIV-card components and solutions are ready to put in place. The General Services Administration, designated as the OMB’s Executive Agent for the Acquisition of Products and Services to implement HSPD-12, is working alongside NIST to test the PIV infrastructure. The list has grown several-fold in the last few months as more companies’ PIV card systems and components become available for federal agencies to use.
The July 5 announcement is the official designation of FIPS 201 product and service availability, an OMB spokeswoman says.
The floodgates are opening …
Despite looming deadlines, many federal agencies didn’t want to implement until the official go-ahead.
“I think there’s an inconsistency in the level of knowledge each agency has,” says James Jasinski, executive vice president, Cogent Systems, which makes biometric template generators and matchers for the PIV cards, among other things, and has a number of FIPS 201-approved products on the GSA’s approved vendors list. “Until now, nothing was given the clearing. Now that it’s all been approved, the agencies can go through the process of achieving the original objective that was announced back in August.”
Although approval is finally formal, Cogent and others have been busy courting agencies with their solutions and following up on RFPs issued by various agencies.
“I think the focus is one, making sure our product is certified, second, that those products have been validated as being top of the line products,” says Mr. Jasinski. “Once we get that accomplished, we’re making sure we interface with as many systems integrators and agencies as possible.”
Want to see which vendors have been validated by NIST? Check out http://csrc.nist.gov/npivp/. The Web site provides both validation and pre-validation lists for PIV Cards and middleware.
The list of approved vendors and products from the GSA Evaluation Program are online at http://fips201ep.cio.gov/.
To view approved providers for other services not covered under the GSA or NIST Evaluation Programs, visit http://idmanagement.gov/.
In addition, the “MINEX Compliant List” lists the validated template generation and matching packages.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.