HSPD-12 mandated ID cards will be ready for new federal employees by October
By Marisa Torrieri, Contributing Editor, AVISIAN Publishing
Come mid-Autumn all new federal employees can expect to be issued a state-of-the-art smart card capable of granting secure access to designated buildings and services.
However, it may be several years before every single existing federal employee gets new powerful plastic with standardized high-security specs, say the agencies in charge of developing the card in accordance with the Homeland Security Presidential Directive 12 (HSPD-12).
HSPD-12, signed by President Bush in August 2004, calls for a number of measures to ensure more secure networks and communication across Federal agencies. Among these is a new Personal Identity Verification (PIV) ID card. The standards for the PIV cards have been in development since HSPD-12’s release, guided by the National Institute of Standards and Technology (NIST).
The HSPD-12 mandate requires all federal agencies to switch to these PIV cards to raise the level of identity verification and security across government. But getting all agencies to implement the new cards, mandated for new employees by Oct. 27, is proving to be a major undertaking.
The General Services Agency, designated as the government’s Executive Agent for the Acquisition of Products and Services to implement HSPD-12, is working alongside NIST to test the PIV infrastructure.
While NIST is testing conformance of the smart card software against the established standards, GSA is coordinating with vendors to test for interoperability between the smart cards and readers. “NIST is basically testing smart cards and middleware for conformance to the standards,” largely within 10 laboratories, says Curt Barker, the personal identity verification program manager at NIST.
But getting the PIV card and system components up and running, as well as imposing a timeline on developers, is a difficult challenge – so much so that the General Accounting Office (GAO) has issued numerous reports citing these challenges, David Temoshok, director for identity policy and management for the GSA, tells SecureIDNews.
“We don’t envision that we’re going to flick a switch in October of 2006 and all agencies will immediately replace their current badges,” says Mr. Temoshok. “That’s going to take several years. Implementing HSPD-12 is not about buying the right cards, it is about deploying systems across multiple government organizations that can be trusted and interoperate.”
Existing government-issued smart cards close but not entirely PIV
Some agencies have been issuing smart cards for employee identification for some time. For example, the Department of Defense (DoD) has issued more than 8.8 million smart cards called Common Access Cards (CAC) across the military branches, and there are currently 3.2 million active CACs in the field, says a DoD spokeswoman. But, according to Mr. Barker, certain aspects of the CAC made it a no-go for the national, all-agency implementation required by the HSPD-12 mandate.
“It really wasn’t that the common access card was deficient,” says Mr. Barker. “It was something that was designed for one department and was useful for some others, but we needed to specify something that met the needs and constraints of all the departments.”
Subtle differences include the commands used to read the information on the card, and some elements of the information itself. In other words, there is employee information on the DoD’s CAC card that other agencies might not want to put on their employee access cards, such as military rank, says Mr. Barker.
Another issue, adds Mr. Barker, is that “the PIV standard was designed so that any of the smart card architectures could meet it. The CAC card was more tailored to some of the manufacturers than others.” Additionally, he says, “the DoD has a highly automated human resources database to go with the common access card. Not all agencies have that.”
For the government-wide deployment to be possible, a few adjustments were necessary, including additional features such as the ability to read biometric data and a contactless interface for physical access purposes.
With the next deadline just months away, serious challenges remain
Key challenges to deployment include the tight timeframes for NIST, GSA, and the vendor community to conduct testing and complete development on products that adhere to the government’s standards. In addition, the sheer magnitude of the project – from each agency designing its own interface to getting all issuing centers to replace old cards with new – is keeping NIST and GSA conservative in their timeline estimates.
“It’s about implementing a secure and standardized identity management system across the whole government,” says Mr. Temoshok. “The [key is] having the right and approved products that will interoperate with multiple readers but also integrate the systems across the back end.”
Though the effort required is obviously substantial, the cards will vastly improve security, says Mr. Temoshok. Government workers going from one federal building to another, for example, often have to get new security clearance and a visitor’s badge. Under HSPD-12, Federal employees and contractors will be granted trusted access to facilities and networks based on the PIV card.
“If you have the PIV card, then you know that employee has gone through background checks, and the badges can be trusted across government,” says Mr. Temoshok. “In order to have that trust, you have to read the card – so machine readability and interoperability is fundamental.”
Because the PIV card contains digital credentials – fingerprint biometric, digital certificate, PIN – that are used to validate the cardholder to the card, card theft will not necessarily breach security, he adds.
Agency ‘To Do’ list for HSPD-12 compliance long but flexible
The Federal Information Processing Standard 201 (FIPS 201) specifies the technical and operational requirements for the PIV system and cards. The title of FIPS 201 is “Personal Identity Verification for Federal Employees and Contractors” and it was approved on Feb. 25, 2005. In essence, it is the standards document that details procedures for the issuance of PIV cards to meet the HSPD-12 mandate.
According to NIST, the primary requirements for implementing FIPS 201 include the “issuance of identity credentials that consist of public key infrastructure (PKI) and biometrics technology on a smart card.” They suggest that the high-level agency requirements include:
- Identify the facilities, systems, and other applications that will use the PIV standard
- Obtain the services of an accredited PIV card issuer
- Review and revise procedures for PIV card applicants to provide acceptable identity source documents (i.e., OPM I-9) and complete the PIV card application
- Obtain services for capturing biometric information as specified in the FIPS 201
- Obtain PIV card readers with biometric readers as needed
- Procure cards, readers, and PKI services conforming to FIPS 201
- Enable applications to use the PIV card
- Operate and maintain a PIV card authentication and personal identity verification system.
While cards must conform to certain standards outlined in HSPD-12 and accompanying standards published by NIST, agencies have a certain amount of flexibility in how they want the cards to look and what information the cards should contain.
For security purposes, cards will have a preset lifecycle.
“The key information changes every three years because you don’t want to rely on the same variable information for too long because there are other ways, besides computationally breaking it, that it can be lost or exposed,” Mr. Barker says.
“We’re trying to design electronic aspects of the card so if an adversary knows the design, they still won’t be able to exploit that knowledge,” Mr. Barker says. “The cryptographic algorithms have to be strong enough that even if the other person has the algorithm, without private key variable information, they can’t take advantage of that knowledge.”
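The two points Mr. Barker and Mr. Temoshok make above, that the card's credentials bind the holder to the card so theft alone is not a breach, and that knowing the design and algorithm does not help without the private key, can be shown in a small model. The following is an added example written for this article, not code from NIST, GSA or any PIV product; the three-year lifetime, PIN retry count and the simplified certificate record are assumptions, and real PIV cards use X.509 certificates and hardware-protected keys.

```python
# Added example, not code from NIST, GSA or the article: a simplified model of
# the PIV factors named above (PIN unlocks the card's private key, a
# certificate-like record with a three-year validity, reader challenge-response).
# Lifetime, retry count and record layout are assumptions for this illustration.
import os, hmac, hashlib
from datetime import datetime, timedelta
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.exceptions import InvalidSignature

CREDENTIAL_LIFETIME = timedelta(days=3 * 365)  # assumed: "changes every three years"
MAX_PIN_TRIES = 3                              # assumed retry counter

class PIVCardModel:
    def __init__(self, pin: str, issued: datetime):
        self._key = ed25519.Ed25519PrivateKey.generate()  # never leaves the card
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # model only
        self._tries_left = MAX_PIN_TRIES
        self._unlocked = False
        # Readable without a PIN: public key plus validity window (real PIV uses X.509).
        self.credential = {"public_key": self._key.public_key(),
                           "not_before": issued,
                           "not_after": issued + CREDENTIAL_LIFETIME}

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:          # card locked after too many bad PINs
            return False
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        self._tries_left = MAX_PIN_TRIES if ok else self._tries_left - 1
        self._unlocked = ok
        return ok

    def sign_challenge(self, challenge: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("PIN not verified: private key unavailable")
        return self._key.sign(challenge)

def reader_authenticate(card: PIVCardModel, pin: str, now: datetime) -> bool:
    # Reader side: reject expired credentials, then prove key possession with a
    # fresh random challenge; the public algorithm and key alone cannot answer it.
    cred = card.credential
    if not cred["not_before"] <= now <= cred["not_after"]:
        return False
    if not card.verify_pin(pin):
        return False
    challenge = os.urandom(32)
    try:
        cred["public_key"].verify(card.sign_challenge(challenge), challenge)
    except (InvalidSignature, PermissionError):
        return False
    return True
```

A stolen card presented with a wrong PIN, a card whose three-year credential has lapsed, and a card locked after repeated bad PINs all fail `reader_authenticate`, while the legitimate holder passes.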