Subscribe to the Free Print Edition!
Celebrating 25 Years

GCN Home > 11/22/04 issue

New standard could reshuffle smart cards

By Susan M. Menke, GCN Staff

Agencies might have to upgrade millions of cards to meet FIPS 201’s proposed specs

Nearly 4 million smart cards in use by government do not match the specifications set out this month in a proposed standard for a governmentwide identification card.

That means agencies potentially will have to upgrade millions of cards to comply with the Federal Information Processing Standard 201 when it becomes final in February.

The draft FIPS 201 from the National Institute of Standards and Technology describes requirements for a governmentwide personal identity verification (PIV) card for federal employees and contractors.

Agencies must have programs in place to bring their IDs into conformance with the standard within four months of its approval.

The impact is potentially significant:
  • The Defense Department has distributed its Common Access Card to 3.5 million personnel.
  • The Homeland Security Department is well into issuing the first 200 of its DHS access cards (DACs), with dual embedded chips and multiple digital certificates.
  • NASA is modifying in midstream its plans for credentialing 20,000 federal employees and 70,000 contractors with a Java card.
None of these smart card programs mesh perfectly with the proposed FIPS 201 regulations.

“We didn’t anticipate having to capture fingerprints and pictures at registration,” Tim Baldridge, a computer scientist at NASA’s Marshall Space Flight Center, said at last week’s Inside ID Conference and Expo in Washington. “We’re modifying the enrollment procedures to recredential everybody without having to send the entire workforce to the security office twice.”

NIST drafted FIPS 201 in response to August’s Homeland Security Presidential Directive 12 mandating a secure, common credential. The draft identifies several minimum characteristics for PIV cards, including embedded contact and contactless chips, digital left and right index fingerprints (10 prints for contractors), public-key infrastructure certificates and a cryptographic algorithm.

NIST will accept comments on the proposed specs until Dec. 23. The plan is to push through final approval by late February.

DOD’s existing CAC has only one chip and uses contact transmission. But the program incorporates elements currently optional under FIPS 201 guidance, such as a personal ID number, magnetic stripe and bar code.

More news on related topics: Biometrics, IT Management, IT Security