Federal agencies scramble to meet security deadline

Two years ago President George Bush ordered the federal government to be ready by this Oct. 27 to issue a standards-based identity card that federal employees and government contractors would use for computer and building access.

The intention of the order, known as the Homeland Security Presidential Directive 12 (HSPD-12), was to usher in a new generation of encryption-based smart cards with biometrics and photos to be used government-wide for physical and logical access. The Personal Identity Verification (PIV) program, as it's come to be called, has federal agencies scrambling to issue PIV identity cards by the deadline, but it is unclear if they will be able to meet that goal.

For one, the $104 million HSPD-12 services contract, awarded last month by the General Services Administration (GSA) to systems integrator BearingPoint to provide PIV enrollment services and identity cards, is up in the air. Competitors Lockheed Martin, Xtec and Electronic Data Systems filed legal protests two weeks ago. When a contract is protested - a common occurrence in the world of government - the work usually stops. But not this time.

To meet the Oct. 27 deadline, the GSA - designated by the White House Office of Management & Budget (OMB) last year as the executive agent for government-wide acquisitions of HSPD-12-related IT- is plowing on.

The GSA says BearingPoint has been instructed to go ahead as planned and open PIV enrollment centers in Washington, D.C., New York, Atlanta and Seattle.

"The whole intent is to improve the security of the U.S.," says Michel Kareis, PIV program manager at the GSA. "The GSA is setting these centers up as a shared services solution so agencies don't have to set them up on their own."

Kareis says she expects about 400,000 government employees to get their PIV cards from these services by appearing in person with proof of identity, and have their photo and fingerprints taken.

The GSA, which hopes to see the government resolve the protests against BearingPoint by the end of the month, intends to add 100 service centers in the United States, probably at government-owned facilities that it runs.

Under the OMB guidelines, federal agencies have to acquire the PIV products and services from GSA-approved lists, and high-tech contractors have been lining up seeking approval.

That process requires vendors to have products tested in government labs to see if they meet technical requirements, says Scott Price, group senior vice president in General Dynamics' IT group. General Dynamics was approved in July as an HSPD-12 system provider.

Defining the PIV technology has been no small matter. Two years is scant time to establish government standards and conformance testing of products, including smart cards, readers, biometrics, middleware and public-key encryption.

But the National Institute of Standards and Technology (NIST) has issued the necessary standard, known as the Federal Information Processing Standard 201, and lined up about a dozen labs to test FIPS 201 conformance for vendor PIV products.

These third-party test facilities include Atlan Laboratories, BKP Security Labs, BT Crytographic Module Testing Laboratory, Coact, Cybertrust's ICSA Labs and InfoGard Laboratories.

But here, too, it is down to the wire, because the labs aren't yet officially accredited. "The labs are in a probation period," says Bill MacGregor, NIST PIV program manager, about the dozen facilities undergoing the accreditation process. MacGregor says he expects the process to be finalized by the end of the month.

In the meantime, NIST is publishing prevalidation product lists that include offerings from Oberthur Card Systems, Gemalto (formerly Gemplus), ActivIdentity, SETECS, ImageWare Systems, Sagem and RSA Security. "In the middleware testing, we basically define an API for commercial products for PIV cards," MacGregor says.

Ed MacBeth, senior vice president for marketing and business development at ActivIdentity, says the NIST test-validation process has involved a "self-certification process" that entails running products - such as ActivIdentity's ActivClient, which is smart-card middleware - through testing process and procedures that NIST has published.

"It's like submitting a drug for approval by the FDA," MacBeth says. "You exhibit your results."

The NIST test regimen won't involve testing every line of code in PIV applications, because this isn't required under the FIPS 201. "FIPS 201 doesn't standardize on back-end interfaces," MacGregor points out.

The NIST PIV standard is based on the most recent ANSI card and biometrics standards. The FBI has been testing the fingerprint biometrics conformance in PIV products in FBI labs.

The whole PIV technical effort constitutes "a makeover of the marketplace," MacGregor says, adding that the government PIV push should bring interoperability to smart-card-based identity management. "Much of the biometrics products have been based on proprietary matching methods and storage methods," he points out.

The PIV cards, readers and middleware should allow for "government card portability," MacGregor says. The goal is that any PIV card that's good at one agency should be able to be used in any PIV application at another agency that's PIV-compliant to the extent that applications define themselves closely by middleware.

But will the gear be interoperable? To find out, NIST last May invited PIV product vendors to NIST headquarters in Gaithersburg, Md., to discuss their products and demonstrate how well they worked together.

About four dozen companies supplying PIV cards, enrollment and identity management systems, issuance and printing, contact readers, contactless readers and physical-access control systems, PKI and biometrics showed up.

According to MacGregor, a month-long examination left him fairly optimistic. However, he noted it did prompt NIST to release a short "interoperability definition" of two pages defining further card-to-reader recommendations.

How PIV is to connect into any legacy systems is outside the scope of the FIPS 201 standard and will have to be addressed by agencies and their vendor partners, MacGregor says.

The Department of Defense, which over several years has issued millions of its own Common Access Cards (CAC) which are not FIPS 201-compliant, won't have to meet the Oct. 27 deadline the same way other agencies must. That's because the Defense Department, along with a handful of other agencies, including the Department of Veterans Affairs (VA), has received special exemption from the OMB, though it must submit a plan for migration.

But the Defense Department is expected to add FIPS 201 support to the CAC card in order to share necessary identity data with PIV applications. "Defense Department would be the first to admit they are not compliant with FIPS 201, but they're working toward it," says Tom Greco, vice president at Cybertrust, which is providing public-key infrastructure and certificate management as part of the BearingPoint team.

Handheld reader

Some vendors are building products to support the Defense Department and FIPS 201-based cards. CoreStreet, for example, last week announced Pivman System, a handheld mobile device intended as a PIV and Defense Department card reader to be used by government personnel responding to emergencies.

"If there's a disaster or emergency, there will be a lot of people going to the scene to render help," says Phil Libin, CoreStreet's president. "The question is, who gets admittance?"

The Pivman handheld device can be used to check identity of personnel based on the holder's PIV card, with authentication provided directly through Pivman and with additional information stored in remote databases that can be accessed over a Wi-Fi or General Packet Radio Service network.

If needed, the Pivman mobile device can supply information obtained from back-end databases about the card holder based on role, such as firefighter or medical personnel. The Department of Homeland Security is said to be testing the Pivman System.

ActivIdentity, whose card-management software supports the CAC and the Government Smart Card Interoperability Standard, an earlier government standard said to be used in a half-million smart cards at the VA, views PIV as an evolution.

"PIV establishes a rigorous process for identity verification," Macbeth says. PIV also will touch the private sector, such as Northrup Grumman, because government contractors will have to use it, he points out. But it's uncertain how quickly it would be adopted by companies in the private sector not falling under the HSPD-12 mandate.

The transition from any older technologies used for physical or logical access is going to be a slow process, according to many.

"It can't all be done on Day One," MacGregor says. "There's a transition that has to occur, and it will take a long time to move from older magnetic-strip cards that some agencies use for physical access to PIV."

A short history of Personal Identity Verification cards

The deadline is looming for agencies to meet a presidential mandate issued in 2004.
August 2004President Bush issues Homeland Security Presidential Directive (HSPD-12) mandating federal agencies be prepared to issue a standards-based identity card for physical and logical access control by Oct. 27, 2006.
February 2005The National Institute of Standards and Technology issues Federal Information Processing Standard 201 (FIPS 201) and later establishes the NIST Personal Identity Verification (PIV) program to test and validate PIV components and subsystems.
August 2005The White House Office of Management & Budget issues implementation guidance for federal department and agencies, and in June designates the General Services Agency (GSA) as the executive agency for government-wide acquisitions of IT related to HSPD-12.
August 2006The GSA sets up the HSPD-12 Managed Services Office as a source to acquire FIPS 201-compliant equipment, software and services in order to leverage the collective buying power of the government.

Learn more about this topic

Federal agencies need to improve Wi-Fi controls

07/06/05

Govt. braces for key security standard

02/28/05

Banks scramble on security deadline, Google's software bundle, an update on wireless since ...

09/05/06

Join the discussion
Be the first to comment on this article. Our Commenting Policies