Network World
Govt. braces for key security standard

Department of Defense could feel biggest impact of new smart-card rules.
By Ellen Messmer , Network World , 02/28/2005

The National Institute of Standards and Technology last week raced to meet a weekend deadline to issue a smart-card standard that will be the basis for products that give federal employees and contractors secure access to networks and buildings.

President Bush imposed the deadline last August in a directive aimed at improving government security by having a common access technology adopted by next year.

The arrival of the Federal Information Processing Standard (FIPS) 201 is being met with a mix of optimism and anxiety. If it works out, the standard could provide a framework for adoption outside the federal government. But more immediately, government agencies are concerned about its costs and practical implementation.

The Department of Defense, the government's biggest user of smart cards, is most worried.

"We expect we're going to have to make some changes," says Mary Dixon, deputy director at the department's Defense Manpower Data Center. The group has issued more than 3 million smart cards based on the older Government Smart Card Interoperability Specification (GSCIS).

In comments to NIST last December on the draft standards document, the Defense Department said FIPS 201 would force a "costly re-investment" that would "require [Department of Defense] to re-deploy desktop middleware to 2.2 million [Defense Department] computers," update 3.5 million Common Access cards and "impose an unproven solution with no supporting product."

The government did not release estimated costs to pay for Bush's mandate.

"[Department of Defense] CIOs and program managers will be hard-pressed to explain and defend this decision to their senior leadership," the department stated in its comments to the NIST, and added that the draft standard is at odds with changes planned by the agency this year. The Defense Department did not divulge those changes.

Dixon says the Defense Department will lobby for changes in FIPS 201 right up until its official publication.

The two NIST engineers who wrote FIPS 201, Cliff Barker and Jim Dray, aren't oblivious to the concerns surrounding the emerging standard.

"The majority of the controversies we enjoyed in the last few months are due to the legacy issues of the GSCIS world," Dray said during a presentation he made two weeks ago at the RSA Conference. "But card management was one of the main things missing from GSCIS v.2.1."

Standard specifics

The smart-card platform expected to be unveiled this week is a "virtual machine card" with common namespace definition, management, file IDs and application IDs.

The standard also will define procedures for establishing user identity before issuing a smart card. The NIST engineers said agencies, which use smart cards for access to networks or, less commonly, buildings, are going to have to get on board.

"We don't think it's going to be possible to have business as usual for agencies that don't want to change," Dray said.

The smart-card standard is expected to have two-fingerprint biometrics and a digital certificate for authentication. The smart card would support both "contact-based" and radio frequency identification (RFID)-based "contactless" methods for sharing data.

The contactless method has been controversial because of the concern that "you could come behind someone in an elevator and pull the biometric off a card using an RFID reader," says Dave Enberg, CTO at CoreStreet, which makes identity management and access control products for physical and logical systems.

"The whole process has gone through highs and lows in terms of the communications between staff at NIST, industry and the government agencies involved," says Randy Vanderhoof, executive director of the Smart Card Alliance in Princeton Junction, N.J., whose members include manufacturers such as Axalto and Gemplus.

Vendors to the government will inspect the published standard for how "tight the FIPS 201 specification would be in defining specific card data files and smart cards that would render existing systems incompatible." He adds: "The 'must' vs. 'may' vs. 'should' is critical to this process."

Two technical documents from NIST, Special Publications 800-73 and 800-76, expected out in March, will further define smart-card hardware and biometrics requirements.

Gary Klinefelter, vice president of engineering at Fargo Electronics and chair of a group called Open Security Exchange, which advocates open standards for dual-use access methods, says smart-card manufacturers are going to have to determine whether they'll need to develop new chipsets for FIPS 201.
