Feds eyeing one access model for all

A mandate from President Bush has required the entire federal government to adopt common technology to be used to identify employees and contractors accessing federally controlled networks and buildings.

Signed late last month, the Homeland Security Presidential Directive 12 seeks to establish a government standard for secure identification to protect against a litany of threats such as terrorism and identity theft. The memo instructs the departments of commerce, state, defense and homeland security to work with the White House Office of Management and Budget (OMB) and the Office of Science and Technology Policy to determine new standards and policies within six months.

With the order covering all contractors and federal employees, it’s expected to cause a ripple effect across wide swaths of the technology industry and trigger massive purchases by federal agencies. The initiative could impact “up to 60 million government and contractor employees,” predicts Phil Libin, president of CoreStreet. CoreStreet’s Realtime Credentials product (see review) is used for identity management and access controls for physical and logical systems.

While the presidential memo doesn’t specify technologies, security experts within the government say the likely outcome will be smart cards that can make use of public-key infrastructure (PKI) digital certificates and biometrics to authenticate identity.

A smart card is a plastic device about the size of a credit card that contains an embedded circuit chip that can store and process data such as a unique digital certificate issued to a holder to verify identity through the PKI-based encryption process.

“There’s confidence in PKI as a foundation for what we’re doing,” says David Filbey, chief information security officer at the National Archives and Records Administration (NARA), who also participates in the inter-agency Federal Identity Credentialing Committee established by the OMB last year to chart a course on combined physical and logical access. NARA, which has about 3,000 employees and 2,000 contractors, manages government paper and electronic records for the agencies. 

Filbey notes that today if he shows his NARA federal badge at another agency “it means nothing.” But a smart-card-based proof of identity, using a digital certificate and a fingerprint-verification technique to remotely authenticate the bearer, could provide entry to computers and buildings at other government agencies.

Filbey says the effort to determine a common access standard that would be published by the National Institute of Standards and Technology (NIST) has been ongoing for a year at the OMB committee on which he serves.

The Defense Department’s PKI-based Common Access Card, which holds a user’s digital certificate to authenticate to a computer network, has been the starting point for ideas, Filbey says. But the upcoming set of federal standards also likely will include options for biometrics, such as fingerprint identification, he adds.

The market is making it easier to use smart cards because hardware manufacturers typically ship laptops with card readers, Filbey says.

Some companies, including Johnson & Johnson and Microsoft, are adopting PKI-based smart cards for combined physical and logical access, but this type of authentication remains in the future for most organizations. And despite the government’s best intentions, its own track record with smart cards is decidedly mixed.

According to a report published this month by the General Accounting Office (GAO), the government’s watchdog agency, 28 of the 52 smart-card projects that federal agencies had ongoing in January 2003 were folded into other pilots or were discontinued by June 2004 because they weren’t seen as feasible. According to the GAO report, only nine of the remaining smart-card projects (see graphic) are expected to result in sizable distribution of smart cards to employees and others for access to buildings and computers.

The Department of the Interior’s E-Authentication project, which began with the Bureau of Land Management, is seen as an important bellwether for the effort to combine physical and logical access, Filbey says.

VeriSign is the digital-certificate and managed PKI service provider for the project, ActivCard is supplying smart cards and middleware, and Microsoft’s Active Directory is the repository for user permissions, says George Schu, VeriSign’s vice president in the public sector group. Later this month, Secretary of the Interior Gale Norton is expected to inaugurate the agency-wide use of the smart card for network and building use, he says.

IT vendors, while glad the president’s security memo envisions a defined standard for the entire government (though some high-security operations likely will be excluded), are carefully watching to see what smart card, PKI, biometrics and other standards are published by next spring.

NIST has published the Government Smart Card Interoperability Specification 2.1, says Brett Michaels, RSA Security’s director of federal systems. But that could change because the current smart-card specification lacks needed details on “how to populate the card,” Michaels says. “We want more specific guidance.”

The Defense Department’s Common Access Card, for which Netscape and RSA supply digital-certificate technology and Axalto and others the smart cards, is based on the department’s aging Defense Enrollment Eligibility Reporting System, which is not likely to be the model for other agencies, he notes.

According to Mary Dixon, deputy director of the Defense Manpower Data Center in Seaside, Calif., the total active population holding the Common Access Card was 3.1 million as of July, with approximately 10,000 to 12,000 cards issued each day.

The card is used to gain logical access to the department’s computer networks and systems, and it’s anticipated it will be used to enable physical access to buildings and controlled spaces. However, the Defense Department “will be required to comply with the standard” published as a result of the presidential directive, Dixon says.

That means the Defense Department and other agencies with smart-card projects for identification might retire them for whatever technology is mandated.

The department has spent $1 billion on smart cards and their implementation, says Shannon Kellogg, RSA’s director of government affairs, and the question now is whether the presidential directive, which is expected to result in mandated smart-card use, will be funded adequately.

Kellogg says implementing the new requirements will be an enormous project for years to come.

Agencies just becoming aware of the scope of the presidential memo – which asks them to establish programs within four months after the standards are issued and be ready “to the maximum extent practicable” to go operational for logical and physical access within eight months – say they back the idea of the common standard for identification and will plan for it.

“I see the need for this,” says Joe Scavetti, chief information security officer at Pension Benefit Guaranty, the federal corporation Congress set up in the early 1970s to provide pension insurance plans and related responsibilities. Scavetti says the agency has begun looking at PKI-based smart-card access and will follow the standards the inter-agency groups working on this define.