Who are you? That was the question asked by the rock group, The Who, in the 1970s. In response to terrorism concerns, government has taken up the refrain: It really wants to know. To that end, a number of federally mandated identification card requirements are now in various stages of rulemaking or initial implementation. Each contains security requirements, often including some smart card technology, and each is targeted toward a specific user group, such as government workers and contractors (through a Homeland Security Presidential Directive, HSPD-12), transportation workers (through the Transportation Worker Identification Credential, or TWIC), and the general public (through driver’s license standards called REAL ID). Our focus is on government’s experience in implementing HSPD-12 and how it may spur smart card growth in private industry.
Although smart card projects in the federal arena were initiated as early as a decade ago by the Department of Defense, high implementation costs and a lack of interoperability standards prevented wide-scale adoption of smart cards across government. The rules changed, however, when President George W. Bush issued HSPD-12 in August 2004. The directive forced the government and industry to address many of the barriers to large-scale smart card deployment.
The directive requires the government to issue a common, smart-card-based identification credential to all federal employees and contractors. The card must support both physical access to federally controlled facilities and logical access to information systems. The accompanying technical standard represents a large leap forward toward interoperable smart cards, with a focus on improving security for physical and IT access to federal facilities and networks.
Agencies and industry partners worked feverishly for two years to align the programs, funding, and technology to begin issuing the cards last October. The transition, however, has been far from smooth. Some agencies did not meet the deadline at all. Of those that did, some issued only a handful of cards. And when compliance testing was conducted by the General Services Administration (GSA) shortly after the deadline, many cards failed to meet the required standards.
Cards failed for a variety of reasons, major and minor. One example of a serious problem was that card information was encoded in the wrong order, making interoperability impossible.
In January, additional testing found lingering problems. Agencies now have until October 2008 to issue compliant cards to their entire employee and contractor base. Agencies that still have problems face the greatest challenges, but even those that passed the first test by issuing a small number of compliant cards face new hurdles, such as the logistical issues arising with a nationwide rollout and the difficulties of integrating the new technology with legacy systems, or replacing them altogether.