Who are you? That was the question asked by the rock group, The Who, in the 1970s. In response to terrorism concerns, government has taken up the refrain: It really wants to know. To that end, a number of federally mandated identification card requirements are now in various stages of rulemaking or initial implementation. Each contains security requirements, often including some smart card technology, and each is targeted toward a specific user group, such as government workers and contractors (through a Homeland Security Presidential Directive, HSPD-12), transportation workers (through the Transportation Worker Identification Credential, or TWIC), and the general public (through driver’s license standards called REAL ID). Our focus is on government’s experience in implementing HSPD-12 and how it may spur smart card growth in private industry.

Although smart card projects in the federal arena were initiated as early as a decade ago by the Department of Defense, high implementation costs and a lack of interoperability standards prevented wide-scale adoption of smart cards across government. The rules changed, however, when President George W. Bush issued HSPD-12 in August 2004. The directive forced the government and industry to address many of the barriers to large-scale smart card deployment.

The directive requires the government to issue a common, smart-card-based identification credential to all federal employees and contractors. The card must be able to allow physical access to federally controlled facilities and logical access to information systems. The accompanying technical standard represents a large leap forward in the development of an interoperable standard for smart cards focused on improving security for physical and IT access to federal facilities and networks.

Agencies and industry partners worked feverishly for two years to align the programs, funding, and technology to begin issuing the cards last October. The transition, however, has been far from smooth. Some agencies did not meet the deadline at all. Of those that did, some issued only a handful of cards. And when compliance testing was conducted by the General Services Administration (GSA) shortly after the deadline, many cards failed to meet the required standards.

Cards failed for a variety of reasons, major and minor. One example of a serious problem was that card information was encoded in the wrong order, making interoperability impossible.

In January, additional testing found lingering problems. Agencies now have until October 2008 to issue compliant cards to their entire employee and contractor base. Agencies that still have problems face the greatest challenges, but even those that passed the first test by issuing a small number of compliant cards face new hurdles, such as the logistical issues arising with a nationwide rollout and the difficulties of integrating the new technology with legacy systems, or replacing them altogether.

Logistics
One of the biggest challenges facing government agencies is the nationwide rollout. The problem is that to implement nationwide credentialing, agencies need enrollment centers across the country. Though an agency might employ fewer than 1,000 people nationwide, it must still keep regional centers open to manage the card system, which can be expensive.

A number of companies are trying to do that by establishing enrollment centers that multiple agencies can use. Each agency would pay a fee for each person issued a card.

No single vendor has established a working center yet, but the GSA expects a total of 225 enrollment stations across the country. These centers could also fuel private-sector interest once they are established.

Protection of data is another consideration. There are extensive security and privacy protections called for under the HSPD-12 system, based on hardware, software, and policy. Communications between the enrollment workstations and the identity management system must be secured. Enrollment data will be encrypted and protected in storage and in transit.

Multifactor authentication is also required to access the enrollment workstations and submit data from the enrollment application, ensuring that only trained, authorized individuals can submit data.

Integration
HSPD-12 calls for use of ID cards for physical and IT access. Agencies will have flexibility in migrating their legacy access control systems to the new smart cards. Agencies are trying to avoid the costly and time-consuming process of tearing out their existing card readers, panels, or entire systems and replacing them with newer technologies. To ease migration pains, these agencies have several options.

One option is to install readers that can handle current card technologies and smart cards. Another option is to deploy smart cards with multiple technologies. GSA intends to offer agencies the option of purchasing cards that contain a 125 kHz proximity coil in addition to contact and contactless smart card chips. These multitechnology cards would allow users to present the same credential to gain access at doors with either type of reader.

Concurrently, agencies must use the new smart cards for IT access control. Traditional user names and passwords are not very secure. While certain software systems can prevent users from selecting easily guessed passwords, any reusable password is vulnerable to attack—and to compromise when users write them down or use the same password across multiple systems to avoid having to memorize numerous passwords.

A smart card with multifactor authentication can enhance IT access controls. Password security represents single factor authentication through the use of something you know. Smart cards also support the use of a second or third type of authentication, something you have—the smart card—and something you are—biometrics stored on the card. Built-in encryption, along with tamper- and counterfeit-resistant card features, can offer a high level of user authentication.

Links between applications using smart cards offer additional benefits. For example, an agency can prevent someone from using a card to log on to an agency computer system unless that card was also used to physically access the building. Such card options are already on the market. Government’s dual use of smart cards for IT and physical access control is likely to increase the trend toward this convergence in private industry as well.

ID Management
Most organizations manage a great deal of identity information for their employees, typically housed in multiple systems with little interconnectivity or synchronization. The growing focus on identity management acknowledges that a person’s identity is constant and can stay with an individual regardless of how access rights change over time. This is driving a shift to a more centralized identity management approach, where a person’s identity data is updated and maintained through a common model and shared with systems as needed.

Privacy. With the REAL ID Act’s national driver’s license, there remains concern that the data would not be secure either on the card or in the database repositories.

DHS recently published its notice of proposed rulemaking for driver’s license IDs. It calls for a great deal of personal data to be stored in bar code technology in REAL ID-compliant licenses. It does not require that the data be encrypted. A top concern is that the credential would allow various entities and technologies to read the data from the card. This is also a concern with RFID technology planned for use in the Western Hemisphere Travel Initiative.

HSPD-12 is vastly different. On the HSPD-12 card, the only piece of data that can be freely read from the contactless interface is the cardholder unique identifier, a number that isn’t tied to a Social Security number. Contactless smart cards also have a much shorter read range than other technologies, such as those being used in REAL ID and other programs.

The fingerprint biometric can only be read from the contact interface, requiring a person to physically insert the card in a reader. The person then places his or her hand onto another reader so that the live print and the stored print can be compared; the applicant must also enter a PIN.

Numerous agencies and privacy groups worked to design strong security and privacy controls into the HSPD-12 standards. In contrast, a great deal of work remains to be done to devise a secure way of sharing data for the REAL ID program without hindering the ability of law enforcement to access that information.

A well-founded concern about the REAL ID program is the lack of protections for information both when stored in the databases and during transfer between states.

To fully leverage the capabilities of smart cards in the future, it will be important for stakeholders to continue developing standards and working toward interoperability for smart-card systems.

Whether the private sector will embrace smart cards remains to be seen. The federal government clearly sees a benefit to the technology. Through its combined programs, the government is expected to issue 20 million smart card or chip-based credentials over the next two years. Industry no doubt will be watching how this government experiment unfolds.

SYNOPSIS
A number of federally mandated identification card requirements are now in various stages of rulemaking or initial implementation. Each contains security requirements, often including some smart card technology, and each is targeted toward a specific user group, such as government workers and contractors, transportation workers, and the general public.

One such directive is HSPD-12. The directive requires the government to issue a common, smart-card-based identification credential to all federal employees and contractors, and it is forcing the government and industry to address many of the barriers to large-scale smart card deployment. The card must be able to allow physical access to federally controlled facilities and logical access to information systems.

Agencies and industry partners worked feverishly for two years to align the programs, funding, and technology to begin issuing the cards last October. The transition, however, has been far from smooth. Some agencies did not meet the deadline at all. Of those that did, some issued only a handful of cards. And when compliance testing was conducted, many cards failed to meet the required standards. Those that failed did so for a variety of reasons, major and minor. One example of a serious problem was that card information was encoded in the wrong order, making interoperability impossible.

In January, additional testing found lingering problems. Agencies now have until October 2008 to issue compliant cards to their entire employee and contractor base. Those that still have problems face the greatest challenges, but even agencies that passed the first test by issuing a small number of compliant cards face new hurdles, such as the logistical issues arising with a nationwide rollout and the difficulties of integrating legacy systems.

Shelly Hartsook is a consultant with the security and identity management solutions practice at BearingPoint, Inc., in McLean, Virginia. Gordon Hannah is managing director and solution leader of the security and identity management solutions practice with BearingPoint.