SMART CARDS AT THE STATE DEPT.
Pick a door, any door, and procure a solution that will authenticate the movement of users through it. Now leverage that function worldwide, add in four wieldy federal agency administrations, numerous subcontractors, an IT component, and increase the number of users to 35,000 — without dropping a security stitch.
That is the current scope of the smart card and access control implementation project — begun some eight years ago — that Lolie Kull manages for the State Department’s Bureau of Diplomatic Security. This year, the department is close to realizing the first leg of its ambitious security goal: equipping 20,000 U.S.-based Department of State employees and contractors with “smart” identification cards that provide a range of authentication, personal identification and security solutions.
A Multi-Player Endeavor
The Department of State has undertaken the smart card project through an interagency agreement with the Department of Transportation, Research and Special Programs Administration, and the Volpe National Transportation Systems Center, which is managing the project for the State Department under the guidance of project manager David Lecraw. “We provide the funding to the Department of Transportation,” Kull says, “and we work hand in hand with them to provide oversight to define requirements and to ensure they’re met, while it’s the Volpe Center that oversees the contractors.”
According to Kull, the sheer complexity of the project is its most challenging and exciting aspect. “Security requirements and the scope of our project are never static,” she says. “We’re adding new buildings and people are moving from place to place all the time, requiring different access privileges — it’s sort of like shooting at a moving target, so to be able to define what you need from the beginning is difficult, but imperative.”
“There were a number of things prompting the initiative,” Kull continues. “When we first began looking for a new authentication solution about eight years ago, we were really seeking something that would serve more than just that one function — that would be more than just an ID card that got you in a door. We wanted a multi-functional tool,” she says.
Kull says the State Department’s access control system at the time was aging and needed to be upgraded or replaced to keep pace with the Department’s evolving security needs. The Department needed to issue cards to both employees and visitors and sought an access control system flexible enough to handle that volume. It also required cards on which additional information could be stored and which would allow interoperability with other federal agencies and departments.
A variety of manufacturers supply the components that make the system hum, Kull says. TASC, a division of Northrop Grumman, is the prime contractor for the project, responsible for design and installation of a Software House access control system. The card issuance and management system and card readers are provided by Xtec, while DataKey provides the cards themselves and Eltron supplies card printers.
At the heart of the solution are the “smart” 32k chips, embedded in the access cards, that provide the opportunity to read, write and store unique identifiers and personal information securely.
“You can think of it like a file cabinet,” Kull says. “One file might contain access control privileges, another might contain emergency medical information such as a rare blood type, and another might contain a copy of your travel orders.” Kull goes on to explain that two current and key functions of the cards are access control to buildings and storage of Public Key Infrastructure (PKI) certificates for computer functions. Like digital keys for documents, PKI certificates are used to sign or encrypt (effectively “lock”) a document: signing verifies the sender, and encrypting ensures the document can be opened only by someone with the ability to unlock it.
There are approximately 35,000 employees and contractors who work for the Department of State worldwide, with some 20,000 in the United States. Kull says U.S.-based personnel will receive the cards first, and overseas personnel will receive theirs upon their return. There are no plans to go abroad to issue cards, so complete issuance will take two to three more years.
Proprietary’s Out; Interoperable’s In
The State Department is not alone in Washington in the push to step up personal identification of federal employees and associates: The Department of Defense, GSA and the Department of the Treasury have undertaken massive card deployments of their own, and State is working with those agencies on interoperability so that the card can be used with other agencies’ systems. Kull says that various technological and policy safeguards must be in place for such wide-scale integration to succeed.
“I think the Department of State has the unique capability of [exploring interoperability] because we have other agencies that work with us on a regular basis in our buildings, so we can take other cards and put identifiers into our system, but the policy has to be in place,” she says. “Just because someone is a Treasury, a DoD or a GSA cardholder is not enough — people in the building must be good employees and be alert to whether someone is supposed to be in the space or not. Ultimately, it’s that need to be vigilant from a security perspective.”
The cards and access systems provide each agency the opportunity to securely embed information they want and to then access it in kind. “You can’t prevent someone from hacking in forever,” Kull says, “but you will deter people through encryption.”
For a project of this complexity, it is critical to be able to sit down and define requirements from the beginning — in terms of cards, access systems, readers, employees, visitors, et al. — and to be able to get all the players — whether contractors, manufacturers or agency personnel — together to work in concert as a strong team to complete the security mission. All this must occur without having people pursue their own agendas.
But for the State Department, the smart card implementation project has by no means been a one-stop solution, and perhaps, Kull suggests, the access control industry could learn a lesson from it. “One of the most difficult things from an access control perspective was that we were initially under the impression we could go out to an access control company and buy an off-the-shelf product that would give us a smart card system, and it just didn’t exist then,” Kull says. “Access control companies have been extremely proprietary-minded in the past — wanting to keep their company and their systems separate from everyone else’s with the mindset that if we tell you our secrets you won’t buy our products, or someone else will take our ideas and make them work for their system.”
Kull suggests the current push toward interoperability in Washington is a good indicator for access control companies: “When you look at the requirements from a federal government perspective — my being able to go to the Pentagon and show them my card and having them be able to read it and then grant or not grant access privileges — then proprietary systems have to be a thing of the past. Access control companies have to grow with the future and allow cards and readers and systems to function in an open architecture way.”
Kull adds that one of the biggest lessons learned from this project is that managers must be able to accept when things have to change: “Once you’ve made a decision and you realize you need to make some changes or re-define some aspects of that decision, you shouldn’t be afraid to do so: You’ll still be aiming at the same end — it’s only the way you get there that may be different.”