Smart Card Update: Two Months to PIV II
Just two months before the Oct. 27 deadline for the implementation of the federal government’s new smart card ID and access control system, federal agencies are racing to test and tweak the technology underlying their applications.
The Department of Defense (DoD), for example, is right now conducting pilot tests at 10 sites. “Each of the services and some defense agencies are collecting data for us,” says Lynne Prince, acting director of the DoD Access Card Office in Washington, D.C. “We’re testing the technology at different kinds of sites, some doors, some gates, some computers. We want the test sites to answer questions. How hard is it to bring physical access systems into compliance? What do they have to do? How do the contactless cards work? Will vendor cards work with the system?”
DoD is different from many other federal departments and agencies in that it has been using smart access control cards and technologies across its department for years.
About three years ago, President Bush issued Homeland Security Presidential Directive 12 (HSPD-12), which ordered federal agencies to come up with a common identification card for all federal employees and vendors. Under the Federal Information Processing Standard or FIPS 201, which set the technical standards for HSPD-12, the new identification and access cards must display the cardholder’s name, photograph, organization, serial number, expiration date and other information related to the cardholder’s agency and department.
The cards must also work with both physical and logical access control systems, carry two fingerprints for biometric authentication, contain both contact and contactless interfaces, and interoperate across federal agencies when necessary.
The smart card chip must store a personal identification number (PIN), a Card Holder Unique Identifier (CHUID) and an authentication key. Oct. 27 is the deadline for 1,000-plus departments and agencies to be ready to issue these smart cards to more than 2.5 million federal employees and another 2 million or so military personnel, whether on active duty, in the Reserves, or in the National Guard.
Employees of vendors that regularly visit federal departments and agencies must also carry the new cards. No one is quite sure how many people work for the hundreds of thousands of vendors that serve the federal government, but the defense department numbers its outside contractors at 300,000.
Thanks to its existing card access program, DoD has become something of a model for other departments and agencies that are installing the technology for the first time or upgrading existing systems.
For the past two years, federal departments and private vendors have been ironing out the details related to the new system. Two deadlines have controlled FIPS 201 implementation: Personal Identification Verification I and Personal Identification Verification II or PIV I and PIV II.
Largely completed in October of last year, PIV I described what kind of information federal agencies would need to collect from employees, appropriate background checking procedures and required documentation prior to card issuance, as well as privacy guidelines. “Essentially, PIV I focused on infrastructure, enrollment, identity proofing and identity vetting,” Prince says. “It required us to acquire and install the technology and the infrastructure to check backgrounds and to capture fingerprints. We had to submit our plans for this to the Office of Management and Budget (OMB), and they approved the plan. We were in compliance with the PIV I deadline as of last year.
“This year, one year later, on Oct. 27, we must comply with PIV II, which means issuing our first PIV-compliant card,” Prince adds.
As the implementation stage of the program, PIV II requirements are more technical. They require finding and configuring readers that can talk to smart cards carrying public key infrastructure (PKI) credentials for cryptographic log-ons, personal data, photo and fingerprint biometric data, and a cardholder unique identifier (CHUID). Most importantly, the readers must interoperate from department to department and agency to agency throughout the federal government.
Since DoD is already using a smart card, it is receiving different treatment than other agencies in PIV II. “We have a legacy card out there,” Prince says. “So we’re entering a transitional phase from one card to another rather than the end point (of an initial installation). This plan has been approved by OMB, which is approving plans made by all federal government agencies and departments.”
The DoD’s 10 pilot tests are key to the transitional strategy. Despite its experience with large card access systems, DoD had never used contactless technology, and FIPS 201 requires cards equipped with both contact and contactless technology. Moreover, FIPS 201 permits the use of two types of contactless technology. One employs two chips, one for contact operations and the other for contactless. The second is a dual-interface chip, in which a single chip handles both contact and contactless reader interfaces. DoD elected to use the dual-interface technology. The pilot tests are trying out various technical configurations of dual interface systems, as well as systems provided by different vendors.
“As we issued new cards, we asked the services to participate in pilot tests,” Prince says. “We’re doing this at 10 sites now throughout DoD, at each of the services and some of the defense agencies.” Pilot test applications include doors, gates and other physical access barriers. When the tests are completed, Prince says, the office hopes to have a better understanding of how to educate its constituencies about card features.
But implementing PIV II of FIPS 201 won’t be the end. “The challenges will continue,” Prince says. “We will have to come to terms with costs, sizes and interoperability between departments at both the physical and logical levels.”
The next challenge will be turning the system on across the federal government.