The GSA's Smart Card Security Prototype

One of the U.S. government's largest smart card security systems is located in the heart of lower Manhattan, just eight city blocks from the World Trade Center Ground Zero memorial site. The smart card system controls access into the mammoth Jacob Javits Federal Building. At 2.4 million square feet, the Javits Federal Building is the government's second-largest civilian building, after the Ronald Reagan Federal Building in Washington, D.C. The system extends to another federal building, also in lower Manhattan, to bring the total covered floor space to almost 3.5 million square feet. Approximately 35 federal agencies and their 13,000 employees and contractors work out of the two buildings.

The system was created and is managed by the General Services Administration. The GSA has been the executive branch's lead agency in the purchasing and use of smart cards since the federal government began investigating the technology in the mid-1990s. As an extension of its smart card mandate, the GSA's Northeast and Caribbean region took the lead in developing what has become one of the largest smart card security system pilots in the nation.

Thinking Big
Steve Ruggiero, deputy regional administrator for GSA's Northeast and Caribbean region, has played a key role in overseeing the development of the New York City smart card pilot. According to Ruggiero, the GSA was researching smart card technology to develop expertise and resources it could make available to other federal government agencies. In 1998, the GSA's Federal Technology Service (FTS), in cooperation with the U.S. Navy, had already established the Smart Card Technology Center to demonstrate the application of smart card technology on a small scale.

Ruggiero and his team believed a larger, more practical demonstration of the technology was needed to make a compelling case for smart card adoption throughout the government. "We thought that the size and the complexity of the Javits Building would provide a perfect setting," recalled Ruggiero. "If a smart card system could work here, it could work anywhere."

Representatives from various regional GSA service lines, including the FTS, the Public Buildings Service (serving as the primary landlord to most civilian agencies), the Federal Supply Service, and the Federal Protective Service (now part of the Department of Homeland Security), formed a working group that would hammer out the details of the proposed smart card system.

Dollars and Sense
The group spent the next two years developing a familiarity with the technologies, evaluating products and potential vendors, and securing the necessary funding. At that point, security-related projects, such as the smart card pilot, competed with a variety of other prominent projects for funding dollars. So rather than request special funding for the project, the group opted to use its existing budget and move forward at a conservative pace.

"At the same time, we were trying to address the social implications of this change," explained Ruggiero. Up to that point, each of the various tenant agencies, including the FBI, the EPA and HUD, was issuing its own agency-specific photo identification badges to its employees and contractors based on differing badge formats and background security evaluation criteria. The Javits Building's antiquated electronic access control system had outlived its usefulness, so visual identification was the primary basis upon which individuals were granted access into the buildings. Facility security personnel were faced with the challenge of spotting invalid or counterfeit badges from a range of 30 to 40 different badge types used daily by thousands of individuals.

A Brave New World
Then, in September of 2001, disaster visited the GSA's prominent neighbors less than a mile away. In the midst of the work group's planning, the World Trade Center towers fell to the ground. "Our project was no longer perceived as a theoretical exercise," said Ruggiero. "The urgent need to increase security at federal buildings was now a priority issue." The group continued its outreach effort to the various tenant agencies and issued a request for proposal to the government's five smart card system providers. The contract to design and install the system was awarded to Maximus, one of the prime contractors that had extensive experience deploying smart card systems.

The GSA RFP stipulated that the smart cards would be used as access control credentials and that the system would have to comply with the Government Smart Card Interoperability Specification (GSC-IS), recently updated by the National Institute of Standards and Technology. "Up to that point, most government smart card programs relied on custom-developed, proprietary solutions," said Jeremy Grant, an engineer with the Federal and Intelligent Technologies Division of Maximus. "Our challenge was to provide the GSA with a leading-edge, commercial off-the-shelf smart card access control system that complied with GSC-IS."

Partners and Products
Maximus partnered with security systems integrator ISR Solutions, which is now a part of Stanley Security Solutions, to acquire ISR's physical security technology product knowledge and installation expertise. Maximus and ISR first discussed which access control system could best meet the project's specifications. ISR recommended the Lenel OnGuard access control product. Grant explained, "We looked at the Lenel product and reached the same conclusion: that it had the best capability to implement the smart card system and would be able to expand to handle multiple buildings regionally or even nationally."

At the time, the Lenel system did not have the ability to encode the contact smart cards the GSA would be using. To resolve this issue, Maximus developed a middleware application that would enable the GSA's smart card administrator to issue and manage cards seamlessly with the Lenel application. To ensure the maximum reliable performance of the new access control system, the GSA purchased a high-availability, fault-tolerant redundant server from NEC. As a result, system downtime is less than five minutes per year.

The next challenge was the design and manufacture of identification readers to be posted at various places within the GSA buildings. One of the GSA requirements was that the readers be as transparent and aesthetic as possible. Ruggiero said, "We didn't want to build barricades." Additionally, the GSA specification called for readers that featured multiple identification technologies: smart card, fingerprint biometric, and PIN entry. "9/11 taught us that we needed to be able to ratchet up security on a moment's notice," explained Ruggiero. According to Scott Glaser, regional smart card administrator, this can be accomplished within a matter of seconds either on site or from a remote location.

"The GSA has already purchased a set of optical turnstiles and wanted the multi-technology readers to be embedded within them," said Tony Padilla, vice president and chief technology officer of ISR Solutions. Maximus and ISR reached out to BridgePoint, a manufacturer of custom smart card and biometric reader products. BridgePoint developed a reader that exactly matched the GSA specification and featured an embedded fingerprint reader module provided by Bioscrypt. Under normal circumstances, cardholders entering the Javits Building are required only to present their smart card. When a circumstance requires increased security, cardholders must also provide a fingerprint scan and enter their PIN.

Measure of Success
The GSA's New York City smart card pilot system went operational in November of 2003, nine months before President Bush issued Homeland Security Presidential Directive 12. HSPD-12 mandated that federal agencies implement "secure and reliable forms of identification" to increase the security of their facilities. To date, all of the agencies that occupy space in both of the New York City buildings have adopted the smart card and all accompanying policies, including policies and procedures for granting building access to agency contractors and volunteers. "It has been an exciting process to assist all of our tenant agencies in establishing uniform criteria for background security clearances prior to the issuance of HSPD-12," said Glaser.

"We've had very positive feedback from all of our tenants," said Ruggiero. "In fact, they asked us to mandate using the card plus the PIN in normal day-to-day operations." In keeping with the GSA's original mission to become the government's smart card application resource, the New York City pilot has become a popular destination for other federal agencies looking for successful uses of the technology. For example, a recent Government Accountability Office report (05-49) featured the pilot project as an example of how technology is being used to protect federal facilities.

Glaser said, "The access control system in GSA's Northeast and Caribbean region has become a state-of-the-art learning center for other federal agencies. We continuously strive to improve upon our technology, policies, and procedures to ensure that our systems provide the highest level of security."

Jeremy Zimmerman is a freelance writer based in Southern California.