With several U.S. government agencies issuing smart card IDs to their employees, there has been increased focus in the past year on making sure those cards can serve as identity documents throughout the government. That effort culminated in late August with the government's No. 1 employee, President George Bush, issuing a directive that sets an aggressive schedule for all agencies to issue a standardized and secure ID.
The directive did not specify a technology, but the widespread use of smart cards throughout the government leaves little doubt about what form that standard ID will take, observers agree. "It means a chip card in the hands of every federal employee and contractor," says Henry Dreifus, CEO of the U.S.-based Dreifus Associates consulting firm.
Underlining the political priority of the initiative, the presidential order places the ID program squarely in the middle of the fight against terrorism. "Wide variations in the quality and security of forms of identification used to gain access to secure federal and other facilities where there is potential for terrorist attacks needs to be eliminated," the directive states in its opening sentence.
The order then lays out a timetable for approving a standard for a mandatory form of identification to be issued to all of the U.S. government's more than 5 million civilian and military employees and to hundreds of thousands more employees of companies that work for the government. There are about 3 million U.S. military personnel and 2.7 million civilian employees, including some 700,000 in the massive Defense Department.
The Secretary of Commerce is given six months to develop the standard, a job that falls to the National Institute for Standards and Technology, a technology unit of Commerce. NIST this year issued version 2.1 of its Government Smart Card Interoperability Specification, and that spec likely will be updated to meet the requirements of the presidential order.
Within four months of that update, agencies must have programs in place for issuing compliant IDs. And within eight months after that, or no later than 18 months from Bush's order, agencies shall "to the maximum extent practicable" require use of the standard ID for physical access to government facilities and for authenticating individuals to computer networks.
The White House did not immediately make clear how agencies were to fund this initiative, which some say could affect how "practicable" the full and rapid deployment of new smart card IDs might be.
A government report last year predicted that the Defense Department, by far the largest U.S. agency, would spend $1 billion by 2005 on its smart card ID, including more than $700 million for PKI technology used for online authentication and digital signing of documents. Defense has issued some 5 million Common Access Cards, some no longer in use, in the largest project ever to use smart cards for network security.
A Common Approach
Still, the Bush order suggests high-level support for a standard smart card ID. The directive comes 13 months after an influential White House agency, the Office of Management and Budget, called for a single policy for issuing credentials for government workers and created the Federal Identity and Credentialing Committee to coordinate that effort. FICC issued a report in February encouraging broader use of smart cards and an end to "inconsistent approaches to both physical and computer security."
In fact, sources say, the presidential order was expected in the spring as a follow-up to that report. They say debates over funding and timing delayed the order for a few months.
But now that it has been issued, the directive represents a big step toward the kind of standard ID that many in the government and smart card industry have been working toward for years, says Tony Cieri, a former Defense Department official who now consults on government ID projects.