A mandate from President Bush has required the entire federal government to adopt common technology to be used to identify employees and contractors accessing federally controlled networks and buildings.
Signed late last month, the Homeland Security Presidential Directive 12 seeks to establish a government standard for secure identification to protect against a litany of threats such as terrorism and identity theft. The memo instructs the departments of commerce, state, defense and homeland security to work with the White House Office of Management and Budget (OMB) and the Office of Science and Technology Policy to determine new standards and policies within six months.
With the order covering all contractors and federal employees, it's expected to cause a ripple effect across wide swaths of the technology industry and trigger massive purchases by federal agencies. The initiative could impact "up to 60 million government and contractor employees," predicts Phil Libin, president of CoreStreet. CoreStreet's Realtime Credentials product is used for identity management and access controls for physical and logical systems.
While the presidential memo doesn't specify technologies, security experts within the government say the likely outcome will be smart cards that can make use of public-key infrastructure (PKI) digital certificates and biometrics to authenticate identity.
A smart card is a plastic device about the size of a credit card that contains an embedded circuit chip that can store and process data such as a unique digital certificate issued to a holder to verify identity through the PKI-based encryption process.
"There's confidence in PKI as a foundation for what we're doing," says David Filbey, chief information security officer at the National Archives and Records Administration (NARA), who also participates in the inter-agency Federal Identity Credentialing Committee established by the OMB last year to chart a course on combined physical and logical access. NARA, which has about 3,000 employees and 2,000 contractors, manages government paper and electronic records for the agencies.
Filbey notes that today if he shows his NARA federal badge at another agency "it means nothing." But a smart-card-based proof of identity, using a digital certificate and a fingerprint-verification technique to remotely authenticate the bearer, could provide entry to computers and buildings at other government agencies.
Filbey says the effort to determine a common access standard that would be published by the National Institute of Standards and Technology (NIST) has been ongoing for a year at the OMB committee on which he serves.
The Defense Department's PKI-based Common Access Card, which holds a user's digital certificate to authenticate to a computer network, has been the starting point for ideas, Filbey says. But the upcoming set of federal standards also likely will include options for biometrics, such as fingerprint identification, he adds.
The market is making it easier to use smart cards because hardware manufacturers typically ship laptops with card readers, Filbey says.
Some companies, including Johnson & Johnson and Microsoft, are adopting PKI-based smart cards for combined physical and logical access, but this type of authentication remains in the future for most organizations. And despite the government's best intentions, its own track record with smart cards is decidedly mixed.
According to a report published this month by the General Accounting Office (GAO), the government's watchdog agency, 28 of the 52 smart-card projects that federal agencies had ongoing in January 2003 were folded into other pilots or were discontinued by June 2004 because they weren't seen as feasible. According to the GAO report, only nine of the remaining smart-card projects (see graphic) are expected to result in sizable distribution of smart cards to employees and others for access to buildings and computers.