Feds Eyeing One Access Model for All

A mandate from President Bush has required the entire federal government to adopt common technology

The Department of the Interior's E-Authentication project, which began with the Bureau of Land Management, is seen as an important bellwether for the effort to combine physical and logical access, Filbey says.

VeriSign is the digital-certificate and managed PKI service provider for the project, ActivCard is supplying smart cards and middleware, and Microsoft's Active Directory is the repository for user permissions, says George Schu, VeriSign's vice president in the public sector group. Later this month, Secretary of the Interior Gale Norton is expected to inaugurate the agency-wide use of the smart card for network and building use, he says.

IT vendors, while glad the president's security memo envisions a defined standard for the entire government (though some high-security operations likely will be excluded), are carefully watching to see what smart card, PKI, biometrics and other standards are published by next spring.

NIST has published the "Government Smart Card Interoperability Specification 2.1," says Brett Michaels, RSA Security's director of federal systems. But that could change because the current smart-card specification lacks needed details on "how to populate the card," Michaels says. "We want more specific guidance."

The Defense Department's Common Access Card, for which Netscape and RSA supply digital-certificate technology and Axalto and others the smart cards, is based on the department's aging Defense Enrollment Eligibility Reporting System, which is not likely to be the model for other agencies, he notes.

According to Mary Dixon, deputy director of the Defense Manpower Data Center in Seaside, Calif., the total active population holding the Common Access Card was 3.1 million as of July, with approximately 10,000 to 12,000 cards issued each day.

The card is used to gain logical access to the department's computer networks and systems, and it's anticipated it will be used to enable physical access to buildings and controlled spaces. However, the Defense Department "will be required to comply with the standard" published as a result of the presidential directive, Dixon says.

That means the Defense Department and other agencies with smart-card projects for identification might retire them for whatever technology is mandated.

The department has spent $1 billion on smart cards and their implementation, says Shannon Kellogg, RSA's director of government affairs, and the question now is whether the presidential directive, which is expected to result in mandated smart-card use, will be funded adequately.

Kellogg says implementing the new requirements will be an enormous project for years to come.

Agencies just becoming aware of the scope of the presidential memo - which asks them to establish programs within four months after the standards are issued and be ready "to the maximum extent practicable" to go operational for logical and physical access within eight months - say they back the idea of the common standard for identification and will plan for it.

"I see the need for this," says Joe Scavetti, chief information security officer at Pension Benefit Guaranty, the federal corporation Congress set up in the early 1970s to provide pension insurance plans and carry out related responsibilities. Scavetti says the agency has begun looking at PKI-based smart-card access and will follow the standards defined by the inter-agency groups working on this.