Clock Is Ticking on U.S. Government ID Cards

Standards will set how world uses smart cards, timetable gets closer on this major project

Under orders from U.S. President George Bush to create a new standard ID card for government employees and contractors by February 2005, officials have set an aggressive schedule for developing a draft proposal that is sure to be based on current government smart card programs. Then they must seek comment and refine the draft document.

"This usually takes about two years," says William C. Barker, program manager for the ID project at the National Institute of Standards and Technology. "We will do it within six months."

Once the document, known as Federal Information Processing Standard (FIPS) 201, is approved, U.S. agencies will have eight months to begin implementing it. While it is not clear exactly how many individuals will receive the new ID cards, Barker says the best estimate is 7 million. About half of them are employees of companies that do business with the U.S. government, and the rest are government workers.

The impact of FIPS 201, however, is likely to be felt far beyond the borders of the United States.

Global standard?

As one of the earliest large-scale implementers of smart cards for use as employee IDs, the U.S. government has already proposed its existing smart card protocol to the International Organization for Standardization as the basis for a new ISO standard. And government officials say they are in talks with Microsoft Corp. about incorporating U.S. requirements into future versions of Windows, a step that would go further than any ISO committee's approval toward creating a common model for ID cards worldwide.

While Barker calls the deadlines outlined by Bush's order "extraordinarily aggressive," a working paper issued by his group nonetheless advises government officials that the project "should be treated with extremely high priority." That is because the Aug. 27 presidential order placed the ID project in the context of combating terrorism by better securing government facilities and computer networks.

Starting point

Fortunately for Barker and his colleagues, the U.S. government is hardly starting from scratch. Several U.S. agencies have begun issuing smart cards to their employees, led by the largest of them all, Defense, which is 91% of the way to issuing a chip-based Common Access Card to the 3.45 million civilian and military employees and government contractors who need it.

The projects at Defense and other agencies provided the basis for NIST's Government Smart Card Interoperability Specification, or GSC-IS, which is aimed at ensuring that smart card IDs can be used throughout the U.S. government.

It is the GSC-IS protocol that a new ISO smart card committee last year agreed to consider as the starting point for a new international standard for employee ID cards.

The U.S. government was instrumental in getting this ISO 24727 committee launched on a fast track. But even before that committee adopts its first set of specifications, the sheer "momentum and size" of the U.S. government ID card project could turn it into a global de facto standard, says Olivier Piou, president of France-based Axalto, a major supplier of the Defense Department's Common Access Card.

The work of the U.S. government, combined with the product of the new ISO committee, could deliver what amounts to a worldwide ID card application, roughly comparable to the GSM application on SIM cards and EMV for chip-based credit and debit cards.

The GSC-IS spec is about to embark on a shakedown cruise to identify any errors or ambiguities. That will be in the form of a "reference implementation" at the Department of Homeland Security due to begin this fall.

"We're filling the holes in a standard," says Joseph Broghamer, the security architect in the office of the chief information officer at Homeland Security.

The goal is to issue and use GSC-IS in a live setting, creating a model that others can follow. At the same time, Homeland Security will be exposing the government interoperability spec to attack for the first time in a live environment.
