GSA Wants Specifics on Smart Cards, Fingerprint Biometrics

GSA releases request for information on 128K smart cards


The General Services Administration has released a request for information to figure out when 128k smart cards will be available to the government and what type of fingerprint biometrics is best.

The agency is trying to collect information to help the Office of Management and Budget finalize requirements for the federal identity card called for in Homeland Security Presidential Directive 12.

OMB’s final implementation guidance for Federal Information Processing Standard 201, which lays out the two-step plan for agencies to develop interoperable identity smart cards, is under review and should be released “in the near future,” said an OMB official.

This RFI follows a broader one released by the National Institute of Standards and Technology in June.

“We were not sure where the industry was with biometrics and what is widely available,” said a GSA official who requested anonymity. “Some agencies need a lot of information on the cards and may need 128k cards, and we need to know how long it will take for them to be available.”

The RFI asks vendors to answer 16 questions on smart cards and biometrics. Questions about smart cards touch upon how 128k cards will interface with 64k systems, whether the cards will generate 2,048-bit encryption, and the cost of 128k cards versus 64k cards.

GSA also is trying to settle the debate between those who want to use image fingerprints and those who want minutiae fingerprint biometrics. The RFI asks vendors to address product availability, performance parameters of image devices, what minutiae templates and algorithms products support, and the cost differential between image and minutiae products.

“Minutiae is still too new, and there are no open standards that are tested and deliver to the performance we need,” the official said. “NIST is testing minutiae and plans to be done by February.”

In addition to the RFI, NIST yesterday released special publication 800-79, which provides guidance for certifying and accrediting the reliability of agency processes for issuing smart cards to federal employees and contractors. The procedures must comply with FIPS-201, Personal Identity Verification I. Agencies must have these processes in place by Oct. 26. Many agencies are modifying existing processes, industry and government experts say.

NIST said 800-79 is patterned closely after special publication 800-37, which provides guidance for certifying and accrediting information systems.

“Certification in this context means a formal process of assessing the attributes of a card issuer using various methods of assessment that verify that a card issuer is reliable and capable of enrolling approved applicants and issuing PIV cards,” NIST said in the publication.

The certification and accreditation processes consist of four phases: initiation, certification, accreditation and monitoring, NIST said. Each phase consists of a set of tasks that are to be carried out by specified agency officials.