According to several sources, NIST angered some officials by ignoring proposals made by the Interagency Advisory Board, a group of representatives from agencies with smart card programs. They say the IAB's suggestions were largely left out of NIST's updated spec, released for comment Jan. 31.
Lisimaque says the Jan. 31 proposal did take into account earlier comments about the original spec NIST released in the fall, and now specifies only the minimum required to ensure interoperability. What NIST did not include, was the IAB's proposal for a migration path from current GSC-IS implementations to the new ID standard. NIST's Dray says a migration path will be proposed after officials agree on the spec.
The IAB made its discomfort clear last month by informing NIST that it did not concur with the latest proposal. Although IAB's approval is not required, NIST clearly would prefer the agreement of the agencies that must implement the standard.
The clock was ticking. The policy document setting out the framework for the ID standard, FIPS 201, was due to be approved early this month. The more controversial document that will provide details on the smart card technology, Special Publication 800-73, is expected to come several weeks later. Sources said late last month that a compromise was in the works that appeared satisfactory to the major players.
The most pressing deadline is the one coming in October, when agencies are supposed to start complying with the new standard. However, the presidential decree says agency heads should comply by that date "to the maximum extent practicable." That may provide an out if the government decides to allow a longer transition to the new technology.
If there is a lesson for other governments, it may be to try to set your ID card standard before agencies are too far along in their deployments to easily modify their systems. Otherwise, expect howls of protest and lengthy negotiations over how to convert and who is going to pay.