[LINK] US Gov Smart IDs slow to catch on

stephen at melbpc.org.au stephen at melbpc.org.au
Wed Feb 24 09:00:46 AEDT 2010


Smart IDs slow to catch on

By TIM KAUFFMAN | Last Updated: February 21, 2010 
<http://www.federaltimes.com/article/20100221/IT03/2210310/-1/>


Six years ago, President Bush sought to equip all employees and 
contractors with high-tech identification cards that would tighten 
security at federal buildings and on computer networks.

But that effort has largely failed so far to live up to its promise.

Nearly 1 1/2 years after employees and contractors working at federal 
facilities were supposed to have been issued the new IDs, about 1.1 
million still do not have them: Just 42 percent of employees and 
contractors at non-Defense agencies have received the cards. 

And only a handful of federal agencies have readers and other 
infrastructure installed that can make full use of the personal data 
embedded on the cards, such as fingerprints and personal identification 
number codes.

"Absent those uses for the card, the card is worthless. So we need to put 
it to work," said Scott Glaser, a senior program manager in charge of 
physical access controls at the General Services Administration's Public 
Buildings Service.

Governmentwide, 82 percent of the 6.2 million employees and contractors 
required to obtain the enhanced-security ID cards had received them by 
the end of 2009, falling short of the original mandate to have all cards 
issued by October 2008. Most of the progress has occurred at the Defense 
Department.

There's been even less progress in using the cards to secure access to 
buildings and computers. 

Only a relative handful of the government's 400,000 owned and leased 
facilities have card scanners and other technology needed to read the 
personal data encrypted on the cards and detect automatically whether the 
card holder should be granted access to the particular building or 
office. 

The IDs include a computer chip that holds at least four pieces of data 
to verify the cardholder's identity: two fingerprints, a personal 
identification number the cardholder would know, an identifying number 
unique to each card and a digital signature.

A major hurdle, federal managers say, is that agencies lack money to 
purchase and install the readers and related technology. 

The Bush administration issued Homeland Security Presidential Directive 
12 (HSPD-12) — the presidential order requiring the governmentwide 
rollout of smart IDs — in 2004 without providing any additional money for 
agencies to perform the more robust background checks on their employees 
and contractors that were required, to purchase the cards or to purchase 
and install the systems needed to use the card's enhanced security 
features.

"This was an unfunded mandate," said Bob Shaw, director of security at 
PBS.

More progress has been made in using the cards to access personal 
computers and laptops since that requires less investment. 

Defense, State and some other departments require employees to use the 
cards rather than passwords to log in to their computers.

Requiring employees to use the cards to access computers had an immediate 
impact at Defense: Intrusions to the department's unclassified networks 
dropped 46 percent after all employees began using the cards to access 
computers in 2006.

Agencies are "just getting through the issuance of the cards," said Mary 
Dixon, director of the Defense Manpower Data Center, which manages card 
issuance at the Pentagon. 

"Now it's a matter of, how do I use this in a way that makes sense so 
this is not just a card that I hang around my neck, but I'm actually 
using it."

Defense officials have already found other uses for the cards:

• Managers use them to digitally approve travel claims, leave requests, 
fitness reports and other work documents, which expedites approvals and 
saves paper.

• Employees use the cards to open encrypted e-mails containing sensitive 
or personally identifiable information.

• Employees can use them as cash cards for approved purchases. For 
example, Marines entering boot camp can get cash advances loaded on them.

• Employees can use them to ride local subway trains and buses. For 
example, Defense employees in Utah receive mass transit subsidies on their 
cards and use them when commuting under another pilot that likely will be 
expanded to other metro systems.

Vivek Kundra, federal chief information officer, said the number of cards 
issued to federal employees and contractors increased 65 percent last 
year, indicating that the Obama administration and agencies are focused 
on the effort.

The Agriculture Department, for instance, increased the number of cards 
issued from 21,000 in October 2008 to more than 86,000 by the end of 
2009. The agency deployed card readers and related technologies at more 
than 150 of its facilities to manage facility access, a spokesman said. 
Still, the department has much to do in deploying card readers at all 
25,000 buildings it owns.

Neville Pattinson, vice president of government affairs and technology at 
Gemalto, a leading smart-card vendor, said it may still take a couple of 
years before all employees and contractors are issued smart IDs and even 
longer before agencies outfit their buildings with systems to accept the 
cards. "Each agency has a unique set of challenges, no question," 
Pattinson said. "Some are small, some are distributed. There is no single 
recipe that works for any of this."

The costs of outfitting the 9,000 buildings that the General Services 
Administration owns and leases for federal agencies will be passed on to 
tenant agencies through the rent it charges. GSA officials say they don't 
know how much it will cost to roll out the required technology, but it 
will be far less today than it would have been even a few years ago 
because of technological breakthroughs and an expanded marketplace.

"We are very pleased we're taking this slowly and methodically," Glaser 
said. "We're doing this methodically to be sure we have it right. We 
can't afford mistakes."

Input, an IT consulting firm, estimates that agencies will spend $500 
million this year on goods and services related to HSPD-12. Spending is 
growing at a rate of about 6.5 percent annually, said John Slye, 
principal analyst at Input. He said it's difficult to predict how much 
agencies will need to spend to fully implement HSPD-12 since agencies 
could generate substantial savings by taking advantage of economies of 
scale.

"Dollars isn't necessarily a good reflection of success. It's hard to put 
a full price tag on how much it would take to put a reader on every door 
and building," he said.

Besides the readers, agencies also must deploy systems capable of 
reaching into employee and contractor databases at other agencies so they 
can authenticate that a visitor from another agency has a valid card.

"Any card you want to present to me that was issued in the Department of 
Defense, I know immediately whether it's a good card or not. I have no 
clue for anybody at any other federal agency," said Dixon of the Defense 
Department.

Agencies also have yet to agree on the systems and approaches they will 
use to manage physical access, a process Dixon likened to the videotape 
format competition between Beta and VHS 30 years ago. Unless agencies 
adopted a common standard — which Defense and GSA have done — it's unwise 
to spend precious dollars on systems that may not comply, experts said.
 
--

Cheers,
Stephen


