Smart-card pilots reach technical liftoff
Over the past decade, about 60 federal agencies started making plans to issue smart cards to their employees. Most are still at the drawing board.
“No one yet has undergone full implementation,” said Michael R. Brooks, director of GSA’s Center for Smart Card Solutions.
Money is short because the administration wants to consolidate agencies’ IT projects. But a lack of money for smart cards isn’t the only constraint.
“We didn’t find one [vendor] who could meet our requirements” for full implementation, said Lolie Kull, program manager for the State Department’s Access Control Smart Card Implementation Project. “We’ve been working on smart-card technology for seven years.”
Kull said she originally expected to put smart cards in the hands of 20,000 State employees in the metropolitan Washington area by June. It could still happen this fall.
State’s pilot began in 2000, when 250 people in Kull’s office and the diplomatic security and IRM offices tried out smart cards with hand-geometry scanners. Kull said it had already taken her almost five years to get into pilot phase. She expected the successful trial to move things along faster.
During those five years, Kull made plans to upgrade the department’s existing access-control system, from Ultrak Inc. of Lewisville, Texas, so that workers could swipe smart cards instead of ID badges through turnstile readers.
In 1998, she asked Software House of Lexington, Mass., a subsidiary of Tyco International Ltd. of Bermuda, for help with the pilot and full implementation.
By 2000, Software House’s Sensormatic physical access system could work with smart cards if an adaptable reader was installed. But Software House didn’t have a reader or badging system, so “we had to find another company that could provide that,” Kull said.
State is now installing readers from XTEC Inc. of Olathe, Kan., to compare smart-card information against a database stored in the Sensormatic system.
“When you issue the card, you issue access privileges,” Kull said. “The reader looks at the privileges in the database.”
Eventually, Kull hopes the readers can be upgraded to scan biometric identifiers. “We’re using personal identification numbers initially,” she said.Meets standards
The Sensormatic system in 2000 met the National Institute of Standards and Technology’s Government Smart Card Interoperability Specification. It now conforms to NIST’s 2.0 specification.
“The vision is to be interoperable with all agencies that will be using the same specification,” Kull said. She declined to give her initial or current estimates for the cost of smart-card distribution. “I’m not sure what the final cost is going to be,” she said.
Randy Vanderhoof, president and chief executive officer of the Smart Card Alliance of Princeton Junction, N.J., said that is common. “When agencies are putting their budgets together, it’s easy to quantify the cost of the readers,” he said. Costs of integration and other requirements usually come up later.
Agencies that issue cards, for example, might not want to add biometric identifiers until standards have been accepted, he said.
The NIST specification does not cover biometric-enabled or contactless cards.
When Kull’s office begins issuing the 20,000 smart cards this fall, about 2,000 will have digital certificates embedded in their chips. State doesn’t have the money to put digital certificates in all the cards yet, she said.Standards keep changing
In view of ever-changing technology standards, compliant devices wouldn’t necessarily be available even if agencies started ordering in great quantity, GSA’s Brooks said.
“Let’s say I want 20,000 smart cards and readers, and the Treasury Department and the rest are doing likewise,” Brooks said. “We may overtax the industry.”
The Patent and Trademark Office started a pilot last December, issuing 30 smart cards to IT staff, security officers and one remote user in a finance office in Florida. PTO will issue more certificates in stages to its 7,000 employees, including teleworkers and those moving next year to a new office in Alexandria, Va.
PTO started its pilot with the goal of embedding digital certificates to secure transactions and eventually for physical access. The pilot is over, but the agency doesn’t have the money for full implementation.
Larry Cogut, director of systems engineering, said the initial investment is high. He estimated a card issuing system, cards and readers from Datakey Inc. of Minneapolis would cost $700,000. But he said PTO needs to consolidate with smart cards because some employees have to carry around as many as five identification cards for different uses.
The Transportation Security Administration and the Federal Emergency Management Agency also are planning smart-card pilots.
Brooks said they recently enlisted GSA’s help. But money will have to come from other programs to pay for the pilots.
“We will have to redirect money to at least start the ball rolling until we can support it with budget dollars,” Brooks said. “That may take a year and a half to two years.”
Connect with the GCN staff on Twitter @GCNtech.