Culture hinders smart card rollout

The technology exists to create a governmentwide smart card program, but cultural issues and a lack of top-level management support stand in the way of implementation, experts said last week.

"It would probably be very difficult to standardize it from a management and policy perspective," said Joel Willemssen, managing director of information technology management at the General Accounting Office, speaking last week at a hearing of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

As of last November, GAO had identified 62 smart card initiatives in varying stages at 18 agencies. Agencies have different security clearance processes and access controls. One of the crucial next steps, Willemssen said, is to establish a governmentwide credentialing policy to streamline how employees are cleared.

"Once you set that policy, then the technology can follow," he said.

Introducing smart cards for physical or systems access is often met with hesitation, said Sandra Bates, commissioner of the General Services Administration's Federal Technology Service. People tend to like the feel of an identity card and want to visually verify the card on their own.

"We've identified that the technology's there," Bates told Rep. Adam Putman (R-Fla.), the subcommittee's chairman. "We're also talking now about a cultural change, and there are barriers. It's gaining acceptance and top-management support."

Putnam peppered the panel with questions about why the government wasn't further along in developing a smart card program. Many colleges have had access cards for several years, and he said he wasn't sure what was holding back the government.

"It's absurd," he told the panel last week. "We hear from all of you that the technology exists and culture is the biggest impediment."

The key issues are educating employees about the need for the devices and ensuring that senior executives support the program, Willemssen said.

But another significant challenge is obtaining the resources for infrastructure and software. The costs can be high, particularly if biometrics and public-key infrastructure technologies are included, he said. Costs, including contractors, card suppliers and systems that interface with existing systems, can be higher than anticipated.

The Defense Department, for example, budgeted $78 million in fiscal 2000 and 2001 for its Common Access Card program. DOD now expects to spend more than $250 million by the end of this year, Willemssen said. This cost does not include funding for card readers and middleware, GAO's report says.

Ken Scheflen, director of DOD's Defense Manpower Data Center, agreed. "The infrastructure costs and enabling technologies are the hard part because you really have to change the way people do business," he said.

The department completed the program's infrastructure in July and is currently adding the required hardware and software to the workstations. CAC is the most advanced smart card program in the world, Scheflen said, and can serve as a model for other agencies.

"We think it's a real success story," he said. "CAC and the infrastructure is a large and costly enterprise. DOD is fortunate to have the resources to do it."

One of the first steps is creating smart card standards for interagency interoperability, the experts said. Once standards outline common features of each card, agencies could add capabilities, Bates said. "Some agencies will always have unique requirements and traits, and that's OK, but you have to have a baseline," she said.

Developing a program based on standards will allow agencies to make the card as smart as they want it to be, said Benjamin Wu, the Commerce Department's deputy undersecretary for technology. "The sky's the limit," he said.

Officials at GSA and the National Institute of Standards and Technology have taken steps to create those standards. GSA established an Interagency Advisory Board, that includes NIST and other agencies to refine interoperability specifications. It also awarded a smart card contract in May 2000 to five vendors to provide smart card services governmentwide based on those standards. The contract has expanded to include more than a dozen agencies.

NIST has published two versions of its specifications, in June 2002 and July, and is working with agencies and industry partners on program requirements. The institute is also examining standards for a multitechnology card that could include bar codes, photographs and holograms.

NIST officials expect to release a draft report next month that will identify interoperability research topics and gaps in standards coverage, Wu said.

"Large-scale deployment of smart cards has proven challenging," Wu said. "Agencies have found it difficult to deploy systems due to a lack of interoperability among different types of smart cards, and without assurances of interoperability, agencies would be locked into a single vendor. The issue of interoperability had to be addressed before significant investments were made."

Randy Vanderhoof, executive director of the Smart Card Alliance Inc., said that with the establishment of the standards, smart card development is moving in the right direction, and the next step is in the hands of policy-makers.

"These types of enterprisewide approaches could take place because there were commonalities on the technical level," he said. "Once the technical standards were defined, it became incumbent on the agencies to change the policies that then allow people to change the processes."


Getting carded

The General Accounting Office found that 18 agencies have started 62 smart card projects.

The State Department had handed out more than 9,000 smart cards by July, with plans to issue 60,000 to 70,000 more.

The Transportation Security Administration plans to issue worker identification cards to up to 15 million transportation employees.

The Interior Department's Bureau of Land Management launched a pilot project for facility access cards for about 1,100 employees.

The Department of Veterans Affairs plans to issue more than 400,000 smart cards using a Defense Department contract.


  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

  • IT Modernization
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    VA plans 'strategic review' of $16B software program

    New Veterans Affairs chief Denis McDonough announced a "strategic review" of the agency's Electronic Health Record Modernization program of up to 12 weeks.

Stay Connected