GSA works on ID guide

General Services Administration officials are developing a guidebook to help federal agencies comply with the upcoming standards on issuing secure credentials to their employees and contractors.

Judith Spencer, chairwoman of the General Services Administration's Federal Identity Credentialing Committee, said the Identity Management Handbook for the Federal Information Processing Standard (FIPS) 201 will provide checklists, recommendations, best practices and other guidance to help officials complete their plans for implementation.

Officials expect Commerce Department Secretary Carlos Gutierrez to sign FIPS 201 Friday, establishing technical specifications for common identity credentials for federal employees and contractors. Federal agencies must submit their plans to the Office of Management and Budget by June and then must comply by October.

A common credential, officials said, will improve security by providing a common way to authenticate identity for access into physical facilities and information systems. It will require officials to issue smart cards in some cases. Some cards will need biographic and possibly biometric data. Agencies are in various stages of development on the issue and implementation costs will vary.

Spencer, who spoke during a panel discussion about federal credentialing at the AFCEA International homeland security conference today, said GSA expects the guidebook to be issued next week if FIPS 201 is signed this week. She said it will be a final draft and expects feedback from federal and industry officials about incomplete information or discrepancies.

By the end of March, GSA officials will publish a final handbook, but she said it will be a living document because she expects it to be updated to meet new requirements. GSA officials are also hoping to maximize their buying power to help agencies save costs on implementation.

Federal agencies have collectively been working on a common credential for nearly two years. Their work was bolstered by President Bush's Homeland Security Presidential Directive-12, which established tight deadlines for agencies to develop and implement secure common credentials that could be authenticated electronically.

Mary Dixon, deputy director for the Defense Department's Defense Manpower Data Center, said DOD's Common Access Card program, which has issued about 4 million smart cards to military and civilian employees and selected contractors, will be able to accommodate changes, but not huge changes, from the new standard.

She said she had no reason to believe the changes would mandate major costs for changes to DOD's infrastructure. She said DOD officials had already planned to implement some changes. The biggest challenge will be to getting the physical security access community to use electronic authentication to verify identity. She said they've been working on that for four years.

Dixon added that DOD officials are also working on a test with two state governments to electronically authenticate credentials. She said many military employees use their military ID cards to obtain a driver's license. Consequently, people seeking employment at DOD use their driver's license to verify their identification. She said the test would merely verify that a credential is good, IS issued by DOD and expires at a particular date.

Panel members also said that the new standard will adhere to privacy guidelines and that card holders would be in control of how that data is used. The cards would contain minimal data on a person. Card holders would have to punch in a password or a personal identification number to allow others to share data stored in that card.