A tipping point for biometrics?

Nearly a decade after HSPD-12 was issued, the Department of Homeland Security is beginning to make real progress on linking ID cards to their holders.

ID card

The Department of Homeland Security is about to embark on an ambitious project to add biometrics to its smart card identification system. Other government efforts have demonstrated that such projects can go horribly awry, but it also has the potential to profoundly change DHS for the better.

The exact path the agency takes, analysts say, depends on how well it prepares itself and possibly on how well it incorporates some new technical guidance.

In May, DHS issued a request for proposals to add facial, fingerprint and iris recognition capabilities to its ID system as part of a $102 million upgrade. The agency is seeking a new contractor to take over the ID management project currently overseen by XTec and establish a new biometric-based card system that complies with Homeland Security Presidential Directive 12 (HSPD-12). The contractor would replace 161,924 personal identity verification (PIV) cards by the end of 2013 and another 116,172 in 2014, DHS officials said.

According to the agency, the winning contractor would also install enrollment and issuance stations at as many as 300 DHS locations to manage at least 300,000 PIV cards. Those locations could include sites outside the United States.

Accenture Federal Services, Booz Allen Hamilton, Deloitte, General Dynamics Information Technology, Northrop Grumman, Science Applications International Corp. and Unisys have all expressed interest in the project.

Biometric challenges

Many agencies are meeting HSPD-12's requirement for physical and logical access to their buildings and computer systems, but few have been adequately incorporating biometric capabilities. DHS' project takes that bull by the horns, but not without risk.

Heidi Shey, an analyst at Forrester Research who covers security and risk markets, said the relatively short timeline for completing such a large project could lead to big problems if sound planning is not done upfront. For the agency to avoid trouble down the road, it should be working on — or, better yet, completing — programs that establish enrollment processes for employees, define what kind of information each employee needs embedded in his or her card, and create backup plans in case of failure, she added.

DHS is hard at work on that kind of due diligence, said Jim Williams, senior vice president of business development at Daon. The software and professional services company is helping India's government develop and manage a national biometric-based ID program. The project, which aims to issue identity cards for roughly 1.4 billion people, enrolls about 1 million people a day, taking fingerprint, iris and facial images from each. Those images are stored in a massive central database.

Williams said that although DHS is doing a great job in setting up the procurement for its project, it faces some challenges, primarily related to ensuring that the ID card and management system comply with a 2011 Office of Management and Budget directive that seeks to further the implementation of HSPD-12 by making PIV credentials the common means of authentication for access to agency facilities, networks and information systems.

Furthermore, Williams said coordinating numerous biometric identifiers can be complicated, and information storage for such a huge project is potentially costly.

The New Smart Card

Today's smart cards might look like the laminated flash passes of old, but they now go far beyond name, address and photo. Onboard computer chips can carry complete identification records and other documentation, including digitized fingerprint or facial recognition images.

Cards can incorporate not only bar codes, RFID tags and magnetic stripes, but also have onboard data processors to segment and store information, even allowing for automatic remote information updates. These cards can take up to 30 steps to construct, print and laminate.

He added that another big challenge for DHS is keeping its systems efficient and up-to-date. Other large identity management programs use increasingly effective commercial software to do that, and DHS could take the same approach. But Williams added that avoiding proprietary solutions and other forms of technology lock-in is essential for DHS.

A model for other agencies

DHS' plans got a boost from the National Institute of Standards and Technology in mid-July. After a long delay, NIST released specifications for iris recognition capabilities under Federal Information Processing Standard 201-2 — the latest installment in a series of NIST publications that provide technical guidance for complying with HSPD-12.

By consulting the FIPS 201-2 publication, federal agencies can implement standards-based biometrics and identity management solutions that are accurate and interoperable, said Charles Romine, director of NIST's Information Technology Laboratory.

The recently released guidelines include specifications for federal agencies to use iris recognition as an optional add-on for authentication of their PIV cardholders, Romine said. The publication also describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV card itself. The specialized format requirements for iris images are based on the international standard for compact storage, he added.

DHS declined to provide specifics about its plans for the new identity management system, but agency spokeswoman Marsha Catron said DHS continues to implement HSPD-12, which works to improve the secure, reliable identification of federal employees and contractors.

If DHS is successful in implementing its biometric ID program, it could provide a model for other agencies. For instance, Williams said the national wireless communications network for first responders that the National Telecommunications and Information Administration is spearheading will need some kind of identifier for users to access it.

He added that because DHS operations touch such a wide range of markets — including border security, air travel and emergency response — it is a trend-setter for organizations at all levels of government and in industry.

DHS is "moving to a new world," Williams said.

ID management map

TWIC: A cautionary tale?

The Transportation Worker Identification Credential (TWIC), an ambitious biometric ID card project overseen by the Transportation Security Administration and the U.S. Coast Guard, has been underway for more than a decade. Congressional overseers and critics say its history shows how important upfront management can be for large biometric ID installations.

The program began in 2003 as part of an effort to protect ports and transportation infrastructure in the wake of the 2001 terrorist attacks by establishing a national, tamper-proof secure ID for transportation workers.

Millions of truckers and port workers pay $65 to $135 to get TWIC cards, which numerous critics on Capitol Hill have called nothing more than a glorified "flash pass" because their more advanced biometric and data storage capabilities have not lived up to their billing.

The card has a computer chip that stores the holder's information and biometric data, usually a fingerprint. The chip is read by inserting it into a reader or holding it near a contactless reader. The card also has a magnetic stripe like the ones on credit cards and a linear bar code as alternative reading methods.

However, over the years, the program has been hobbled by faulty card readers, inadequate fingerprint data collection, expiration-date errors, dark photos and other problems. A recent study by the Government Accountability Office said the results of a test of TWIC card readers "were incomplete, inaccurate and unreliable for informing Congress and for developing a regulation (rule) about the readers.... These issues call into question the program's premise and effectiveness in enhancing security."

At a hearing convened by the House Homeland Security Committee's Border and Maritime Security Subcommittee in June, Chairwoman Candice Miller (R-Mich.) and others questioned whether the TWIC program was dying or already dead.

Rear Adm. Joseph Servidio, assistant commandant for prevention policy at the Coast Guard, said TWIC was not dead. "We will be able to justify the technology as it matures," he said. "The systems are more robust now."

"Are we where we need to be?" Servidio asked rhetorically. "No, sir, but I think we are moving in that direction."

 

 

NEXT STORY: Why .gov went dark

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.