A tipping point for biometrics?

The Department of Homeland Security is about to embark on an ambitious project to add biometrics to its smart card identification system. Other government efforts have demonstrated that such projects can go horribly awry, but it also has the potential to profoundly change DHS for the better.

The exact path the agency takes, analysts say, depends on how well it prepares itself and possibly on how well it incorporates some new technical guidance.

In May, DHS issued a request for proposals to add facial, fingerprint and iris recognition capabilities to its ID system as part of a $102 million upgrade. The agency is seeking a new contractor to take over the ID management project currently overseen by XTec and establish a new biometric-based card system that complies with Homeland Security Presidential Directive 12 (HSPD-12). The contractor would replace 161,924 personal identity verification (PIV) cards by the end of 2013 and another 116,172 in 2014, DHS officials said.

According to the agency, the winning contractor would also install enrollment and issuance stations at as many as 300 DHS locations to manage at least 300,000 PIV cards. Those locations could include sites outside the United States.

Accenture Federal Services, Booz Allen Hamilton, Deloitte, General Dynamics Information Technology, Northrop Grumman, Science Applications International Corp. and Unisys have all expressed interest in the project.

Biometric challenges

Many agencies are meeting HSPD-12's requirement for physical and logical access to their buildings and computer systems, but few have been adequately incorporating biometric capabilities. DHS' project takes that bull by the horns, but not without risk.

Heidi Shey, an analyst at Forrester Research who covers security and risk markets, said the relatively short timeline for completing such a large project could lead to big problems if sound planning is not done upfront. For the agency to avoid trouble down the road, it should be working on — or, better yet, completing — programs that establish enrollment processes for employees, define what kind of information each employee needs embedded in his or her card, and create backup plans in case of failure, she added.

DHS is hard at work on that kind of due diligence, said Jim Williams, senior vice president of business development at Daon. The software and professional services company is helping India's government develop and manage a national biometric-based ID program. The project, which aims to issue identity cards for roughly 1.4 billion people, enrolls about 1 million people a day, taking fingerprint, iris and facial images from each. Those images are stored in a massive central database.

Williams said that although DHS is doing a great job in setting up the procurement for its project, it faces some challenges, primarily related to ensuring that the ID card and management system comply with a 2011 Office of Management and Budget directive that seeks to further the implementation of HSPD-12 by making PIV credentials the common means of authentication for access to agency facilities, networks and information systems.

Furthermore, Williams said coordinating numerous biometric identifiers can be complicated, and information storage for such a huge project is potentially costly.

He added that another big challenge for DHS is keeping its systems efficient and up-to-date. Other large identity management programs use increasingly effective commercial software to do that, and DHS could take the same approach. But Williams added that avoiding proprietary solutions and other forms of technology lock-in is essential for DHS.

A model for other agencies

DHS' plans got a boost from the National Institute of Standards and Technology in mid-July. After a long delay, NIST released specifications for iris recognition capabilities under Federal Information Processing Standard 201-2 — the latest installment in a series of NIST publications that provide technical guidance for complying with HSPD-12.

By consulting the FIPS 201-2 publication, federal agencies can implement standards-based biometrics and identity management solutions that are accurate and interoperable, said Charles Romine, director of NIST's Information Technology Laboratory.

The recently released guidelines include specifications for federal agencies to use iris recognition as an optional add-on for authentication of their PIV cardholders, Romine said. The publication also describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV card itself. The specialized format requirements for iris images are based on the international standard for compact storage, he added.

DHS declined to provide specifics about its plans for the new identity management system, but agency spokeswoman Marsha Catron said DHS continues to implement HSPD-12, which works to improve the secure, reliable identification of federal employees and contractors.

If DHS is successful in implementing its biometric ID program, it could provide a model for other agencies. For instance, Williams said the national wireless communications network for first responders that the National Telecommunications and Information Administration is spearheading will need some kind of identifier for users to access it.

He added that because DHS operations touch such a wide range of markets — including border security, air travel and emergency response — it is a trend-setter for organizations at all levels of government and in industry.

DHS is "moving to a new world," Williams said.

TWIC: A cautionary tale?

The Transportation Worker Identification Credential (TWIC), an ambitious biometric ID card project overseen by the Transportation Security Administration and the U.S. Coast Guard, has been underway for more than a decade. Congressional overseers and critics say its history shows how important upfront management can be for large biometric ID installations.

The program began in 2003 as part of an effort to protect ports and transportation infrastructure in the wake of the 2001 terrorist attacks by establishing a national, tamper-proof secure ID for transportation workers.

Millions of truckers and port workers pay $65 to $135 to get TWIC cards, which numerous critics on Capitol Hill have called nothing more than a glorified "flash pass" because their more advanced biometric and data storage capabilities have not lived up to their billing.

The card has a computer chip that stores the holder's information and biometric data, usually a fingerprint. The chip is read by inserting it into a reader or holding it near a contactless reader. The card also has a magnetic stripe like the ones on credit cards and a linear bar code as alternative reading methods.

However, over the years, the program has been hobbled by faulty card readers, inadequate fingerprint data collection, expiration-date errors, dark photos and other problems. A recent study by the Government Accountability Office said the results of a test of TWIC card readers "were incomplete, inaccurate and unreliable for informing Congress and for developing a regulation (rule) about the readers.... These issues call into question the program's premise and effectiveness in enhancing security."

At a hearing convened by the House Homeland Security Committee's Border and Maritime Security Subcommittee in June, Chairwoman Candice Miller (R-Mich.) and others questioned whether the TWIC program was dying or already dead.

Rear Adm. Joseph Servidio, assistant commandant for prevention policy at the Coast Guard, said TWIC was not dead. "We will be able to justify the technology as it matures," he said. "The systems are more robust now."

"Are we where we need to be?" Servidio asked rhetorically. "No, sir, but I think we are moving in that direction."