The US government is studying the viability of a shared technology and services infrastructure to help agencies issue new Personal Identity Verification (PIV) smart cards to all employees and contractors beginning in October.
The goal of setting up such a common infrastructure is to make it easier and cheaper for agencies to enroll and register individuals in the PIV program, said David Temoshok, director for identity policy and management at the U.S. General Services Administration (GSA). Federal agencies are looking to implement a 2004 presidential directive requiring the smart cards.
“I would argue that if we can put a common infrastructure in place for agencies to start enrolling and registering individuals it would be a huge and important step” in speeding adoption of the smart cards, Temoshok said. Such an infrastructure would include common services for capturing identity and biometric information and the systems needed to record that information, he said.
According to Temoshok, an executive steering committee is currently looking into funding and governance issues and is also trying to figure out which agencies would be in charge of such a shared infrastructure, he said. “We are looking at doing something that ought to be efficient and will also save agencies time and money,” he said.
Homeland Security Presidential Directive-12 (HSPD-12) is an unfunded mandate that calls for a government-wide standard for identifying federal employees and contractors. It also mandates the use of a common identification credential (PIV smart cards) for both logical and physical access to government computer systems and facilities. The cards must be interoperable across government, meaning a PIV card issued by one agency can be read and verified by another agency’s authentication systems. The interoperability requirement has meant that agencies such as the Departments of Defense and Interior — which have already rolled out millions of smart cards based on different standards over the past few years — now must put in place a migration path to PIV cards.
Under HSPD-12, federal agencies had until last October to put in place a way to verify the identities and backgrounds of all federal employees and contractors. By the end of this October, they are required to start issuing PIV cards, though they are not required to issue them to all employees by then.
The government’s exploration of a shared infrastructure comes as federal agencies are scrambling to implement the needed infrastructure — such as PIV-compliant card readers and biometric readers and physical access control devices — by the October deadline. With just six months left to go, agencies don’t have a much time left, especially considering the fact that few PIV-compliant products are available, said David Troy, practice manager at Plano, TX.-based EDS.
“People may be under-estimating the logistical, technical and organizational challenges” involved in rolling out the cards, Troy said, noting that there has nonetheless been “tremendous progress” within agencies in establishing consistent ID vetting processes over the last several months. He stressed that with few products available and no clear indication yet on how or when the government will start procuring them, the October deadline could be tough to meet, he said.
Even when PIV-compliant products do become available, there is still going to be considerable integration work required, said Neville Pattison, director of technology and government affairs at Axalto Inc., a smart-card manufacturer in Austin. “Everybody is doing the best they can. But there’s a lot of work to do and perhaps not enough time.”
The fact that HSPD-12 is an unfunded mandate also means that in some cases agencies are scrambling to find money to implement PIV cards, said Manoj Srivastava, CEO of Infomosaic Inc., a San Jose-based software vendor with a work flow product for registering individuals to the PIV program. “Some agencies have done nothing. Some have done a little. It all depends on which agency you are talking about,” he said. “A lot of them are trying to do the minimum; There really is no money to push this forward.”
The National Institute of Standards and technology (NIST), which was responsible for developing the PIV specification and related technology standards, has established a set of conformance guidelines for vendors of smart cards and middleware technologies. NIST has also established test laboratories where vendors of smart card technology can get their products tested and certified for conformance with PIV standards, said Curt Barker, a NIST program manager who deals with PIV standards. So far, two vendors have been issued compliance certificates, while several others are now going through the process, he said.
“The departments and agencies have done a good job across the board of meeting the first set of deadlines and we are hopeful that procurement will occur within a timeframe that allows agencies to begin issuing cards by October 27,” Barker said.
The GSA, which is responsible for helping agencies procure PIV components such as card and biometric readers, hopes to seek solicitations soon from vendors interested in supplying PIV-compliant products to the government. The GSA is also responsible for testing and approving 20 different categories of products to make sure they meet the interoperability requirements mandated by HSPD-12. So far, the agency has posted test-and-approval procedures for nine of those products and hopes to have the others ready soon, Temoshok said, without specifying a date. Once all the procedures have been finalized, the GSA hopes to test, evaluate and approve products “very, very quickly,” he said.
Visit Vendor of Record, Canada’s online procurement directory