In Depth
HSPD-12: United States of Access Control
A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?
By Sarah D. Scalet
All of this is no cheap affair. The Smart Card Alliance, a trade group, estimates that just issuing the cards alone, not counting the associated background checks and policy changes, could cost close to $50 a person. Multiply that by 1.9 million federal employees and contractors outside of the Department of Defense, and 3.5 million within it, and you quickly end up with a price tag of $270 million. And that's not counting the infrastructure upgrades that will be necessary for agencies to actually use the cards.
If you suspect one more acronym is coming, you're right. The whole thing is, in short, a BHAG: big, hairy, audacious goal. And the government wants it done. Fast.
The deadline for the first part of FIPS 201 was Oct. 27, 2005. In its February report, the GAO indicated that agencies studied were still working on this requirement, but progress was good enough that the OMB declared everyone had complied. The bigger deadline, for part two, is Oct. 27 of this year, the day of the aforementioned nuptials. There's just one problem. The technology is only just being developed.
For the card system to be truly interoperable, more than a dozen pieces of technology have to work in concert, from smart cards to readers to card management systems to physical and logical access control systems. But legacy physical access control systems, for instance, can't support the extra data on the smart cards, and their proximity readers usually function on a different wavelength. The biometrics industry has been using a mishmash of methods to store and validate fingerprint templates on smart cards, all of which are proprietary. And it turns out that none of the existing smart card deployments in the federal government are compliant with the new standards.
All of this means that this summer, NIST was still in the process of testing whether new product lines conform with the standards, and the GSA was still testing whether new products work together, this when the government procurement process alone typically takes months. On the last day of June, OMB announced that the first nine products, from five vendors, had been approved. Meanwhile, agencies had been sitting on their hands. (GSA did not respond to a request for an interview.)
"You can't establish a FIPS 201-compliant system unless it's composed of products off [the GSA] product list," explained Bond, from Veterans Affairs, in early June. "If you don't know what's on that approved product list, you can't build your system. There are a number of agencies and departments who had started [working on smart card systems] before FIPS 201 that are literally waiting because they don't know what's going to be on the list."