In Depth

HSPD-12: United States of Access Control

A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?

By Sarah D. Scalet


Of course, part of this is just how the standard-making process works. The government decides it wants to make a change, codifies it and pushes it forward, causing pain along the way but eventual improvements. But the vast scope of and short time line for HSPD 12 have made the pain especially acute and even called into question whether the program isn't bound to fail.

"A project like this has never been done before, particularly on this scale," says Randy Vanderhoof, executive director of the Smart Card Alliance. "It's not pointing fingers at the government as much as it is that taking on this project, defining this HSPD 12 interoperable card platform, was I think much more than the policy writers anticipated. And now that they're in the midst of it, there's no turning back."

A Proprietary Jungle

Michael Butler got his introduction to smart cards almost 10 years ago, when he went to work for a Navy office with a smart card program. "My predecessor had installed about seven smart card systems, and they were the most painful part of my job," recalls Butler, a former Navy officer with a master's degree in computer engineering. "Every time [there was an upgrade], like if I bought a new card version from the manufacturer, my physical security system quit working. Usually it was when some admiral or general was around. I had to go to every reader, in every building, and update the firmware and the readers."

This has long been the complaint about physical access control systems: that multiple systems, even from one manufacturer, don't always work together. Since those days with the Navy, Butler, now the access card office director at the U.S. Department of Defense, has been trying to get the physical security community to move toward a standards-based model. In 1998 he helped form the Government Smart Card Interagency Advisory Board, which persuaded a major smart card chip manufacturer to put a handful of ISO commands on its cards. They were simple commands, like "get data" and "write." But they cracked open a door, and a couple other manufacturers agreed to throw the commands onto their chips too.

"All of a sudden, we have competition," says Butler, who now oversees the largest smart card installation in the federal government, with 3.5 million cards in circulation. (Butler has since taken a six-month assignment at GSA, where he will help with the technical aspects of HSPD 12 implementation.) The competition is a very good thing if you're a government agency trying to make taxpayer dollars go a long way; it's not such a good thing if you're a vendor who's used to a steady stream of revenue off a proprietary system.
