In Depth
HSPD-12: United States of Access Control
A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?
By Sarah D. Scalet
At Veterans Affairs, for instance, Bond says the agency had already invested millions of dollars in a system that, among other things, doesn't support the new biometric requirement. "If we were to become FIPS 201 compliant, we would have to literally throw away millions of dollars of equipment and card stock," Bond says, "and OMB says that it doesn't make sense to throw away that stuff."
What's more, the new cards at Veterans Affairs will be compatible with maybe 60 percent of the existing physical access control systems throughout the agency. "Anytime we go to upgrade a facility, we will make sure that the system is in compliance," Bond says. "In the interim, you will have noncompatible systems which will require separate badges to exit and enter different parts of the facility."
Some other agencies that do have to start issuing FIPS 201compliant cards by October are likely to find a different workaroundincorporating their legacy technology onto the new smart cards. This might involve, say, slapping an old magnetic stripe onto a new card. That makes the new card not so much one card that does everything but two cards in one. "It becomes a migration strategy," Klinefelter of the Open Security Exchange says. The OMB has not set a deadline for how long either the transitional cards or those that incorporate legacy technology can be used.
As far as actually issuing the cards, an emerging approach involves a shared service model, in which agencies can sign up to outsource card issuance to a common provider. Initially, USDA's Niedermayer said that the federal government's Executive Steering Committee was looking for agencies who were able to issue cards for other agencies. Then, the government issued an RFP for contractors who could do the work. Vendors were asked to submit plans to start issuing cards to 30 agencies in multitenant facilities in Atlanta, New York City, Seattle and Washington, D.C., by the October deadline. At press time, Niedermayer said the government was still waiting to see who would submit bids by the deadline, which had been extended.
With this development, it remains to be seen whether the government has created one big headache, instead of dozens of small ones. Observers say there is a risk that the cards will not be interoperable or that deadlines will not be met. Indeed, agencies that sign up for the shared service model but are not part of the 30-agency pilot are not likely to have one card issued by the deadline.
smart cards
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- WagerWorks Takes Fraudsters Out of the Game Using iovation
- Understanding Versatile Authentication and Its Benefits
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Implementing Best Practices for Web 2.0 Security
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
