Card Tricks

It used to be Oct. 31 brought the witching hour, but for government agencies, the scariest date on the calendar just might be Oct. 27. Starting last year and continuing for at least two more, that late October day heralds a deadline in the government’s effort to create a secure, common ­identity card program for physical access to buildings and logical access to systems.

By Oct. 27, 2005, as mandated by Homeland Security Presidential Directive 12, agencies had to have procedures in place for issuing the ID cards to all new employees and contractors. After that hurdle, known as Personal Identity Verification I, came the PIV-II requirements. For PIV-II’s deadline this October, agencies had to begin issuing cards interoperable with other agencies’ card readers, setting up input devices for personal identification numbers and establishing interfaces for public-key infrastructures and digital certificates.

Although agencies have made progress, it’s still a fledgling program, according to the Defense Department and General Services Administration officials who are trying to help agencies keep pace. For starters, in October many agencies were literally just beginning to issue new smart cards to meet the specifications created by the National Institute of Standards and Technology.

“A wealth of detail remains to be worked out” during the individual agencies’ implementations, says William MacGregor, NIST’s PIV program manager. So how can agencies keep up? One, lay out a functional game plan; two, turn to a shared-services card center for help; and three, integrate back-end systems with an agency’s broader asset management program.

The Game Plan

Gordon Hannah, managing director of public sector security and identity management group for Bearing Point of McLean, Va., says agencies using either their own internal programs or using shared-services ­centers for card generation must do four things:

• Make sure to define program benchmarks carefully and completely. “Every time a new set of specs gets issued within an agency, it slows down the process,” he says. “The devil is in the details — such as specs that are poorly defined or open to interpretation.” NIST did its best to create working parameters for the program, Hannah adds, and vendors also have raced against time to build compliant products.

• Join with other agencies to leverage purchasing power. Both GSA, helped by the Agriculture Department, and the Interior Department will offer shared HSPD-12 services. “Some agencies are signing up with GSA, some have their own HSPD-12 credentialing systems, and some are planning migration strategies,” he says. “They take different paths, but all of them have the goal of real, live authentication cards.”

• Use a high-volume, central production facility for cards. “Then you don’t have to field and manage multiple printers, laminates and supplies at different sites,” Hannah says. “There’s less waste, and you get better quality.”

• Begin to plan for what’s coming down the road. “The focus now is on identity verification and card issuance,” he says, “but consider how you can further automate workflow for bringing in new employees and contractors, and quickly revoking their rights when they leave. Think about adding more applications to the cards, for example, for training and payment applications. If you use the cards only for access, you may not see a return on investment.”

Hannah, who worked with GSA on pre-PIV smart cards and also managed the third phase of developing the Transportation Security Administration’s Transportation Worker Identity Credential, says the TWIC program helped him hone in on these key areas. From the start, TSA aimed the TWIC work at HSPD-12 compliance for 28 maritime sites, he says. TSA now is conducting a procurement to roll out TWIC nationwide for PIV-II.

Michael Butler, chief of DOD smart-card programs on detail with GSA during this pivotal period, also encourages collaboration and information sharing. That’s why he’s been working at GSA temporarily. Butler spends much of his time just talking to people — “through the Interagency Advisory Board, CIO meetings and individual meetings,” he says.

The Sharing Approach

To simplify compliance for agencies, GSA contracted with BearingPoint to set up shared-services centers for card issuance. Despite protests of the five-year, $104.6 million deal, Michel Kareis, GSA program manager for HSPD-12 programs, says the project “met the first milestone, and we expect to meet the others. The project work continues while in protest, and we are on track.”

After an initial test in September, the first four shared-services sites — in Atlanta, New York City, Seattle and Washington — were ready to roll, Kareis says. “We’ll go nationwide in January, with a commitment for 130 fixed and mobile stations to issue cards once we see where agencies’ customers are concentrated.”

Although DOD has issued more than 4 million of its Common Access Cards, Kareis says, GSA initially estimates that civilian agencies will make just 1.9 million cards. The number will continue to rise, however, as people retire and contracts change.

“DOD locally produces its CAC cards,” Kareis says, “but GSA is doing it centrally because that’s more robust.” Even so, “this is not a static program. As with our telecommunications services programs, we don’t see an end date.”

Back-end Systems Integration

The difficult thing is the credentialing and issuing of the cards, says Joe Broghamer, acting chief technology officer at the Homeland Security Department. Managing identities is much easier. Agencies have many of the components in place now to support an identity management system (IDMS) that will interface with the back-end systems for the cards, readers and systems accessed using the new cards, he says.

The approach and planning for an IDMS — the storehouse of certificate and personal identity information for the PIV cards — can build on the investments agencies have already made in systems for managing other lifecycle assets, says Aaron Benson, an identity management strategist for Novell. Treating the cards like another asset makes sense, he says, and it’s not an alien concept for agencies.

Benson suggests that agencies:

• Make sure IDMS apps are open and cross-platform­ to support existing agency investments in enterprise asset management. That way the IDMS becomes another cog in the enterprise infrastructure.

• Build around open standards so that IDMS apps can support multiple logistical and physical access needs, and allow for future upgrades. Despite efforts at enterprise integration, an IDMS will still have to interface with multiple systems; interoperability will be paramount.

• Consider a vendor’s partners when getting outside help on an IDMS. The ability to tap other vendors through the prime contractor will ease interoperability across disparate systems and speed up an agency’s return on its investment.

The ability to use the cards for many systems and facilities repeatedly is what will ultimately make them cost effective, Broghamer says. It’s also a functionality issue. “To make security work, it has to increase functionality first and security second,” he says.

Ultimately, Butler says, agencies must remember that DOD has already been down that road, so help is out there. “Many of the implementation issues agencies will encounter have been documented by DOD over the past few years,” including how to detail training assets, set network configurations, align with standards and calculate costs, Butler says. DOD has shared its experiences with all agencies online at www.smart.gov and idmanagement.gov.

“GSA has been promoting the transfer of information and best practices for more than two years,” Butler says, so agencies shouldn’t feel that they’re going it alone.