Fed Smart-Card Programs Struggle For Traction

A year into the General Services Administration's 10-year, $1.5 billion smart-card program, federal agencies are quietly plugging away, still struggling to figure out how to use the new technology to strengthen security, streamline procedures and save money.

The task is proving more complex and time-consuming than many expected.

For example, federal agencies are grappling with the interoperability standard that will determine which technologies are appropriate for the governmentwide smart-card program. The delay in establishing the standard has led many agencies to approach smart cards cautiously with pilot projects or to stand aside while the Defense Department and other agencies take the lead.

"The lateness of the standard is making some government agencies nervous," said Todd Freyman, principal investigator for emerging technologies at TASC, once a Litton Industries Inc. subsidiary and now part of Northrop Grumman Corp. "The projects that either have been started or are about to start [could be] delayed."

Smart cards look like credit cards, but they are embedded with microchips. They can be used as sophisticated identification cards to enter buildings, personal computers and networks, but they also can be used for more elaborate applications involving sensitive information, such as health records, financial information, even digital signatures.

A system taking full advantage of smart-card technology requires software and hardware in multiple locations, integration into back-office systems, planning, training and implementation. Smart cards themselves are the least expensive component and simplest to replace. Because smart-card technology is relatively new among federal agencies, government officials are moving slowly as they try to measure its precise costs and benefits, said Steve Peterson, program manager of the Advanced Card Technology Center for Electronic Data Systems Corp., Plano, Texas.

People recognize the need for smart-card technology, but "the business case for it is still a little problematic," he said. "What we're seeing ... is pilots in different agencies, taking a look at what the benefits are, trying to not spend a lot of money."

EDS is one of five prime contractors winning a place on GSA's Smart Access Common ID Card contract, awarded in May 2000. Other companies on the contract are KPMG Consulting Inc., McLean, Va.; Logicon and PRC Inc., both units of Northrop Grumman of Los Angeles; and Maximus Inc., McLean.

Market research firm Frost & Sullivan Inc. of Mountain View, Calif., estimated that the smart-card market just for the governments of the United States and Canada was about 300,000 units in 2000, according to Prianka Chopra, a research analyst who tracks the industry for the firm. But, she said, by 2004, the number of cards sold to the two governments is expected to reach 14.6 million, "and that may be a little conservative."

The Defense Department is taking the lead in implementing smart-card solutions, with its plan to issue up to 4 million cards to military personnel, reserves, civilian employees and contractors at some 900 sites worldwide by the end of 2002.

"A number of the other agencies are certainly watching what we do," said Mary Dixon, director of the department's Access Card Office, part of the Defense Manpower Data Center. "None of them are as large as we are. ... We're the test case." Under the current program, however, the Defense Department has issued only about 6,000 cards, and the departmentwide process for issuing cards won't be in place until the end of May, Dixon said. Despite the slowness, she is confident the military will reach its goal on schedule.

"When we do beta testing, that's really an operational test, because they're real cards from real workstations," Dixon said. This increases the department's confidence in rolling out the cards. Dixon's office is responsible for issuing military ID cards, so there are some 1,400 workstations already in place to issue cards, she said. They simply need to add peripherals to distribute smart cards.

Dixon's office is responsible just for the cards. The individual services must purchase the readers and upgrade their systems to use the cards. The Army has an order for some readers, and the Air Force is not far behind, she said.

"It's sort of a chicken-and-egg thing," Peterson said. DMDC decided to issue smart cards first, expecting that "the other stuff that makes the card useful, the applications, will all follow," he said.

Driving the federal government's move to smart cards is the interest in security, control of both physical and computer access.

The State Department recently awarded a contract to TASC for its Physical Security Systems Smart Card Technology Integration project, worth $10 million over the next three years.

"It will significantly improve the security of the State Department. That was their goal," TASC's Freyman said.

"If you don't need security, you don't need a smart card," said Albert Leung, business development manager for Sun Microsystems Inc., Palo Alto, Calif. "Right now, virtually anybody can buy a military ID card for $75, but you can't clone a smart card." Magnetic strips, bar codes and photographs can all be counterfeited, Leung said, but the encrypted chip on a smart card can't be forged.

Sun is in the smart-card business by virtue of its Java programming language, which can be overlaid on any computer operating system. Java became the language of choice when GSA specified in its smart-card contract that an open architecture be used. This was so the government could choose several vendors while ensuring the products could operate together. But the interoperability standard has not yet been finalized. The smart-card industry historically has been based on companies using proprietary software and hardware products, industry and government representatives said.

Also complicating the push for interoperability, the standard has been written in such a way that "interoperability" need only be achieved within a single agency. For instance, Veterans Affairs is pursuing its own smart-card program to provide veterans with encoded patient ID cards to streamline admissions at its health facilities nationwide. The cards for the agency's test program were ordered through the GSA contract, but they do not use Java and will operate only within the VA's system, Leung said.

On the other hand, VA is hedging its bets. According to agency spokesman Jim Benson, early this winter VA scaled back its initial order of cards to 40,000 from 200,000. Benson said the agency decided the smaller sample size would still give enough information to make decisions about future plans for smart cards, while saving VA some money.

The language used in the interoperability specification leaves the door open for other major players to enter the market and establish a standard, including industry giant Microsoft Corp. of Redmond, Wash.

"They've got a Windows for smart cards operating system," said EDS' Peterson regarding Microsoft. "They have a certain market presence and reputation that says if they do something, they don't do it wrong."

The National Institute of Standards and Technology and GSA have been working with the five smart-card prime contracting teams to hammer out a final version of the interoperability standard. Mike Brooks, director of the Center for Smart Card Solutions in GSA's Federal Technology Service, said the organizations are refining the specifications issued last year and are planning to have a new draft ready by June 30.

While the delay in establishing the standard has created some drag on agencies' interest in pursuing smart-card applications, many see the government's move to the technology as inevitable. One of those is Scott Schnell, senior vice president of marketing and corporate development for RSA Security Inc., a Bedford, Mass., company specializing in security software and hardware, including those for smart-card applications. His company operates an independent laboratory dedicated to cryptographic and security research, working on open standards, some of which apply to smart cards. "This is a necessary foundation for moving physical processes to electronic [format]," Schnell said. "Smart cards are just the tip of the iceberg."

While most efforts are focused on access concerns, some federal agencies are beginning to think about additional functions for smart cards. The Defense Department, for example, is considering joint exercise applications, such as manifesting and tracking military travelers, deployment readiness and food service, Dixon said.

Another application related to access, but more sophisticated, is public key infrastructure, or PKI, and its usefulness for electronic signatures. PKI is an electronic system of verifying an individual's identity using an embedded authentication certificate.

"The electronic signature legislation is one of the driving forces behind this," said John McKeon, vice president of products with 3-G International Inc., Springfield, Va. While 3GI sold its government services division (and its place on the GSA smart-card contract) to Maximus, the company continues to provide security and authentication products to the industry.

With the passage of the Government Paperwork Elimination Act in 1998, federal agencies must be able to offer and accept digital signatures, McKeon said.

"This is law, not an option they have to look at," he said. "It's very different than the commercial sector, where when the economy goes a little sour, everyone holds off a little bit."

Dixon is eager for smart-card applications to begin to expand beyond security concerns, too. "The killer app for the Department of Defense was PKI. ... Anything that improves the security of your network at an affordable price, you want to do," she said. "If you look at the kind of opportunities you get with this card, enabling legacy databases so people can do business over the Web, you start to see lots of ways [to save] money, to look at ways to make your business better, to do more online."

Microsoft Corp. dominates the personal computer world with different versions of its Windows operating system. But systems integrators on the General Services Administration's $1.5 billion contract for smart cards are making use of Sun Microsystems' Java programming language as the template for the interoperability requirements in the contract.

Microsoft may not consider that an insurmountable obstacle.

"We do have a product, Windows for Smart Cards, an operating system that Microsoft developed," said Patrick Arnold, director of information assurance for Microsoft Federal Systems.

Microsoft was involved with most of the prime contractors on the GSA contract, attending several meetings on the interoperability issue. But the company disagreed with the government's insistence on some types of interfaces, Arnold said. He said the interfaces were not vetted through any kind of recognized international body. "From a Microsoft perspective, we've not embraced that model for a variety of reasons, [including that] we're not convinced the government is on the right track," he said.

While the company may have dropped out of the interoperability discussions for the GSA contract, it is moving ahead on other smart-card opportunities within the government. Arnold said Microsoft is working with the Navy on an electronic cash project, basically providing sailors with an electronic form of spending money.

The Defense Department, the major user of the GSA contract to date, is committed to its course of action. But Mary Dixon, director of the department's Access Card Office, didn't rule out the idea of making changes in the future if another architecture offers even more flexibility and potential for upgrades.

"We picked Java because it seems to satisfy most of our requirements," Dixon said. "Our commitment is to our users. Whatever we do will not obsolete what we did in the past. [The] card is only valid for three years, so it's easier" to make incremental changes as the cards expire.

Todd Freyman, principal investigator for emerging technologies at TASC Inc., is less sanguine about the prospects of a Microsoft entry.

"My own gut instinct, and from history, says Microsoft is getting ready to release a new smart card. [The company] always seems to have a large impact on the market," Freyman said. Most of Microsoft's solutions are proprietary, he said, and the company may be looking to establish a new standard for smart cards. What the company has now is not GSA-compliant, Freyman said. "Maybe the federal government can fight [their standard]," he said.
