news
NEWS COMMENT – Presidential order gets smart card industry attention

The eyes of the world may have been on the USA’s elections in recent weeks, but for some Government officials there will have been little respite thanks to a pre-election directive from George W. Bush that called for a Common Identification Standard to be established for all federal employees and contractors.

The presidential directive – HSPD-12 – was announced on 27 August 2004 and mandated that all federal agencies move rapidly to deploy a common ID card platform within their organisations. The aim of the order is to improve security – both to physical premises and the data within.

According to the Bush directive there are wide variations in the quality and security of current ID documents used to gain access to secure Federal and other facilities. These security concerns need to be removed by the establishment of a “mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)”.

While the directive does not specify the use of smart cards, it is clear that the card technology is the frontrunner as it is one of the only technologies that can meet all requirements, which say the card must be able to:

• verify an individual employee’s identity;
• resist ID fraud, tampering, counterfeiting and terrorist exploitation;
• rapidly authenticate electronically;
• be issued only by providers whose reliability has been established by an official accreditation process.

It is unclear how many government workers and contractors will require the new ID, but estimates in the region of 7 million have been mooted.

The National Institute for Standards and Technology (NIST) is responsible for developing the standard, and it is now working overtime to meet the tight deadline of 28 February 2005 for an agreed standard to be approved.
The standard

There was already a standard under development for the federal government, called the Government Smart Card Interoperability Standard (GSC-IS), with the current version being v2.1. There had been a plan to submit GSC-ISv2.1 to the appropriate standards bodies in order to become a national or even international standard. While this standard directive will be substantially different, it will have the GSC-IS at its core. It will also have additional elements,
such as ISO 7810 (relating to physical characteristics), ISO 7816 (the contact chip standard) and ISO 14443 (the contactless chip standard), among others. The end result will enable an agency to meet the requirement to issue cards to its employees and contractors.

While the final document is to be known as the Federal Information Processing Standard 201 (FIPS 201), it will also have a more user-friendly name – the Personal Identity Verification Standard, or PIV. According to NIST the PIV standard will need to:

• properly protect the personal privacy of subscribers to the PIV system;
• authenticate identity source documents to obtain the correct legal name of the person applying for a PIV “card”;
• electronically obtain and store appropriate biometric data (such as fingerprints, facial images) from the PIV system subscriber;
• create a PIV “card” that is “personalized” with data needed by the PIV system to later grant access to the subscriber to Federal facilities and information systems;
• assure appropriate levels of security for all applicable Federal applications;
• provide interoperability among Federal organizations using the standards.

The latest news is that a preliminary draft of the PIV standard is now available and comments are being sought. The final draft should draw on the experience that agencies have gained with cards recently. Last month a report from the USA’s Government Accountability Office stated that there was a trend towards larger, agency-wide projects, with 12 of the 24 known programmes intended to provide ID credentials to an agency’s employees or other large groups of individuals. For example, 2.75 million of the Department of Defense’s (DoD) Common Access Cards have been issued to DoD-related personnel, with another 750,000 still to come.
What next?

The order is proof that cards are forming a crucial part of the infrastructure for government. There is now a sense of urgency because of the tight deadlines. The first deadline is 28 February 2005, by which time an agreed PIV standard must be developed and circulated. By June, there must be programmes in place to ensure that any ID issued to Federal employees and contractors meets the standard. By October 2005, all Federal employees and contractors must use ID that meets the standard. While the work rate has increased, the deadlines are tight – but this can only be seen as good news.

Mark Lockie
Card Technology Today November/December 2004