Princeton Junction, NJ, March 16, 2004–New program details were announced at the Smart Card Alliance 3rd Annual Smart Cards in Government conference, as the fast-growing focus on smart cards in the federal government more than doubled attendance at this year’s event.

“We had more than 360 registered attendees, twice as many as last year,” said Kevin Gillick, head of corporate marketing for the Datacard Group and chairman of the Smart Card Alliance. “The Alliance supports the public-private partnership by providing a forum where government and industry can come together and work. The success of the meeting and the growth in attendance show it’s working.”

“This was the second year the Smart Card Alliance hosted the Federal Smart Card Project Managers Group meeting in conjunction with our full conference and exhibition,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “The government interest has increased so dramatically that the morning session was standing room only.”

Government agencies that announced new program details in ID credentials and physical access control were the National Aeronautics and Space Administration (NASA), the Department of Veterans Affairs (VA) and the Transportation Security Administration (TSA). Representatives from the American Public Transportation Association (APTA), the Federal Identity Credentialing Committee (FICC) and the National Institute of Standards and Technology (NIST) presented new standards efforts, an essential part of the success of smart card technology in government.

NASA

NASA’s Tim Baldridge presented new details about the “One NASA” smart card system to be used by all NASA employees and contractors across the United States. In February, NASA announced an award to Maximus to develop the system.

Plans call for dual contact and contactless chips in a high-reliability card body similar to the 4.5 million Common Access Cards (CAC) issued by the Department of Defense (DoD), according to Baldridge. The contact portion is a 64K Java-based chip and the contactless component is a 4K ISO 14443 Type A chip.

Special features include on-card secure key generation and a PKI certificate profile consistent with the FICC cross-credentialing guidelines and following the DoD CAC card model.

Following a successful operation readiness review from July to September 2004, NASA will begin issuing 20,000 cards in October and plans another issue of 70,000 cards between November 2004 and September 2005.

NASA’s application priorities are using the card for an ID credential, physical access control and logical access control. One interesting aspect of the program is the decision not to put any distinguishing graphics or logos on the card. “On the advice of our security office, we will not identify the badge in any way that indicates it is a NASA badge or a U.S. government badge,” said Baldridge.

Department of Veterans Affairs

Fred Catoe, project manager for the smart card initiative in the Office of Cyber and Information Security for the Department of Veterans Affairs, presented new details about the VA’s smart card program.

There are three major parts to the system: a smart card ID credential and physical access control card, a PKI certificate meeting the federal PKI standards, and an identity and access management system. The VA is working closely with the DoD on PKI implementation choices and other issues. “The VA is in discussions with the DoD to consider how to leverage the DoD infrastructure and backend systems,” said Catoe.

An interesting aspect of the program is its support for a thin client system logon in VA hospitals. A doctor logs on from one room using the smart card, and removes the card when he or she leaves the room. The doctor then inserts it in a computer in another room, and the session comes right back to where it was. “As doctors move from room to room during the course of a day, they are constantly logging in and out of our systems. With our thin client system, the doctor will logon once with a smart card. This will save doctors about 45 minutes a day according to our surveys,” said Catoe.

If the testing and pilot phases go well in the coming months, “we plan on deploying this system starting in July,” said Catoe. Current plans call for issuing 15,000 cards from July through September 2004. Starting in September 2004, the VA plans to issue 12,000 cards per month for the next three years, eventually issuing smart card credentials to 500,000 VA employees, doctors and designated support contractors.

The VA administers health and benefit programs for 25 million living veterans, and has the largest civilian workforce of any U.S. government agency.

TWIC Testing To Begin in State of Florida

The TSA Transportation Worker Identification Credential (TWIC) is moving forward with a smart card-based program. “We’ve completed the technology evaluation phase and the prototype phase is imminent,” said Jack Cassidy of BearingPoint, speaking for the Transportation Security Administration.

One of the important steps forward in the program was to add the 14 deepwater ports in the State of Florida to the ports in Philadelphia-Camden-Wilmington and Long Beach that participated in the first round of tests. “Florida statutes mandate a uniform access identity credential modeled on the U.S. TWIC program. That got Florida working closely with TWIC,” said Billie Dixon, lead of the integrated Florida TWIC team.

Florida has decided to do enrollment with port personnel working in conjunction with TSA, and they will use the TSA centralized card issuance model for security reasons. Based on years of experience in looking at security for distributed driver’s license issuance for the Department of Motor Vehicles, “we trusted the centralized issuance model,” said Dixon. “That takes care of security problems that are enormous otherwise.”

Things will move fast, according to Dixon. “We have to show substantial progress by July 1 of this year with at least one port operational. It is an aggressive timeline but we believe we can make that.”

Universal Transit Farecard Standards (UTFS)

Greg Garback, executive officer, department of finance, Washington Metropolitan Area Transit Authority, told attendees about a new standards initiative–the Universal Transit Farecard Standards (UTFS). Established at the request of transit agency executives throughout the United States, UTFS is an activity of the American Public Transportation Association under the auspices of the U.S. Department of Transportation (USDOT).

The goal of UTFS is to develop a standard that “achieves vendor neutrality and is technology agnostic,” said Garback. “We are striving for a plug and play environment for application hardware and software using off-the-shelf products.”

The primary work products of the new organization will be in the form of standards and guideline specifications. The group plans to finalize a smart farecard specification by September 2004, building on work done in the Port Authority of New York and New Jersey Regional Interface Specification and the Vendor Equipment Interface from the San Francisco-based Bay Area Rapid Transit program.

APTA will also work on a Security Planning guideline, expected to be completed in 2005.

NIST and the GSC-IS Specifications

Theresa Schwarzhoff told the federal project managers group attendees that the work done on the Government Smart Card Interoperability Specification (GSC-IS) by NIST and many Alliance member organizations has led to a favorable response by the International Standards Organization (ISO). With 19 of 23 votes cast as a “yes,” the ISO organization established a task force to develop a standard based on GSC-IS 2.1.

Federal Identity Credentialing Committee

Judy Spencer, chair of the FICC, reported that the progress made by the committee since its inception about a year ago bodes well for using smart cards for computer security. “If you want to have a Level 4 strong assurance you really need a smart card or some other hardware token,” said Spencer. “You want to be sure the identity is not loaded in software on someone’s computer somewhere or stored on a password list.”

Spencer referred to guidelines established by The Office of Management and Budget in memo M-04-04, “E-authentication Guidance for Federal Agencies,” one of the foundation documents of the FICC. The OMB guidance establishes four levels of authentication assurance, from Level 1, which is no authentication, to Level 4, which combines strong authentication of an individual’s identity with high-security for identity storage and verification in the form of a token.

The FICC vision is aligned with the U.S. federal government’s goal of a common access credential for physical access. “Our vision is that if I go to another federal agency and I present my credential at the front door they can electronically authenticate it. We’re not relying on the old ‘looks like a GSA card’ visual inspection anymore,” said Spencer.

Policy, Business Rules Contribute to Success

“The federal government is doing things the right way, and that is why smart card programs are succeeding,” said the Alliance’s Vanderhoof. “They did not just throw smart card technology out there and expect it to fly. The real focus is right where it should be–a balance of policy, business rules and technology standards.”

The Smart Card Alliance plans to make the proceedings from “Smart Cards In Government 2004” available at http://www.securetechalliance.org. All Smart Card Alliance reports and proceedings are available to members at no charge.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to accelerate the acceptance of smart card technology.

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. For more information please visit http://www.securetechalliance.org.