Government Leaders Share Lessons, Visions on Identity, Security and Healthcare at Smart Card Alliance Conference
Princeton Junction, NJ, November 23, 2010 – The leaders driving smart card identity and security initiatives at the federal, state and local levels gathered at the Smart Card Alliance 9th Annual Smart Cards in Government Conference in Washington, D.C. last week. The group shared status updates and lessons learned for projects that are underway, and roadmaps and visions for new initiatives.
Three topics dominated the three-day event: the emerging National Strategy for Trusted Identity in Cyberspace (NSTIC), putting Personal Identity Verification (PIV) credentials to work for physical and logical access, and identity management in healthcare.
National Strategy for Trusted Identity in Cyberspace (NSTIC)
Ari Schwartz, senior policy adviser at NIST, expects the NSTIC document will be ready for President Obama’s signature this winter. While stressing that the strategy incorporates a wide range of solutions and different levels of assurance, Schwartz said there will “clearly be a role for smart cards.”
Many speakers agreed that the best role for smart cards in the proposed cybersecurity identity ecosystem would be in high-value assurance applications. This would take full advantage of the work done on the PIV and PIV-I (PIV-Interoperable) standards, which underlie the two-factor authentication credentials already widely used by the federal government and increasingly adopted by states and commercial organizations.
As the NSTIC strategy document works its way through the approval process, stakeholders are working towards an implementation strategy. According to Michael Garcia, a cybersecurity strategist in the Department of Homeland Security involved in the program, in 2011 they expect to stand up a National Program Office, which will serve as a focal point, and also anticipate pilots in the private sector. Both Garcia and Schwartz stressed that private sector involvement is essential to the success of the program, and encouraged organizations interested in the NSTIC initiative to get involved in helping to define implementation efforts, particularly in the area of interoperability.
PIV and PIV-I
With more than 75 percent of federal employees and contractors now carrying a smart card-based PIV credential, the focus is shifting to putting those cards to use for physical and logical access control. At the conference, representatives from the GSA, the Center for Disease Control, the Pentagon and others explained how they’re using the Federal Identity Credential and Access Management (FICAM) Guidance as a roadmap to move forward. At GSA, for example, 99 percent of employees and 80 percent of contractors have PIV cards; 95 percent of the 16,000 people who access their network are using the PIV cards for secure network login.
The PIV-I standard is gaining momentum with government contractors, state and local governments, and other programs. The Commonwealth of Virginia is following the PIV-I standard for its First Responder Authentication Credential (FRAC). The Commonwealth has expanded its FRAC program in the Hampton Roads region, and will issue 13,000 FRAC cards by the end of 2011. Planning is also underway for issuing the FRAC to emergency responders throughout the remainder of the Commonwealth.
PIV-I will also be the basis for the next generation of biometric/smart card airport security access credentials. The American Association of Airport Executives (AAAE) and airport representatives from around the country are taking the lead on an industry effort to create a biometric-based solution for airport badging and access control known as the Biometric Airport Security Identification Credential or BASIC. Seven airports have already started moving toward the framework, although they are not yet issuing PIV-I credentials.
Washington, D.C., the host city for the Alliance conference, is a leader in using smart cards at the local government level. Bryan Sivak, the city’s CTO, reports his office is working on a PIV-I roadmap, including a project to credential licensed taxi drivers with a PIV-I card in an effort to crack down on fraud and increase security for customers. The city already is issuing the smart card-based DC One multi-application card that rolls up a number of municipal services such as school and recreation center access, library privileges and metro ticketing. Today, more than 70,000 DC One cards have been issued to D.C. public school students in grades 6 through 12 across 71 schools, District of Columbia government employees, Summer Youth Employment Program participants and Department of Parks and Recreation patrons.
Another program that continues to move forward is the Transportation Worker Identification Credential (TWIC). Representatives of the Port of Los Angeles pilot reported that more than 36,000 individuals are now enrolled.
Identity Management in Healthcare
Picking up speed are national efforts to implement electronic health records throughout the healthcare system, enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) as part of the American Recovery and Reinvestment Act (ARRA) of 2009. Deborah Lafky, security lead in the Office of the National Coordinator for Health IT, reported that 70 regional extension centers, established to provide local help to healthcare organizations, are now starting to have an impact.
While identity management continues to take a backseat to the broad goals to establish and exchange electronic medical records, privacy advocate Deven McGraw, director of the Center for Democracy and Technology, said that one of the watershed events in 2010 was the recognition that privacy and security are a key point for “meaningful use” of EHR technology. This is significant because the phrase “meaningful use” is part of the definition of what must be achieved in order to receive Medicare HIT incentive payments under the Recovery Act.
Controlling access to information in healthcare records is one of the privacy and security concerns getting more attention, particularly in the area of consent. “Role-based access control is too blunt an instrument,” said Lafky, explaining that some patients may not want to give a doctor blanket approval to see everything in a health record. She suggested some kind of attribute-based approach is likely to be required to provide a patient with a higher level of granularity with which to control access to his or her information.
For her part, McGraw reminded the audience that, “The law is already set. It’s a breach if someone internally looks at a record they’re not supposed to see.” Still, she recognizes that we can’t look to policy to answer all of our questions. She believes there will be more technology innovation by individual organizations as they see problems or opportunities and act on their own to enhance the privacy and security of healthcare information.
The full proceedings from the Alliance conference were recorded and are available for purchase. For more information please visit http://www.smartcardalliance.com.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.securetechalliance.org.