HSPD-12 PIV Cards Moving into States and Enterprises
October 27th was deadline day for the four-year-old HSPD-12 initiative. Attendees at the Smart Card Alliance Smart Cards in Government Conference got a firsthand report Friday on the governmentwide credentialing program’s impressive results from a key figure in the program—Karen Evans, administrator of e-government and IT for the Office of Management and Budget.
In what she termed a “successful partnership between government and industry,” Evans summarized the achievements of the last four years. Standards were created and implemented; identity vetting and issuance processes are in place; 34 system integrators and 370 products were qualified; every agency has plans in place to implement both physical and logical access control using the Personal Identity Verification (PIV) cards; and as of September 1st more than 1.2 million credentials had been issued to federal government employees who were fully vetted by the new process, according to Evans. One particularly telling anecdote is that the new PIV card and surrounding infrastructure enabled the President to electronically authorize and submit the official
State and local governments are now starting to plan and test how to issue and use PIV interoperable cards, and enterprises are also moving to adopt PIV interoperable or compliant cards. Since only the federal government can issue PIV cards, distinctions are evolving for PIV interoperable and PIV compatible cards, based mostly on whether the PKI certificate comes from a Certificate Authority (CA) approved through the federal bridge. PIV compatible cards issued by commercial enterprises would, like PIV cards, meet the FIPS 201 technical specifications but have digital certificates that are not cross-linked and therefore not interoperable with the federal government.
Robert Bunty, an IT policy consultant for the
In addition to strong authentication for network security, many states in the National Capital Region see the FEMA-led initiative to create an interoperable First Responder Authentication Credential (FRAC) as the main motivation to start issuing PIV interoperable credentials. Mike McAllister of the Governor’s Office of Commonwealth Preparedness announced that
Several of the presenters at the
Enterprises are also moving into PIV cards for physical and logical access control. Northrop Grumman expects to fully badge 85 percent of its employees in 2009 with a PIV interoperable card called One Badge, and has already upgraded thousands of physical access control readers to work with the cards, according to Keith Ward of its System Integration and Automation division.
Chris Williams of SAIC says about one-third of the company’s 44,000 employees have smart cards they use for logical access control. One interesting aspect is that all of them requested it, primarily as a replacement for one-time password (OTP) tokens. SAIC employees use the cards for strong authentication to desktops and networks, digital signature and encryption. Smart cards give employees more functionality at a lower cost than OTP tokens, Williams said.
The Smart Card Alliance Identity Council recently published a white paper, Using FIPS 201 and the PIV Card for the Corporate Enterprise. It is available for free, along with many other new white papers, on the Identity Council page of the Smart Card Alliance Web site at www.smartcardalliance.org. Newly covered subjects include interoperable air transport identity credentials, what makes a smart card secure, and emergency response official credentials (FRAC).