October 27th was deadline day for the four-year-old HSPD-12 initiative. Attendees at the Smart Card Alliance Smart Cards in Government Conference got a firsthand report Friday on the governmentwide credentialing program’s impressive results from a key figure in the program—Karen Evans, administrator of e-government and IT for the Office of Management and Budget.

In what she termed a “successful partnership between government and industry,” Evans summarized the achievements of the last four years. Standards were created and implemented; identity vetting and issuance processes are in place; 34 system integrators and 370 products were qualified; every agency has plans in place to implement both physical and logical access control using the Personal Identity Verification (PIV) cards; and as of September 1st more than 1.2 million credentials had been issued to federal government employees who were fully vetted by the new process, according to Evans. One particularly telling anecdote is that the new PIV card and surrounding infrastructure enabled the President to electronically authorize and submit the official U.S. budget to the Government Printing Office (GPO) and Capitol Hill earlier this year, a first for the United States or for any country, she said. Up-to-date results on how close the government came to its goal of credentialing approximately two million federal employees will be announced this week.

State and local governments are now starting to plan and test how to issue and use PIV interoperable cards, and enterprises are also moving to adopt PIV interoperable or compliant cards. Since only the federal government can issue PIV cards, distinctions are evolving for PIV interoperable and PIV compatible cards, based mostly on whether the PKI certificate comes from a Certificate Authority (CA) approved through the federal bridge. PIV compatible cards issued by commercial enterprises would, like PIV cards, meet the FIPS 201 technical specifications but have digital certificates that are not cross-linked and therefore not interoperable with the federal government.

Robert Bunty, an IT policy consultant for the Commonwealth of Pennsylvania, reported the state has largely completed putting an infrastructure in place to issue and use PIV interoperable credentials for network security as part of its Identity Protection Access Management vision. The next challenge is to get leadership buy-in and support to generate “the big MO” needed to issue and use the credentials statewide, Bunty said.

In addition to strong authentication for network security, many states in the National Capital Region see the FEMA-led initiative to create an interoperable First Responder Authentication Credential (FRAC) as the main motivation to start issuing PIV interoperable credentials. Mike McAllister of the Governor’s Office of Commonwealth Preparedness announced that Virginia would be starting its phase two program to issue an additional 2,000 FRAC credentials in December 2008 for emergency responders in Alexandria and Arlington County. Virginia was the first state to issue FRACs and has already issued 2,200, according to McAllister.

Several of the presenters at the Alliance conference applauded the efforts of FEMA’s Craig Wilson, coordinator for National Preparedness, for his leadership in programs to create a trusted, interoperable identity credential that can be used by federal, state and local authorities. To make sure every emergency response official (ERO) is ready to use a FRAC in a disaster, Wilson and his team have organized 13 demonstrations to test various emergency scenarios, including last week’s Autumn Rush in Gettysburg, Pennsylvania. The FRAC builds on the PIV standards and smart cards, but Wilson reminded attendees this is not about technology. It is about capability—enabling law enforcement officials to make an informed decision about whom they can trust and what they can do at a time of crisis. “We don’t want chaos on top of chaos,” Wilson said.

Enterprises are also moving into PIV cards for physical and logical access control. Northrop Grumman expects to fully badge 85 percent of its employees in 2009 with a PIV interoperable card called One Badge, and has already upgraded thousands of physical access control readers to work with the cards, according to Keith Ward of its System Integration and Automation division. 

Chris Williams of SAIC says about one-third of the company’s 44,000 employees have smart cards they use for logical access control. One interesting aspect is that all of them requested it, primarily as a replacement for one-time password (OTP) tokens. SAIC employees use the cards for strong authentication to desktops and networks, digital signature and encryption. Smart cards give employees more functionality at a lower cost than OTP tokens, Williams said.

The Smart Card Alliance Identity Council recently published a white paper, Using FIPS 201 and the PIV Card for the Corporate Enterprise, available for free at the Identity Council page on the Smart Card Alliance Web site at www.smartcardalliance.org, along with many other new white papers. Newly covered subjects include interoperable air transport identity credentials, what makes a smart card secure, and emergency response official credentials (FRAC).