Your new ID card
What it can do now – and what it may do in the future
By STEPHEN LOSEY
October 16, 2006
Beginning Oct. 27 and continuing over the next two years, agencies will dispense new smart access cards to all federal employees and thousands of contractors who work in or frequent federal buildings.
By October 2008, all federal employees will get into their office buildings by waving these smart cards over a reader and having a fingerprint scanned. Once at his desk, an employee will insert the card into a reader hooked up to his computer, press a finger on another scanner, type in a four- to eight-digit personal identification number, and automatically log on to e-mail, instant messaging, databases or other systems without any further logins.
If an employee visits another federal agency, he won’t have to sign in at the door and get a visitor’s badge — just another swipe and fingerprint scan.
And while visiting another federal office, a fed can plug his card into a computer to remotely check his office e-mail or access information on his agency’s database.
But the cards are more than just a fancy way to get into a building or computer system. Advocates say they’ll safeguard information on government laptops, enable secure teleworking, and free employees of the need to keep countless user names and passwords, among other benefits.
What comes with the card beyond that is up to the imaginations of agency officials, experts say.
“The opportunities that exist are significant,” said Brendan Peter, senior director for industry affairs for LexisNexis Special Services Inc.
Each card will have its owner’s photograph; a computer chip containing his name, two encrypted fingerprints, and a PIN; and access information, such as his security clearance and access codes for specific buildings and computer systems. It will be contactless, which means it can be waved over — rather than inserted into — a scanner for quick access.
President Bush ordered all agencies to adopt a common smart card in his August 2004 Homeland Security Presidential Directive 12, or HSPD-12.
The card will be similar to the latest version of the common access card now used by military personnel and Defense Department contractors.
The biggest advantage of the new card is that it will make everyone’s job a little simpler and improve security, said Joe Broghamer, director of authentication technologies for the Homeland Security Department.
“One of the things that you see a lot in publications [when new security measures are enacted] is that, ‘Well, I know it’s going to be more difficult, but you just have to put up with this,’” Broghamer said at a Sept. 19 panel discussion on HSPD-12 in Washington. “That is absolutely, in my mind, false. To make security work it has to increase functionality first, and security [comes] second.”
The ID card cobbles together all the access functions employees need and will be used several times each day, Broghamer said.
Other uses
There are many possible applications for the cards.
For instance, Phil Libin, president of CoreStreet of Cambridge, Mass., said the cards can help secure and organize a chaotic disaster scene. Libin’s company sells a handheld card reader called PIVMAN that he said can check first responders’ credentials and quickly learn their skills. When scanned at a disaster scene, a first responder’s card could inform authorities that he has first aid skills, for example, or hazardous material training, and an organizing officer can quickly direct him to where he is needed.
The new ID card also could make it tougher for an unauthorized person to get sensitive information out of a government laptop, said Jeff Stratyner, strategic solutions manager for Quest Software of Aliso Viejo, Calif. This has been a serious concern across the government after a rash of laptop thefts from multiple agencies last summer. A Veterans Affairs Department laptop that contained personal data on more than 26 million veterans was stolen in May, but later recovered.
By automatically encrypting all information on laptops and requiring an ID card, fingerprint and PIN for decryption — as suggested by Clay Johnson, Office of Management and Budget deputy director for management, in a June 23 memo — only the most determined hackers would be able to access the data, Stratyner said.
Gordon Hannah, managing director for BearingPoint’s security and identity management solutions group, predicts more federal employees will telecommute once the card is in place. The improved access controls — which OMB has pushed for since the VA laptop theft — will help ease the security concerns many managers have about teleworking, he said.
The General Services Administration has struck a contract, worth up to $104 million over five years, with BearingPoint to offer smart cards to any interested agency. So far, 26 agencies representing more than 400,000 employees have signed up with BearingPoint, Hannah said.
Other companies such as SI International and Lockheed Martin, and the Interior Department’s National Business Center also will provide smart cards.
Hannah expects only a few orders at first. Agencies may only have a handful of cards issued on the first day, Oct. 27. Then orders likely will increase to the low thousands in the first two or three months, he said. Most people will get their cards by the end of 2007 and all will have them by the end of October 2008.
Infrastructure such as card readers should be in place by June, Hannah said.
The overall costs for the smart card rollout are unknown, although GSA said cards will cost about $110 each. With more than 1.8 million federal employees as of June, that means the government could see a $205 million bill — not counting the costs for card readers, fingerprint scanners and other infrastructure.
Hannah said BearingPoint could knock up to 30 percent off the $110 cost when it has half a million federal employees signed up for its services. GSA acting associate administrator John Sindelar said costs could decline by more than a third in the program’s second year.
Paying for the cards and equipment is bound to be a challenge. HSPD-12 is an unfunded mandate, meaning that agencies have to pay for their compliance out of their own operating budgets.
Background checks
Everyone getting a smart card will need to have a background check.
Some fear the background checks could choke the Office of Personnel Management’s already stressed system. But Kathy Dillaman, associate director of OPM’s Federal Investigative Services Division, said Sept. 26 at a San Diego conference that people with security clearances won’t need additional background checks. All others will require a less stringent check that can largely be automated, Dillaman said.
Under the required National Agency Check with Inquiries, the FBI will check one’s name and fingerprints against its databases to look for a criminal history. OPM, which handles background checks for the vast majority of federal employees and contractors, will then search other law enforcement databases for the last five years, and verify employment, education and last-known addresses.
OPM can handle the additional work, Dillaman said, but she worries that national, state and local record repositories — for example, 26,000 law enforcement agencies nationwide — will not be able to feed information to OPM fast enough.
“The potential number of people cleared under this could be very, very large,” Dillaman said. “We’re going to need a partnership with these feeder systems to handle the requests.”
If an agency doesn’t get someone’s background check back in five days, and if that person’s fingerprint check comes back clean, the agency can issue that person’s card, OMB said in August 2005.
Privacy
Experts say the cards should not provoke privacy concerns. For instance, the cards will not enable managers to track employees’ online or computer activity any more than they already can now. And the cards will not have radio frequency identification (RFID) tags by which managers can monitor the specific whereabouts of employees. A card can only inform a manager where an employee has swiped it.
“I don’t think there are any real privacy implications,” said Robert Atkinson, vice president and director of the Progressive Policy Institute’s Technology and New Economy Project.
Worth the trouble
Though they may bring headaches at first, advanced identification cards are worth the trouble, said Varina Bradberry, the director of resource management for the Army’s Training and Doctrine Command at Fort Jackson in South Carolina. Bradberry and her employees have been using the military’s common access card for three years. At first, some employees kept forgetting the cards at home or in their work computers. But her office has adjusted, she said, and most are happy with them now. About a quarter of the networks Bradberry uses, such as the Defense Travel System and Army Knowledge Online, are accessible with the common access card. In a few months, nearly all of those she uses will be.
“The general feeling was, it was a little inconvenient before they got used to it,” Bradberry said. “But once all systems are using it, with the added security, it will be a positive change.”
Future uses
There seems to be no limit on ideas on where agencies can go with the new card.
Several industry officials interviewed by Federal Times said the card could be used as a debit card for the office cafeteria, a travel card, or a government purchase card.
Hannah said the Defense Department is thinking about putting official allowance money for Washington’s Metro transit system on its common access card; this could also work for civilian agency cards. That could cut down on small-scale fraud, he said. An employee couldn’t just give his wife the Metro card for her own use, since he needs his card to go to work. And the card could be set up to deactivate during weekends or off hours, so the employee couldn’t use the card on his own time.
Or managers could use it as a time card that would make it impossible for someone to clock in for a friend.
The cards could ultimately include a digital signature that can be affixed to electronic contracts — saving postage costs and time required to mail paper copies for signatures — and e-mails for authentication.
They could serve as a quick identification at border crossings or at security checkpoints at airports as part of a prescreening program.
For those with special medical conditions or needs, the cards could hold valuable information for a doctor in the event of an emergency.
“This is absolutely a good thing,” Atkinson said. “IDs will happen, and they will include biometrics. The only question is, ‘Will the government get with the program?’”
E-mail: slosey@federaltimes.com