US Government

U.S. Government Smart Card / PKI Initiatives & NIST Specifications

The United States government has established a multitude of specifications and compliance requirements needed to deploy cryptographic security and access smart card functions across its many agencies. These agencies have coordination and steering committees as well as test facilities.

Two important industry-shaping activities on the security and identity management side of the smart card industry have been Presidential Directive HSPD-12, and the U.S. State Department's rush towards electronic passports that are built with contactless chip technology.

The specifications for Presidential Directive 12, which mandates a strong ID credential for all government employees, will be released by the end of February 2005 and government agencies will be under a time clock to comply with those specs. This presidential directive set in motion a federal enterprise-wide smart card standardization effort.

In addition, there was the much-publicized U.S. Passport Office's ePassport program that goes into effect in 2005, along with other high-profile projects from the Department of Defense, Department of Homeland Security, NASA, Veterans Affairs, and even some state governments.

Neither project directly relates to the other but both projects are breaking new ground in defining interoperability on a national and international scale. The level of standards engagement and policy-making by powerful bodies like ICAO, NIST, ANSI, and ISO and the smart card industry is unprecedented.

The ePassport testing and procurement program has been delayed twice but is now underway again after a vendor protest led to the Bureau of Consular Affairs inviting four additional vendors to join the evaluation process, resulting in a total of eight awards.

Department of Homeland Security

Homeland Security announced in October 2004 the adoption of its first biometric facial recognition standard, designed to be consistent with international standards for biometrics used in such applications as travel documents.

The standard will help improve long-term security by using and comparing all digitally stored photographs, the undersecretary for science and technology said. Homeland Security will use the standard as technical criteria upon which to design equipment such as cameras and software for facial recognition.

NIST GSC-IS smart card specification

Officials from the National Institute of Standards and Technology (NIST), Office of Management and Budget (OMB) and other agencies drafted the Federal Information Processing Standard (FIPS) 201, which was approved in February 2005 and specifies the minimum technical and operational requirements for such a system and card. More than 80 organizations and individuals commented on the proposal.

FIPS 201 describes requirements needed to meet the control and security requirements within HSPD-12, including the process to prove an individual's identity. It also explains the components and processes to support a smart-card platform, which would contain biographic data, a printed photograph, and biometric information (two electronically stored fingerprints) on an electronic chip. The card would also contain a password or personal identification number so card holders would be in control of releasing the information to requesting entities.

Information on the GSC-IS specifications. These specifications are a guide to the next generation of smart cards used throughout most US government agencies. The GSC-IS specification is split into parts: host-side software stack (BSI), on-card APDU specification for Java Cards, and on-card APDU specification for file-system cards.

The computer scientists at NIST have for decades helped the FBI improve the automation process for matching prints found at crime scenes against the FBI's master file of fingerprints. NIST also works with systems that match facial images. While facial recognition systems employ different algorithms than fingerprint systems, many of the underlying methods for testing the accuracy of these systems are the same.

NIST Special Publication 800-63 - Biometric e-Authentication

Computer Security Division - Computer Security Resource Center - National Institute of Standards and Technology

1. How can Federal agencies and other organizations use biometrics to authenticate unsupervised remote claimants whose computers and workstations they do not manage or control?

2. How do we compare the authentication assurance provided by unsupervised biometric methods to the conventional methods now defined in NIST Special Publication 800-63?

3. In what way could biometrics be appropriately used for each of the four authentication levels?

4. What constraints and protections need to be in place to use biometrics in a secure solution?

DON-CIO Test Site

Information and test facilities to test your DoD Common Access Card with HTTP/SSL authentication.

Department of Defense DoD PKE

Information on PKE-enabling applications and the requirements for validating PKI applications for use inside the government.

Joint Interoperability Test Command

Information on how to validate your products for use inside government agencies. JITC performs testing and analysis on various hardware and software products.

SETD Army Website

Information on how to validate smart card and PKI products for use inside the US Army.

Department of Defense Biometric Management Office

"Working with our DOD and U.S. government partners, DOD Biometrics has taken significant steps to improve our use of biometric technologies, particularly in supporting U.S. efforts in the global war on terrorism," said BMO director John Woodward. 

"We continue to work this area as an urgent priority and welcome Dr. Joseph Guzman to our team. Dr. Guzman's expertise will help [BMO] advance our mission to bring biometrics closer to the warfighter."

Government Computer Smart Card News - search results for articles in Government Computer News

Smart Cards in eGovernment Conference 2005 March 9-11

March 8 Pre-conference--Government Secure Credentialing workshop:

* Smart card standards from GSC-IS to FIPS 201
* Smart card security, NIST SP800.73
* External and internal attributes of a secure credential
* Contactless smart cards
* Implementation and integration of logical and physical security
* Card issuance
* Roundtable with industry experts.

March 9

* 9-noon: Federal Smart Card Project Managers Group meeting 
* Starting at 2:45: Keynote address on Presidential Directive 12, Moving Government Towards a Common Identity Credential 
* The Federal Identity Management Handbook, Judith Spencer, Federal Credentialing Committee chair, GSA.
* U.S. ePassports: Meeting the New ICAO Standards, Frank Moss, deputy assistant secretary, passport services, Bureau of Consular Affairs, U.S. Department of State.
* Government Printing Office: New Directions and Challenges for Secure Documents, Larry Jellen, general manager, GPO's Security and Intelligent Document Unit.
* The Legislative Environment for Identity Management Reform, Rob Atkinson, vice president, Progressive Policy Institute.

March 10 (Concurrent Sessions)

Track 1: Technology and Standards

* Overview of FIPS 201 and SP800.73, Jim Dray, NIST.
* IAB Committee panel on Data Models, Card Interface and Card API.
* IAB Committee Panel on Business Policy, Conformance, and Acquisition.
* FIPS Position on Card Management.
* NIST Special Publication on Biometrics.
* Industry Panel: Meeting the HSPD-12 Challenge (card industry, readers, middleware, and integrator approaches).

Track 2: Business and Implementation Issues

* Panel: Alternative Approaches to Identity Management and Security (Visa and passports, ID cards, networks, driver's licenses).
* Cross Credentialing: Breaking down the Barriers.
* Convergence of Logical and Physical Security, Making the Pieces Fit.
* Convergence of Transit Payment and Government ID.
* Examples of Government Smart Cards in Action (DOD's Common Access Card, Department of Homeland Security, General Services Administration, NASA, and Veterans Administration).

Following the concurrent sessions, there will be an invitation-only briefing for CIOs and CFOs of federal agencies on HSPD-12.

March 11 (Concurrent Sessions)

Track 1: Technology and Standards

* Panel: Contactless chips in ePassports and eVisas (ICAO mandatory and optional standards, Fact versus fiction on Passport Vulnerabilities, Managing Biometrics on Passports).
* Java versus .Net Security and Applications.
* More from GSC to ANSI to ISO.
* Panel: Conformance and Certification (New FIPS 140-3 Chip Security Tests, Pre-Issuance Testing and security, ANSI B10 testing models). Contactless and Dual Interface Chips, examining the security issues. Advances in Biometrics Developments.

Track 2: Business and Implementation Issues

* Panel: HSPD-12 Policy and Implementation Guidelines (interpreting the directive, identity proofing, implementation issues).
* Panel: Implementation Guidance, Navigating the FICC Manual. Multi-agency Aggregate Buying.
* Central versus De-Centralized Card Issuance.
* Examples of Government Smart Cards in Action (from the Department of State and U.S. Treasury and others).
* Public Facing Government ID Cards (TWIC and Registered Traveler).

Global Information Grid (GIG)

The Global Information Grid (GIG), as it is being defined by the U.S. Department of Defense (DoD), provides a fundamental shift away from centralized "information-push" technologies, toward a new era of information sharing by authorized users, anywhere, anytime. Building on the currently available Internet technologies, the GIG will provide to the U.S. DoD, its allies and coalition partners, a secure, highly available, and globally interconnected information environment to meet the real-time and near real-time information needs for security, military, diplomatic, and civil government purposes as well as for commercial enterprises.

Department of Homeland Security Access Card

03/05 - WASHINGTON -- A new smartcard, the type privacy advocates fear because it combines biometric data with radio tags, will soon be one of the most common ID cards in Washington.

Department of Homeland Security workers in May will begin using the new ID card, called the DAC, to gain access to secure areas, log on to government computers and even pay their Metro subway fares.

The DAC, which stands for Department of Homeland Security Access Card, will carry a digital copy of its bearer's fingerprint and other personally identifiable information. It will use radio-frequency identification and Bluetooth technologies to communicate with reader devices at the department's offices.

RFID Invades the Capital - Wired News Story - continued