Electronic Government:

Progress in Promoting Adoption of Smart Card Technology

GAO-03-144: Published: Jan 3, 2003. Publicly Released: Feb 4, 2003.

Contact:

Linda D. Koontz
(202) 512-7487
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Smart cards--credit-card-like devices that use integrated circuit chips to store and process data--offer a range of potential uses for the federal government, particularly in increasing security for its many physical and information assets. GAO was asked to review the use of smart cards across the federal government (including identifying potential challenges), as well as the effectiveness of the General Services Administration (GSA) in promoting government adoption of smart card technologies.

Progress has been made in implementing smart card technology across government. As of November 2002, 18 federal agencies had reported initiating a total of 62 smart card projects. These projects have provided a variety of benefits and services, from verifying the identity of people accessing buildings and computer systems to tracking immunization records. To successfully implement such systems, agency managers have faced a number of substantial challenges: (1) sustaining executive-level commitment in the face of organizational resistance and cost concerns; (2) obtaining adequate resources for projects that can require extensive modifications to technical infrastructures and software; (3) integrating security practices across agencies, a task requiring collaboration among separate and dissimilar internal organizations; (4) achieving smart card interoperability across the government; and (5) maintaining the security of smart card systems and privacy of personal information. In helping agencies to overcome these challenges, not only GSA but also the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have roles to play. As the federal government's designated promoter of smart card technology, GSA assists agencies in assessing the potential of smart cards and in implementation. Although GSA has helped agencies significantly by implementing a governmentwide, standards-based contracting vehicle, it has not kept guidance up to date and has not addressed important subjects, such as building security standards, in its guidance. Further, OMB, which is responsible for setting policies for ensuring the security of federal information and systems, has not issued governmentwide policy on adoption of smart cards. In its role of setting technical standards, NIST is responsible for the government smart card interoperability specification, which does not yet address significant emerging technologies.
Updated guidance, policy, and standards would help agencies to take advantage of the potential of smart cards to enhance security and other agency operations.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Administrator, GSA, should improve the effectiveness of its promotion of smart card technologies within the federal government by establishing guidelines for federal building security that address the role of smart card technology.

    Agency Affected: General Services Administration

    Status: Closed - Implemented

    Comments: The recommendation for improving the effectiveness of smart card technology by establishing guidelines for federal building security was transferred to the Department of Homeland Security (DHS) because the Federal Protective Service had been moved to DHS when the department was created. In February 2005 the National Institute of Standards and Technology published the mandatory, governmentwide standard for secure and reliable forms of identification for federal government employees and contractors that access government-controlled facilities and information systems, titled the Federal Information Processing Standards (FIPS) Publication 201. In addition, the Government Smart Card Interagency Advisory Board's Physical Security Interagency Interoperability Working Group, which includes representatives from the Department of Homeland Security, developed the publication "Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems (PACS)". This document provides guidance on physical access and is referenced and supported by FIPS 201. As a result, DHS has helped to enhance the security of federal buildings and agency officials' abilities to implement smart card systems in a consistent and effective manner.

    Recommendation: The Administrator, GSA, should improve the effectiveness of its promotion of smart card technologies within the federal government by updating its governmentwide implementation strategy and administrative guidance on implementing smart card systems to address current security priorities, including minimum security standards for federal facilities, computer systems, and data across the government.

    Agency Affected: General Services Administration

    Status: Closed - Implemented

    Comments: In February 2004 GSA issued the "Government Smart Card Handbook" to share lessons learned and provide guidance to better address security priorities, including minimum security standards for federal facilities, computer systems, and data across the government. The handbook, which updated the "Smart Card Policy and Administrative Guidance" published in October 2000, also provides guidance on security strategies to federal agencies contemplating the development and deployment of smart card systems with other technologies such as PKI and biometrics. In addition, the handbook sets the NIST Smart Card Interoperability Specification as the minimum security standard for smart card systems interoperability. Furthermore, in March 2004 the Federal Identity Credentialing Committee issued guidance to federal agencies on the use of smart card based technology in badge, identification, and credentialing systems.

    Recommendation: The Administrator, GSA, should improve the effectiveness of its promotion of smart card technologies within the federal government by developing an internal implementation strategy with specific goals and milestones to ensure that GSA's internal organizations support and implement smart card systems, based on internal guidelines drafted in 2002, to provide better service and set an example for other federal agencies.

    Agency Affected: General Services Administration

    Status: Closed - Implemented

    Comments: In August 2005 the President issued Homeland Security Presidential Directive 12 (HSPD-12), which outlined a government-wide strategy for implementing smart card-based federal identity cards across the federal government. On June 27, 2005, GSA submitted to OMB its implementation plan that outlines specific goals and milestones in support of this strategy.

    Recommendation: The Director, NIST, should continue to improve and update the government smart card interoperability specification by addressing governmentwide standards for additional technologies--such as contactless cards, biometrics, and optical stripe media--as well as integration with public key infrastructure, to ensure broad interoperability among federal agency systems.

    Agency Affected: Department of Commerce: National Institute of Standards and Technology

    Status: Closed - Implemented

    Comments: As recommended, NIST has continued to improve and update the government smart card interoperability specification by addressing additional technologies, such as contactless cards and biometrics, in version 2.1, published on July 18, 2003. In addition, NIST has taken steps to integrate smart card technology and public key infrastructure through its involvement in the newly established Federal Identity and Credentialing Committee and by assisting in the development of an interagency framework. By taking these steps, NIST has better ensured that smart card technology will interoperate among federal agencies and across government.

    Recommendation: The Director, Office of Management and Budget (OMB), should issue governmentwide policy guidance regarding adoption of smart cards for secure access to physical and logical assets. In preparing this guidance, OMB should seek input from all federal agencies that may be affected by the guidance, with particular emphasis on agencies with smart card expertise, including the General Services Administration (GSA), the Government Smart Card Interagency Advisory Board (GSC-IAB), and the National Institute of Standards and Technology (NIST).

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Closed - Implemented

    Comments: On July 3, 2003, OMB issued a memorandum to major departments and agencies to coordinate and consolidate investments related to authentication and identity management, including the implementation of smart card technology. The memorandum calls for improvements in security protections for physical and electronic resources and common authentication and identity management processes across government, beginning by December 2003. Agencies were also directed to consult with the Federal Identity and Credentialing Committee (FICC) and E-Authentication Gateway before acquiring authentication technologies, including smart cards. As a result of the action taken by OMB, the Government Smart Card Interagency Advisory Board, the former Federal PKI Steering Committee, and Interagency Security Committee are for the first time coordinating efforts through the FICC to improve and provide consistent physical and computer security and guidance across government.

    Recommendation: The Administrator, GSA, should improve the effectiveness of its promotion of smart card technologies within the federal government by developing a process for conducting ongoing evaluations of the implementation of smart-card based systems by federal agencies to ensure that lessons learned and best practices are shared across government.

    Agency Affected: General Services Administration

    Status: Closed - Implemented

    Comments: In August 2005 the President issued Homeland Security Presidential Directive 12 (HSPD-12), which outlined a strategy for implementing smart federal identity cards across the federal government. Within GSA's role, as defined by HSPD-12 and OMB, GSA has among other things (1) published the Federal Identity Management Handbook, which is an implementation guide to agency officials as they pursue compliance with HSPD-12 and the Federal Information Processing Standards (FIPS) Publication 201, (2) issued acquisition guidance to federal agencies, and (3) developed testing for smart card products to ensure they are interoperable with each other. As a result of GSA's efforts, important information regarding planning for, acquiring, and implementing smart cards is available to federal agencies to enable them to make educated and cost-effective decisions when implementing smart card systems.
