Federal Agencies Continue to Invest in Smart Card Technology
GAO-04-948, Sep 8, 2004
Smart cards--plastic devices about the size of a credit card--use integrated circuit chips to store and process data, much like a computer. Among other uses, these devices can provide security for physical assets and information by helping to verify the identity of people accessing buildings and computer systems. They can also support functions such as tracking immunization records or storing cash value for electronic purchases. Government adoption of smart card technology is being facilitated by the General Services Administration (GSA), which has implemented a governmentwide Smart Card Access Common ID contract, which federal agencies can use to procure smart card products and services. GAO was asked to update information that it reported in January 2003 on the progress made by the federal government in promoting smart card technology. Specific objectives were to (1) determine the current status of smart card projects identified in GAO's last review, (2) identify and determine the status of projects initiated since the last review, and (3) identify integrated agencywide smart card projects currently under way. To accomplish these objectives, GAO surveyed the 24 major federal agencies. In commenting on a draft of this report, officials from GSA and the Office of Management and Budget generally agreed with its content.
According to GAO's survey results, as of June 2004, more than half of the smart card projects previously reported as ongoing (28 out of 52) had been discontinued because they were absorbed into other smart card projects or were deemed no longer feasible. Of the remaining 24 projects, 16 are in planning, pilot, or operational phases and are intended to support a variety of uses (agencies did not provide current information for 8 projects). Twelve of the 16 projects are large-scale projects intended to provide identity credentials to an entire agency's employees or other large group of individuals. For example, the Department of Defense's (DOD) Common Access Card is to be issued to an estimated 3.5 million DOD-related personnel, and the Transportation Security Administration's Transportation Worker Identification Credential is to be used by an estimated 6 million transportation industry workers. The other 4 projects are smaller in scale, and are intended to provide access or other services to limited groups of people. For example, the Department of Commerce's Geophysical Fluid Dynamics Laboratory Access Card is to be issued to about 612 employees, contractors, and research collaborators. Further, in response to the survey, agencies reported 8 additional smart card projects that were ongoing at the time of the last review. These projects include 4 planned for multiple applications (such as identity credentials and access) and 4 for single applications, including stored value, access to computer systems, and processing travel documents. Based on GAO's survey of federal agencies, 10 additional smart card projects have been initiated since the last review. These projects vary widely in size and scope. Included are small-scale projects, involving cards issued to as few as 126 cardholders (such as a project in the Department of Labor's Employment and Training Administration), and large-scale agencywide initiatives, such as the Department of Veterans Affairs Authentication and Authorization Infrastructure card, which is to be issued to an estimated 500,000 employees and contractors. Four agencies reported purchases under GSA's Smart Card Access Common ID contracting vehicle, and others likewise have plans to use this contract. Specifically, five agencies--the Departments of Defense, Homeland Security, the Interior, and Veterans Affairs, and the National Aeronautics and Space Administration--are planning to make an aggregated purchase of up to 40 million cards over the next 4 years using the GSA contract. Finally, nine agencies are developing and implementing integrated agencywide smart card initiatives. These projects are intended to use one card to support multiple functions, such as providing identification credentials, accessing computer systems, and storing monetary values.