United States General Accounting Office
GAO Report to the Chairman, Subcommittee on Technology and Procurement Policy, House of Representatives
January 2003
ELECTRONIC GOVERNMENT
Progress in Promoting Adoption of Smart Card Technology
GAO-03-144

Highlights of GAO-03-144, a report to the Chairman, Subcommittee on Technology and Procurement Policy, House of Representatives

Smart cards—credit-card-like devices that use integrated circuit chips to store and process data—offer a range of potential uses for the federal government, particularly in increasing security for its many physical and information assets. GAO was asked to review the use of smart cards across the federal government (including identifying potential challenges), as well as the effectiveness of the General Services Administration (GSA) in promoting government adoption of smart card technologies.

Progress has been made in implementing smart card technology across government. As of November 2002, 18 federal agencies had reported initiating a total of 62 smart card projects. These projects have provided a range of benefits and services, ranging from verifying the identity of people accessing buildings and computer systems to tracking immunization records.

To successfully implement such systems, agency managers have faced a number of substantial challenges:
• sustaining executive-level commitment in the face of organizational resistance and cost concerns;
• obtaining adequate resources for projects that can require extensive modifications to technical infrastructures and software;
• integrating security practices across agencies, a task requiring collaboration among separate and dissimilar internal organizations;
• achieving smart card interoperability across the government;
• maintaining the security of smart card systems and privacy of personal information.

In helping agencies to overcome these challenges, not only GSA but also the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have roles to play. As the federal government’s designated promoter of smart card technology, GSA assists agencies in assessing the potential of smart cards and in implementation. Although GSA has helped agencies significantly by implementing a governmentwide, standards-based contracting vehicle, it has not kept guidance up to date and has not addressed important subjects, such as building security standards, in its guidance. Further, OMB, which is responsible for setting policies for ensuring the security of federal information and systems, has not issued governmentwide policy on adoption of smart cards. In its role of setting technical standards, NIST is responsible for the government smart card interoperability specification, which does not yet address significant emerging technologies. Updated guidance, policy, and standards would help agencies to take advantage of the potential of smart cards to enhance security and other agency operations.

GAO recommends, among other things, that GSA establish guidelines for federal building security that address smart card technology; that OMB establish policy on adoption of smart cards for physical and logical security; and that NIST continue to improve and update the government smart card interoperability specification. In commenting on a draft of this report, agency officials generally agreed with its content and recommendations.

A typical smart card (not to scale). Source: GSA.

www.gao.gov/cgi-bin/getrpt?GAO-03-144. To view the full report, including the scope and methodology, click on the link above. For more information, contact Linda Koontz at (202) 512-6240 or firstname.lastname@example.org.
Contents

Letter 1
Results in Brief 1
Background 5
Objectives, Scope, and Methodology 10
Many Government Smart Card Projects Are under Way or Planned, Offering a Variety of Benefits 11
Successful Adoption of Smart Cards Can Be Achieved If Challenges Are Met 17
GSA’s Effectiveness in Facilitating Federal Smart Card Adoption Has Been Limited 26
Conclusions 34
Recommendations 35
Agency Comments and Our Evaluation 36

Appendix
Appendix I: Information about Selected Government Smart Card Projects 38
Department of Defense 38
Department of the Interior 39
Department of Transportation 40
Department of the Treasury 41
Department of Veterans Affairs 42
Immigration and Naturalization Service 43
Western Governors’ Association 43

Glossary 46

Tables
Table 1: Summary Information on 62 Federal Smart Card Projects 13
Table 2: Status of Major Tasks from the EPIC and GSA Smart Card Plans 29

Figures
Figure 1: A Typical Smart Card 6
Figure 2: Features That May Be Incorporated into Smart Cards 9
Figure 3: Distribution of 62 Federal Projects by Project Phase 12

Page i GAO-03-144 Progress in Promoting Smart Cards

Abbreviations
CAC Common Access Card
DOD Department of Defense
EBT electronic benefits transfer
EPIC Electronic Processes Initiatives Committee
FAA Federal Aviation Administration
GSA General Services Administration
GSC-IAB Government Smart Card Interagency Advisory Board
HPP Health Passport Project
ID identification
NIST National Institute of Standards and Technology
OIG Office of Inspector General
OMB Office of Management and Budget
PKI public key infrastructure
TSA Transportation Security Administration
VA Department of Veterans Affairs
WGA Western Governors’ Association

United States General Accounting Office
Washington, D.C. 20548

January 3, 2003

The Honorable Tom Davis
Chairman, Subcommittee on Technology and Procurement Policy
Committee on Government Reform
House of Representatives

Dear Mr. Chairman:

As you know, technology plays an important role in helping the federal government provide security for its many physical and information assets. In particular, “smart cards”1 offer the potential to significantly improve the process of verifying the identity of people accessing federal buildings and computer systems, especially when used in combination with other technologies, such as biometrics. Further, smart cards can be used to support other business-related functions, such as tracking immunization records or storing cash value for electronic purchases. The General Services Administration (GSA) has promoted the adoption of smart card technology across government based on a goal, set in 1998, of equipping all federal employees with a standardized smart card for a wide range of services.

This report responds to your request that we review the federal government’s progress in promoting the use of smart cards as a way to streamline and better secure interactions between individuals and government agencies. Specifically, we agreed to assess (1) the extent to which federal agencies have adopted smart card technologies and realized the associated benefits, (2) the challenges of adopting smart cards within federal agencies, and (3) the effectiveness of GSA in promoting the adoption of smart card technologies within the federal government.

1 Smart cards are plastic devices—about the size of a credit card—that use integrated circuit chips to store and process data, much like a computer. This processing capability distinguishes these cards from traditional magnetic stripe cards, which cannot process or exchange data with automated information systems.

Results in Brief

As of November 2002, 18 agencies had reported initiating a total of 62 smart card projects in the federal government. These projects have provided a range of benefits and services to agencies and individual cardholders. Until recently, many of these projects were small-scale demonstration projects, involving as few as 100 cardholders and intended to show the value of using smart cards for identification or to store cash value or other personal information. However, over the last 2 years, much larger projects have been initiated to provide agencywide identification credentials and support advanced technologies to verify the identity of people accessing computer systems. To date, the largest smart card program to be implemented in the federal government is the Common Access Card (CAC) program of the Department of Defense (DOD), which is intended to be used for identification by about 4 million military and civilian personnel. Results from projects that are already in place indicate that smart cards offer many useful benefits, such as significantly reducing the processing time required for deploying military personnel, tracking immunization records of children, and verifying the identity of individuals accessing buildings and computer systems.

While the technology offers benefits, launching smart card projects—whether large or small—has proved challenging to federal agencies. According to agency officials, the multiple benefits of smart card adoption can be achieved only if key management and technical challenges are understood and addressed. Major implementation challenges include the following:

• Sustaining executive-level commitment. Without executive-level support and clear direction, large-scale smart card initiatives may encounter organizational resistance and cost concerns that lead to delays or cancellation. DOD officials stated that having a formal mandate to proceed with their CAC program has been crucial to its success.

• Recognizing resource requirements. Implementing a smart card system can be an expensive undertaking.
Extensive upgrades may be needed to an agency’s technical infrastructure, such as installing smart card readers on every computer system or developing new back-end systems to process and keep track of the identities associated with each card. If a public key infrastructure (PKI) is implemented in conjunction with smart cards, additional costs may be incurred to modify existing software applications so that they work with smart cards and PKI.2 Nevertheless, to obtain significant benefits such as increasing security over buildings, safeguarding computer systems and data, and conducting financial and nonfinancial transactions more accurately and efficiently, these costs may be justified.

• Integrating physical and logical security practices across organizations. The ability of smart card systems to address both physical and “logical” security3 means that unprecedented levels of cooperation may be required among internal organizations that often had not previously collaborated, such as physical security organizations and information technology (IT) organizations. Further, a departmentwide smart card initiative is likely to require substantial changes in existing processes for credentialing individuals, verifying those credentials when presented at building entrances, and accessing and using computer systems.

• Achieving interoperability among smart card systems.4 As agencies consider adopting smart cards and plan specific implementations, it will be important to ensure that these implementations are consistent across the government. Developing standards to ensure that smart cards, card readers, and related technologies such as biometrics can interoperate across government will be critical to realizing the benefits that could be achieved by investments in such technologies.

• Maintaining the security of smart card systems and privacy of personal information.
Although concerns about security are a key driver for the adoption of smart card technology in the federal government, the security of smart card systems themselves is not foolproof and must be addressed when agencies plan the implementation of smart card systems. In addition, protecting the privacy of personal information is of growing concern and must be addressed with regard to the data contained on smart cards.

2 A public key infrastructure is a system of computers, software, and data that relies on certain cryptographic techniques for some aspects of security. For more information, see U.S. General Accounting Office, Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001).
3 Access to computer systems is known as “logical access,” in contrast to “physical access,” which applies to buildings and other physical facilities.
4 Interoperability is the ability of two or more systems or components to exchange information and to use the information exchanged.

These challenges have slowed the adoption of smart card technology in past years; however, in the future, these challenges may prove less difficult, not only because of increased management attention to securing federal facilities and information systems, but also because technical advances have improved the capabilities and reduced the cost of smart card systems.

GSA’s effectiveness in promoting smart card technology in the federal government has been mixed. The agency has contributed significantly to making it easier for federal agencies to acquire commercial smart card products by implementing a governmentwide contracting vehicle based on technical standards developed in collaboration with the National Institute of Standards and Technology (NIST) and smart card vendors.
Further, it has taken action to organize federal smart card managers and share information about the technology. While these activities have been helpful, GSA has not taken other important steps to improve smart card initiatives and deployment strategies. For example, GSA’s effectiveness in demonstrating the value and readiness of smart card technology to other agencies and officials was limited because of problems implementing its own internal smart card systems and coordinating its smart card policies. Further, the agency has not kept its administrative guidelines or implementation strategy up to date. Nor has it established standards for the use of smart cards as a component of federal building security processes. Finally, GSA has not developed a framework for evaluating smart card implementations to help agencies reduce risks and contain costs.

While GSA can unilaterally take a number of actions to promote smart card adoption, it shares responsibility for governmentwide guidance with the Office of Management and Budget (OMB) and NIST. OMB has statutory responsibility to develop and oversee policies, principles, standards, and guidelines used by agencies for ensuring the security of federal information and systems, but it has not issued policy or guidance specifically addressing smart cards since designating GSA the lead for promoting the technology in 1996. NIST has continuing responsibility for coordinating the development of technical standards required by GSA’s governmentwide smart card contract.

To enhance governmentwide security over federal personnel, buildings, and information systems, we are making recommendations to NIST, GSA, and OMB to take actions aimed at better supporting agency efforts to deploy interoperable smart-card-based identification systems.

We received written comments on a draft of this report from the Secretary of Commerce and DOD’s Deputy Chief Information Officer.
We also received oral comments from officials of OMB’s Office of Information and Regulatory Affairs, including the Information Policy and Technology Branch Chief; from the Commissioner of the Immigration and Naturalization Service; from GSA’s Associate Administrator for the Office of Governmentwide Policy; and from officials representing FAA, the Maritime Administration, the Transportation Security Administration, and the Chief Information Officer of the Department of Transportation. All the agency officials who commented generally agreed with our findings and recommendations.

Background

Today, federal employees are issued a wide variety of identification (ID) cards, which are used to access federal buildings and facilities, sometimes solely on the basis of visual inspection by security personnel. These cards often cannot be used for other important identification purposes—such as gaining access to an agency’s computer systems—and many can be easily forged or stolen and altered to permit access by unauthorized individuals. In general, the ease with which traditional ID cards—including credit cards—can be forged has contributed to increases in identity theft and related security and financial problems for both individuals and organizations.5

Smart cards are plastic devices about the size of a credit card that contain an embedded integrated circuit chip capable of both storing and processing data.6 Figure 1 shows a typical example of a smart card. The unique advantage of smart cards—as opposed to cards with simpler technology, such as magnetic stripes or bar codes—is that smart cards can exchange data with other systems and process information rather than simply serving as static data repositories. By securely exchanging information, a smart card can help authenticate the identity of the individual possessing the card in a far more rigorous way than is possible with simpler, traditional ID cards. A smart card’s processing power also allows it to exchange and update many other kinds of information with a variety of external systems, which can facilitate applications such as financial transactions or other services that involve electronic record keeping.

5 See U.S. General Accounting Office, Identity Theft: Available Data Indicate Growth in Prevalence and Cost, GAO-02-424T (Washington, D.C.: Feb. 14, 2002).
6 The term “smart card” may also be used to refer to cards with a computer chip that only stores information without providing any processing capability. Such cards, known as stored-value cards, are widely used for services such as prepaid telephone service or satellite television reception. While this report includes some information on federal use of stored-value cards, it focuses chiefly on cards with processing capability.

Figure 1: A Typical Smart Card. Source: GSA.

Smart cards can also be used to significantly enhance the security of an organization’s computer systems by tightening controls over user access. A user wishing to log on to a computer system or network with controlled access must “prove” his or her identity to the system—a process called authentication. Many systems authenticate users by merely requiring them to enter secret passwords, which provide only modest security because they can be easily compromised. Substantially better user authentication can be achieved by supplementing passwords with smart cards. To gain access under this scenario, a user is prompted to insert a smart card into a reader attached to the computer as well as type in a password. This authentication process is significantly harder to circumvent because an intruder would need not only to guess a user’s password but also to possess the same user’s smart card.
Even stronger authentication can be achieved by using smart cards in conjunction with biometrics. Smart cards can be configured to store biometric information (such as fingerprint templates or iris scans) in electronic records that can be retrieved and compared with an individual’s live biometric scan as a means of verifying that person’s identity in a way that is difficult to circumvent. A system requiring users to present a smart card, enter a password, and verify a biometric scan provides what security experts call “three-factor” authentication, the three factors being “something you possess” (the smart card), “something you know” (the password), and “something you are” (the biometric). Systems employing three-factor authentication are considered to provide a relatively high level of security. The combination of smart cards and biometrics can provide equally strong authentication for controlling access to physical facilities.7

Smart cards can also be used in conjunction with PKI technology to better secure electronic messages and transactions. A properly implemented and maintained PKI can offer several important security services, including assurance that (1) the parties to an electronic transaction are really whom they claim to be, (2) the information has not been altered or shared with any unauthorized entity, and (3) neither party will be able to wrongfully deny taking part in the transaction. An essential component is the use of electronic encryption keys, called “private keys,” that are unique to each user and must be kept secret and secure. For example, storing and using private keys on a user’s computer leaves them susceptible to attack because a hacker who gains control of that computer may then be able to use the private key stored in it to fraudulently sign messages and conduct electronic transactions.
However, if the private key is stored on a user’s smart card, it may be significantly less vulnerable to attack and compromise. Security experts generally agree that PKI technology is most effective when deployed in conjunction with smart cards.8

7 For more information about biometrics, see U.S. General Accounting Office, Technology Assessment: Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 2002).
8 For more information about PKI technology, see U.S. General Accounting Office, Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001).

In addition to enhancing security, smart cards have the flexibility to support a wide variety of uses not related to security. A typical smart card in use today can store and process 16 to 32 kilobytes of data, while newer cards can accommodate 64 kilobytes. The larger the card’s electronic memory, the more functions can be supported, such as tracking itineraries for travelers, linking to immunization or other medical records, or storing cash value for electronic purchases. Other media—such as magnetic stripes, bar codes, and optical memory (laser-readable) stripes—can be added to smart cards to support interactions with existing systems and services or provide additional storage capacity. For example, an agency that has been using magnetic stripe cards for access to certain facilities could migrate to smart cards that would work with both its existing magnetic stripe readers as well as new smart card readers. Of course, the functions provided by the card’s magnetic stripe, which cannot process transactions, would be much more limited than those supported by the card’s integrated circuit chip.
Optical memory stripes (which are similar to the technology used in commercial compact discs) can be used to equip a card with a large memory capacity for storing more extensive data—such as color photos, multiple fingerprint images, or other digitized images—and making that card and its stored data very difficult to counterfeit.9

Smart cards are grouped into two major classes: contact cards and “contactless” cards. Contact cards have gold-plated contacts that connect directly with the read/write heads of a smart card reader when the card is inserted into the device. Contactless cards contain an embedded antenna and work when the card is waved within the magnetic field of a card reader or terminal. Contactless cards are better suited for environments where quick interaction between the card and reader is required, such as high-volume physical access. For example, the Washington Metropolitan Area Transit Authority has deployed an automated fare collection system using contactless smart cards as a way of speeding patrons’ access to the Washington, D.C., subway system. Smart cards can be configured to include both contact and contactless capabilities, but two separate interfaces are needed, because standards for the technologies are very different. Figure 2 shows some of the capabilities and features that can be included in smart cards.

9 Cards with an optical memory stripe are known as laser cards or optical memory cards.

Figure 2: Features That May Be Incorporated into Smart Cards (front of smart card: digital photo, contacts for integrated circuit chip, barcode; inside of smart card: wire coil antenna, embedded contactless integrated circuit, integrated circuit chip; back of smart card: magnetic stripe, optical stripe). Source: GAO.
Since the 1990s, the federal government has considered the use of smart card technology as one option for electronically improving security over buildings and computer systems. In 1996, GSA was tasked with taking the lead in facilitating a coordinated interagency management approach for the adoption of multiapplication smart cards across government. The tasking came from OMB, which has statutory responsibility to develop and oversee policies, principles, standards, and guidelines used by agencies for ensuring the security of federal information and systems. At the time, OMB envisioned broad adoption of smart card technology throughout the government, as evidenced by the President’s budget for fiscal year 1998, which set a goal of enabling every federal employee ultimately to be able to use one smart card for a wide range of purposes, including travel, small purchases, and building access. In January 1998, the President’s Management Council and the Electronic Processing Initiatives Committee10 (EPIC) established an implementation plan for smart cards that called for a governmentwide, multiapplication card that would support a range of functions—including controlling access to government buildings—and operate as part of a standardized system. More recently, several legislative bills have been proposed or enacted in the wake of the events of September 11, 2001, to enhance national security and counterterrorism by using smart card and biometric technologies to better identify individuals entering the country or gaining access to mass transportation systems.11

Objectives, Scope, and Methodology

Our objectives were to assess (1) the extent to which federal agencies have adopted smart card technologies and realized the associated benefits, (2) the challenges of adopting smart cards within federal agencies, and (3) the effectiveness of GSA in promoting the adoption of smart card technologies within the federal government.
To assess the extent of smart card adoption by federal agencies and identify associated benefits and challenges, we reviewed smart card project documentation, cost estimates, and other studies from GSA; OMB; the Western Governors’ Association (WGA), which was responsible for a smart card project funded in part by the Departments of Agriculture and Health and Human Services; the Department of Justice’s Immigration and Naturalization Service; DOD; and the Departments of Interior, Transportation, Treasury, and Veterans Affairs (VA). We also held discussions with key officials from these organizations regarding project benefits and challenges. Discussions were also held with representatives of the Smart Card Alliance, an association of smart card technology vendors, regarding smart card technology benefits and challenges. In addition, we reviewed publicly available materials and reports on smart card technology issues and discussed key issues with representatives of these organizations.

10 EPIC, an interagency body, was established to help improve the delivery of electronic commerce activities across government and to assist the President’s Management Council on such issues during the 1990s. In 2000, EPIC was replaced by the Electronic Government Coordinating Committee.
11 These bills included the Enhanced Border Security and Visa Entry Reform Act of 2002, P.L. No. 107-173, 116 Stat. 543, and the Department of Transportation and Related Agencies Appropriations Act, 2003, S.2808, 107th Cong. (2002).

To assess GSA’s effectiveness in promoting the governmentwide adoption of smart cards, we reviewed contract task orders, examined pilot project documentation, and assessed smart card plans and other reports obtained from the agency.
We also held discussions with key officials in GSA’s Office of Governmentwide Policy, Federal Technology Service, and Public Building Service to obtain information on internal pilot projects and other key plans and documents. We analyzed reports and evaluations on the smart card program obtained from GSA’s Office of Inspector General. To obtain information on whether GSA had taken an effective leadership role in fostering the adoption of smart card technology across government, we interviewed officials from NIST; DOD; VA; the Departments of Interior, Transportation, and Treasury; and OMB. We also interviewed officials from WGA. We performed our work between April and October 2002 in accordance with generally accepted government auditing standards.

Many Government Smart Card Projects Are under Way or Planned, Offering a Variety of Benefits

Since 1998, multiple smart card projects have been launched, addressing an array of capabilities and providing many tangible and intangible benefits, such as ways to better authenticate the identity of cardholders, increase security over buildings, safeguard computer systems and data, and conduct financial and nonfinancial transactions more accurately and efficiently. For some federal agencies, the benefits of using smart card technology (such as improving security over federal buildings and systems and achieving other business-related purposes) have only recently been recognized, and many agencies are still planning projects or evaluating the benefits of this technology before proceeding with more wide-scale initiatives. Still, results from several ongoing smart card projects suggest that the technology offers federal agencies a variety of benefits.

According to information obtained from GSA, OMB, and other federal agencies, as of November 2002, 18 federal agencies were planning, testing, operating, or completing a total of 62 smart card projects.
These projects varied widely in size and technical complexity, ranging from small-scale, limited-duration pilot projects to large-scale, agencywide initiatives providing multiple services. The projects were reported to be in varying stages of deployment. Specifically, 13 projects were in the planning stage, and 7 were being piloted. An additional 17 projects were listed as operational, and 13 had been completed. No information was provided about the project phase of the remaining 12 initiatives; it is not clear whether these projects had moved beyond the planning or pilot testing phases. Figure 3 shows the status of the 62 federal smart card projects identified by GSA and OMB. Table 1 provides additional summary information about these projects.

Figure 3: Distribution of 62 Federal Projects by Project Phase

Table 1: Summary Information on 62 Federal Smart Card Projects

Agriculture (1 project; 1 operational): Agriculture has implemented a system using a 24k chip card to automatically collect marketing data from peanut farmers under the peanut quota system.

Commerce (5 projects; 1 planned, 1 pilot; for 3, deployment status information not available): NIST is in the planning phase of its smart card project and is completing a feasibility study, exploring PKI and biometrics. The Patent and Trademark Office is piloting a smart card for its Patent Work at Home program using two-factor authentication and PKI technology for secure remote logical access. This card is also used as a property pass and as a stored-value card for transit subsidies.

DOD (26 projects; 1 planned, 3 pilot, 10 operational, 6 completed; for 6, deployment status information not available): Most of these pilots/programs were used within bases or among particular deployments and date back to the mid to late 1990s. The majority of the projects, a total of 22, used the smart card’s ability to track various types of information: inventory control, food service, manifesting, and personnel accountability. Physical and/or logical access capabilities were a part of a little less than half (10) of the projects. The largest DOD deployment of smart cards (1.4 million cards), to date, is the CAC program, which is still being implemented. DOD has set policy directing that all its previous smart card programs be integrated into the CAC, with the exception of financial applications. CAC is planned for use by more than 4 million individuals and features PKI, physical and logical access controls, and space reserved for organization-specific applications, in addition to several technologies already in use, such as magnetic stripes and barcodes.

Education (1 project; 1 planned): The Student Financial Assistance Office plans to use approximately 1,344 smart cards for physical access, transit benefits, and asset management.

Energy (1 project; 1 operational): Energy has a project to issue cards to 28 employees working to clean up and shut down the Rocky Flats Technology site. The smart cards are to be used for physical access to restricted areas.

GSA (3 projects; 1 operational, 2 completed): GSA headquarters has a smart card in operation for physical and logical access. Medical and meeting attendance applications have also been developed for use with this card. A completed pilot at GSA’s Willow Wood Facility used a smart card for logical and physical access, for property management, and as a travel/purchase/phone card. Smart cards were also used at the 1997 presidential inauguration for access control, housing, and telephone support; they allowed security personnel to monitor movements within the headquarters facility.

HUD (2 projects; 1 pilot, 1 completed): The completed project used a 2k chip card for internal and physical access at HUD’s headquarters building. HUD discontinued the program in 1997 and decided to pursue proximity ID cards.

Interior (3 projects; 1 planned, 2 pilot; for 1, deployment status information not available): The National Park Service is planning to implement a Firefighters Training Card that will carry qualification and certification information. The Bureau of Land Management has distributed 1,100 cards to employees at five sites for physical access and limited use with PKI-enabled applications. This pilot will most likely be expanded agencywide. The Minerals Management Service is piloting a smart card with about half its employees (600 cards) and is planning to test its security applications.

Justice (5 projects; 2 planned; for 3, deployment status information not available): The organizations within Justice undertaking smart card projects are the Management Division, Civil Division, Federal Bureau of Investigation, Office of Inspector General, and National Drug Intelligence Center.

Labor (1 project; 1 operational): Labor has 720 smart cards in use.

NASA (1 project; 1 planned): PKI certificates will be used to authenticate and grant NASA employees and contractors physical and logical access at NASA facilities.

National Science Foundation (1 project; 1 planned): The National Science Foundation plans to issue 1,500 smart cards.

Social Security Administration (1 project; 1 planned): Within the Social Security Administration, 8,868 cards will be used to track government property.

State (1 project; 1 operational): Approximately 1,250 cards have been issued to State employees for physical and logical access. The cards also carry State PKI certificates. Plans call for 20,000 employees in the national capital region to receive this card in the near future.

Transportation (3 projects; 3 planned): Transportation is planning three pilot projects to implement smart card technology. First, the FAA Identification Media project plans to issue over 10,000 cards to federal employees and contract personnel primarily for physical access to FAA facilities. Second, the Transportation Security Administration’s Transportation Worker Identification Card is planned to be issued to approximately 10–15 million transportation workers for physical and logical access to facilities and systems. Third, a stored value card is planned to be issued to 25,000 Transportation employees as part of the Federal Transit Administration Assistance program. Information gathered using this card will provide better data for ridership analysis and transit route planning.

Treasury (2 projects; 1 planned, 1 operational): Treasury planned to distribute 10,500 cards to test various uses including physical and logical access, property management, biometrics, and food service eligibility. Upon validation, officials expect the project to be expanded agencywide. IRS is using smart cards to obtain secure dial-in access to the IRS local area network.

U.S. Agency for International Development (1 project; 1 completed): The U.S. Agency for International Development implemented a pilot smart-card-based national electronic payment system in Armenia. The project has been discontinued.

Veterans Affairs (VA) (3 projects; 1 operational; for 2, deployment status information not available): VA has issued 24,038 cards containing demographic, emergency, and eligibility data as well as PKI certificates to allow digital signatures on electronic service delivery transactions at two sites. An additional two VA hospital locations separately tested smart cards as ID badges and for electronic purchases to be used for vending, cash registers, and automatic teller machines.

Source: GSA and OMB.

Many pilot projects initiated in the late 1990s deployed smart cards for specific, limited purposes in order to demonstrate the usefulness of the technology.
For example, GSA distributed smart cards to approximately 3,000 staff and visitors at the 1997 presidential inauguration to control physical access to that event. The cards contained information that granted individuals access to specific event activities and allowed security personnel to monitor movements within the event’s headquarters facility as well as maintain records on those entering secure areas. Likewise, many smart card pilot projects were implemented by the military services to demonstrate the technology’s usefulness in enhancing specific business operations, such as creating electronic manifests to help deploy military personnel more efficiently, managing medical records for military personnel, and providing electronic cash to purchase goods and food services at remote locations. Officials at military bases and installations participating in these pilots reported that smart cards significantly reduced the processing time required for deploying military personnel—from several days to just a few hours.

Recently, broader and more permanent projects have begun. Among federal agencies, DOD has made a substantial investment in developing and implementing an agencywide smart card system. DOD’s CAC is to be used to authenticate the identity of nearly 4 million military and civilian personnel and to improve security over on-line systems and transactions. The cards are being deployed in tandem with the rollout of a departmentwide PKI. As of November 2002, DOD had issued approximately 1.4 million CACs to military and civilian personnel and had purchased card readers and middleware[12] for about 1 million of its computers. More information about DOD’s program appears in appendix I.
[12] Middleware is software that allows a software application running on another system to communicate and exchange data with the integrated circuit chip on a smart card.

The Department of Transportation is also developing two large smart card pilot projects, which will be focused on controlling access to and improving security at the nation’s many transportation hubs as well as at federal facilities controlled by the department. One pilot aims to distribute smart cards to approximately 10,000 FAA employees and contractor personnel for access to the department’s facilities. Subsequent phases will be implemented across the agency to approximately 100,000 employees. In the second pilot, transportation worker identification cards will be issued to about 15 million transportation workers across the United States and are intended to improve physical and logical access to public transportation facilities. Transportation plans to document results from the pilot project, including benefits and costs.

Other federal agencies are now using smart cards for controlling logical access to computer systems and networks. For example, the Internal Revenue Service (IRS) distributed smart cards to approximately 30,000 of its revenue agents and officers for use when accessing the agency’s network remotely through notebook computers. According to an IRS official, the cards are still in use and working well. In July 2002, the Department of the Treasury announced plans to launch a pilot project to assess the use of smart cards for multiple purposes, including both physical and logical access. Treasury plans to distribute smart cards equipped with biometrics and PKI capabilities to approximately 7,200 employees during its pilot test. Treasury’s main department offices and five Treasury bureaus will be involved in the pilot test: U.S. Secret Service; IRS; Bureau of Alcohol, Tobacco, and Firearms; Bureau of Engraving and Printing; and the Federal Law Enforcement Training Center. According to Treasury officials, if the smart card pilot proves successful, it will be implemented across the department.

While efforts such as these represent a recent trend toward adopting agencywide smart cards for security functions, almost half (42 percent) of the projects that have been undertaken to date, as identified by GSA and OMB, involved storing either cash value on the cards for use in making small purchases or other information for use in processing electronic payment transactions, transit benefits, or agency-specific applications. Many of these projects (45 percent) used smart cards that supported a combination of media, such as magnetic stripes, bar codes, and optical memory stripes. Further, the majority (86 percent) of these non–security-oriented projects involved cards used internally, usually to support formerly paper-based functions. For example, in October 1994, the 25th Infantry Division in Hawaii was issued 30,000 smart cards configured to support medical documentation, mobility processing, manifesting, personnel accountability, health care, and food service. In this pilot, the most notable benefit was seen in deployment readiness. The deployment process, which normally took a day or more, was reduced to a matter of hours. In another example of a stored-value card project, the Departments of Agriculture and Health and Human Services supported a project by the WGA to issue smart cards to approximately 12,000 individuals—including pregnant women, mothers, and children—who were eligible for electronic benefits transfer (EBT) programs such as the Women, Infants, and Children program, Head Start, Food Stamps, and other public health programs in three different states.
The smart cards contained a circuit chip that included demographic, health, appointment, and EBT information, as well as a magnetic stripe that included Medicaid eligibility information. The smart cards also allowed grocery and retail establishments to track food purchases and rebate offers or coupon redemptions more accurately. Users helped control information stored on the card with a personal identification number and were provided with kiosks to read or view information stored on the card. According to WGA officials, the pilot was a success because participants had immediate access to healthcare appointment and immunization records. In addition, federal and state agencies were able to track benefits and baby formula purchases more accurately, resulting in manufacturers no longer questioning the process used by these government organizations to collect millions in rebate offers.

To demonstrate that a single smart card could have many uses and provide many benefits, GSA’s Federal Technology Service introduced a multipurpose smart card to its employees during a pilot project conducted in the summer of 1999. The card functioned as a property management device, boarding pass for American Airlines, credit card for travel, and stored-value calling card. The card used fingerprint biometric technology, as well as digital certificates for use in signing E-mail messages. In addition, the card contained a contactless interface—an embedded antenna—that allowed cardholders to access transit services by waving the card near a card reader to electronically pay for these services. Appendix I provides more detailed information about smart card projects at several government agencies.

Successful Adoption of Smart Cards Can Be Achieved If Challenges Are Met

The benefits of smart card adoption identified by agency officials can be achieved only if key management and technical challenges are understood and met. While these challenges have slowed the adoption of smart card technology in past years, they may be less difficult in the future, not only because of increased management concerns about securing federal facilities and information systems, but also because technical advances have improved the capabilities and reduced the cost of smart card systems. Major implementation challenges include
• sustaining executive-level commitment;
• recognizing resource requirements;
• coordinating diverse, cross-organizational needs and transforming organizational security practices;
• achieving interoperability among smart card systems; and
• maintaining security and privacy.

Sustaining Executive-Level Commitment

Nearly all the officials we interviewed indicated that maintaining executive-level commitment is essential to implementing a smart card system effectively. According to officials both within DOD and in civilian agencies, the formal mandate of the Deputy Secretary of Defense to implement a uniform, common access identification card within DOD was essential to getting a project as large as the CAC initiative launched and funded.[13] The Deputy Secretary also assigned roles and responsibilities to the military services and agencies and established a deadline for defining smart card requirements. DOD officials noted that without such executive-level support and clear direction, the smart card initiative likely would have encountered organizational resistance and cost concerns that would have led to significant delays or cancellation. Treasury and Transportation officials also indicated that sustained high-level support had been crucial in launching smart card initiatives within their organizations and that without this support, funding for such initiatives probably would not have been available.
In contrast, other federal smart card pilot projects have been cancelled due to lack of executive-level support. Officials at VA indicated that their pilot VA Express smart card project, which issued cards to veterans for use in registering at VA hospitals, would probably not be expanded to full-scale implementation, largely because executive-level priorities had changed, and support for a wide-scale smart card project had not been sustained.

[13] Deputy Secretary of Defense, Memorandum on Smart Card Adoption and Implementation (Washington, D.C.: Nov. 10, 1999).

Recognizing Resource Requirements

Smart card implementation costs can be high, particularly if significant infrastructure modifications are required or other technologies, such as biometrics and PKI, are being implemented in tandem with the cards. However, in light of the benefits of better authenticating personnel, increasing security over access to buildings, safeguarding computer systems and data, and conducting financial and nonfinancial transactions more accurately and efficiently, these costs may be acceptable. Key implementation activities that can be costly include managing contractors and card suppliers, developing systems and interfaces with existing personnel or credentialing systems, installing equipment and systems to distribute the cards, and training personnel to issue and use smart cards. As a result, agency officials stated that obtaining adequate resources was critical to implementing a major government smart card system. For example, Treasury’s project manager estimated the overall cost for the departmentwide effort at between $50 and $60 million; costs for the FAA pilot project, which have not yet been fully determined, are likely to exceed $2.5 million. At least $4.2 million[14] was required to design, develop, and implement the WGA Health Passport Project (HPP) in Nevada, North Dakota, and Wyoming and to service up to 30,000 clients.
A report on that project acknowledged that it was complicated and costly to manage card issuance activities. The states encountered problems when trying to integrate legacy systems with the smart cards and had difficulty establishing accountability among different organizations for data stored on and transferred from the cards. The report further indicated that help-desk services were difficult to manage because of the number of organizations and outside retailers, as well as different systems and hardware, involved in the project; costs for this service likely would be about $200,000 annually.[15] WGA officials said they expect costs to decrease as more clients are provided with smart cards and the technology becomes more familiar to users; they also believe smart card benefits will exceed costs over the long term.

[14] According to the project’s final report, additional costs were incurred that have not been quantified.
[15] Jenny Bernstein, Robin Koralek, Cheryl Owens, Nancy Pindus, and Barbara Selter, Final Report—The Health Passport Project: Assessment and Recommendations (December 2001).

The full cost of a smart card system can also be greater than originally anticipated because of the costs of related technologies, such as PKI. For example, DOD initially budgeted about $78 million for the CAC program in 2000 and 2001 and expected to provide the device to about 4 million military, civilian, and contract employees by 2003. It now expects to expend over $250 million by 2003—more than double the original estimate. Many of the increases in CAC program costs were attributed by DOD officials to underestimating the costs of upgrading and managing legacy systems and processes for card issuance. Card issuance costs likely will exceed $75 million out of the over $250 million now provided for CAC through 2003, based on information provided by DOD.
These costs are for installing workstations, upgrading legacy systems, and distributing cards to personnel. According to DOD program officials, the department will likely expend over $1 billion for its smart cards and PKI capabilities by 2005. In addition to the costs mentioned above, the military services and defense agencies were required to fund the purchase of over 2.5 million card readers and the middleware to make them work with existing computer applications, at a cost likely to exceed $93 million by 2003. The military services and defense agencies are also expected to provide funding to enable applications to interoperate with the PKI certificates loaded on the cards. DOD provided about $712 million to issue certificates to cardholders as part of the PKI program but provided no additional funding to enable applications.[16]

Integrating Physical and Logical Security Practices Across Organizations

The ability of smart card systems to address both physical and logical (information systems) security means that unprecedented levels of cooperation may be required among internal organizations that often had not previously collaborated, especially physical security organizations and IT organizations. Nearly all federal officials we interviewed noted that existing security practices and procedures varied significantly across organizational entities within their agencies and that changing each of these well-established processes and attempting to integrate them across the agency was a formidable challenge. Individual bureaus and divisions often have strong reservations about supporting a departmentwide smart card initiative because it would likely result in substantial changes to existing processes for credentialing individuals, verifying those credentials when presented at building entrances, and accessing and using computer systems.
[16] Office of the Inspector General, Department of Defense, Implementation of DOD Public Key Infrastructure Policy and Procedures, Report No. D-2002-030 (Dec. 28, 2001).

DOD officials stated that it has been difficult to take advantage of the multiapplication capabilities of its CAC for these very reasons. The card is primarily being used for logical access—for helping to authenticate cardholders accessing systems and networks and for digitally signing electronic transactions using PKI. DOD only recently has begun to consider ways to use the CAC across the department to better control physical access over military facilities. Few DOD facilities are currently using the card for this purpose. DOD officials said it had been difficult to persuade personnel responsible for the physical security of military facilities to establish new processes for smart cards and biometrics and to make significant changes to existing badge systems.

In addition to the gap between physical and logical security organizations, the sheer number of separate and incompatible existing systems also adds to the challenge of establishing an integrated agencywide smart card system. One Treasury official, for example, noted that departmentwide initiatives, such as its planned smart card project, require the support of 14 different bureaus and services. Each of these entities has different systems and processes in place to control access to buildings, automated systems, and electronic transactions. Agreement could not always be reached on a single business process to address security requirements among these diverse entities.

Achieving Interoperability Among Smart Card Systems

Interoperability is a key consideration in smart card deployment. The value of a smart card is greatly enhanced if it can be used with multiple systems at different agencies, and GSA has reported that virtually all agencies agree that interoperability at some level is critical to widespread adoption of smart cards across the government. However, achieving interoperability has been difficult because smart card products and systems developed in the past have generally been incompatible in all but very rudimentary ways. With varying products available from many vendors, there has been no obvious choice for an interoperability standard.

GSA considered the achievement of interoperability across card systems to be one of its main priorities in developing its governmentwide Smart Access Common ID Card contract. Accordingly, GSA designed the contract to require awardees to work with GSA and NIST[17] to develop a government interoperability specification. The specification, as it currently stands, includes an architectural model, interface specifications, conformance testing requirements, and data models. A key aspect of the specification is that it addresses aspects of smart card operations that are not covered by commercial standards. Specifically, the specification defines a uniform set of command and response messages for smart cards to use in communicating with card readers. Vendors can meet the specification by writing software for their cards that translates their unique command and response formats to the government standard. Such a specification previously had not been available.

According to NIST officials, the first version of the interoperability specification, completed in August 2000, did not include sufficient detail to establish interoperability among vendors’ disparate smart card products.
The officials stated that this occurred because representatives from NIST, the contractors, and other federal agencies had only a very limited time to develop the first version. Version 2,[18] released in June 2002, is a significant improvement, providing better definitions of many details, such as how smart cards should exchange information with software applications and card readers. The revised specification also supports DOD’s CAC data model in addition to the common data model developed for the original specification. However, it may take some time before smart card products that meet the requirements of version 2 are made available, because the contractors and vendors (under the Smart Access Common ID contract) will have to update or redesign their products to meet the enhanced specification. Further, potential interoperability issues may arise for those agencies that purchased and deployed smart card products based on the original specification.

[17] NIST is the lead agency in the Standards Technical Working Group, which was established by the Government Smart Card Interagency Advisory Board (GSC-IAB) to develop and update the Government Smart Card Interoperability Specification. In addition, NIST is responsible for developing a comprehensive conformance test program for the specification.
[18] Government Smart Card Interoperability Specification, Version 2.0, NIST Internal Report 6887 (June 27, 2002).

While version 2 addressed important aspects of establishing interoperability among different vendors’ smart card systems, other aspects remain unaddressed. For example, the version 2 specifications for “basic services interface” provide for just 21 common functions, such as establishing and terminating a logical connection with the card in a specified reader.
Other fundamental functions—such as changing personal ID numbers and registering cards when they are issued to users—are not included in the basic services interface. For such functions, vendors must use what are known as “extended service interfaces.” Because vendors are free to create their own unique definitions for extended service interfaces and associated software, interoperability problems may occur if interface designs or software programs are incompatible. NIST officials stated that, at the time the specification was finalized, it was not possible to define a standard for the functions not included in the basic services interface because existing commercial products varied too widely. According to the NIST officials, greater convergence is needed among smart card vendors’ products before agreement can be reached on standards for all important card functions—including changing passwords or personal identification numbers—as part of extended service interfaces. In addition, the guidelines do not address interoperability for important technologies such as contactless smart cards, biometrics, and optical memory stripes. GSA and NIST officials indicated that federal agencies are interested in adopting contactless and biometric technologies but that more needs to be done to evaluate the technologies and develop a standard architectural model to ensure interoperability across government. The government has not yet adopted industry-developed contactless and biometric standards, which are generally not extensive enough to ensure interoperability among commercial products from different vendors. 
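The translation layer the preceding paragraphs describe, as an added example that is not code from the GAO report or from the Government Smart Card Interoperability Specification: two hypothetical cards answer different command sets (card A needs a SELECT before a READ BINARY; card B exposes a proprietary single-step read), a vendor module for each maps a small common interface onto its card, and an application written against that interface runs unchanged on both. The PIN-change operation stands in for an "extended service": only module B defines it, so the same application code fails on card A. The cards, their command codes, the module names and the container identifier are assumptions; only the ISO 7816-4 APDU layout (CLA INS P1 P2 [Lc data] [Le], response data followed by SW1 SW2) and the status words used are standard.

```python
"""Simulated 'basic services interface' (BSI) over two hypothetical vendor cards.
Added example; not code from the GAO report or the Government Smart Card Interoperability
Specification. Cards A and B, their command sets, the module names and the container id
are assumptions; only the ISO 7816-4 APDU framing and status words are standard."""

SW_OK, SW_PIN_WRONG_2_LEFT = 0x9000, 0x63C2  # 63Cx: PIN wrong, x tries left
SW_SECURITY_NOT_SATISFIED, SW_FILE_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6982, 0x6A82, 0x6D00
RECORD, PIN = b"DOE, JANE;DOB=1970-01-01", b"1234"  # constructed sample data

def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    out = bytes([cla, ins, p1, p2]) + (bytes([len(data)]) + data if data else b"")
    return out if le is None else out + bytes([le])

def parse_apdu(c):  # -> (cla, ins, p1, p2, data); 4- and 5-byte APDUs carry no data field
    return c[0], c[1], c[2], c[3], (c[5:5 + c[4]] if len(c) > 5 else b"")

def response(code, data=b""):  # response APDU: [data] SW1 SW2
    return data + code.to_bytes(2, "big")

class SimCard:  # shared PIN state; subclasses add their own command sets
    def __init__(self, data, pin):
        self.data, self.pin, self.verified, self.selected = data, pin, False, None
    def verify(self, pin):
        self.verified = pin == self.pin
        return response(SW_OK if self.verified else SW_PIN_WRONG_2_LEFT)

class CardA(SimCard):
    """Card A: standard-style SELECT (A4) by file id, then READ BINARY (B0)."""
    def transmit(self, c):
        _, ins, _, _, data = parse_apdu(c)
        if ins == 0x20:
            return self.verify(data)
        if ins == 0xA4:
            fid = int.from_bytes(data, "big")
            self.selected = fid if fid in self.data else None
            return response(SW_OK if self.selected is not None else SW_FILE_NOT_FOUND)
        if ins == 0xB0 and self.selected is not None:
            return response(SW_OK, self.data[self.selected]) if self.verified else response(SW_SECURITY_NOT_SATISFIED)
        return response(SW_INS_NOT_SUPPORTED)

class CardB(SimCard):
    """Card B: proprietary GET OBJECT (E0, tag in P1 P2) plus CHANGE REFERENCE DATA (24)."""
    def transmit(self, c):
        _, ins, p1, p2, data = parse_apdu(c)
        if ins == 0x20:
            return self.verify(data)
        if ins == 0xE0:
            tag = (p1 << 8) | p2
            if tag not in self.data:
                return response(SW_FILE_NOT_FOUND)
            return response(SW_OK, self.data[tag]) if self.verified else response(SW_SECURITY_NOT_SATISFIED)
        if ins == 0x24 and self.verified:
            self.pin = data
            return response(SW_OK)
        return response(SW_SECURITY_NOT_SATISFIED if ins == 0x24 else SW_INS_NOT_SUPPORTED)

class BSIError(Exception):
    pass

class BasicServices:
    """Uniform calls the application codes against; each module maps them onto its card."""
    CONTAINERS = {"demographics": 0x0100}  # hypothetical container id
    def __init__(self, card):
        self.card = card
    def _check(self, resp):
        data, code = resp[:-2], int.from_bytes(resp[-2:], "big")
        if code != SW_OK:
            raise BSIError(f"card returned SW {code:04X}")
        return data
    def verify_pin(self, pin):
        return self._check(self.card.transmit(build_apdu(0x00, 0x20, 0x00, 0x80, pin)))

class ModuleA(BasicServices):
    def read_container(self, name):  # two card commands behind one BSI call
        fid = self.CONTAINERS[name].to_bytes(2, "big")
        self._check(self.card.transmit(build_apdu(0x00, 0xA4, 0x00, 0x00, fid)))
        return self._check(self.card.transmit(build_apdu(0x00, 0xB0, 0x00, 0x00, le=0x00)))

class ModuleB(BasicServices):
    def read_container(self, name):  # one proprietary command behind the same BSI call
        tag = self.CONTAINERS[name]
        return self._check(self.card.transmit(build_apdu(0x80, 0xE0, tag >> 8, tag & 0xFF, le=0x00)))
    def change_pin(self, old, new):  # extended service: vendor-defined, so not portable
        self.verify_pin(old)
        return self._check(self.card.transmit(build_apdu(0x00, 0x24, 0x00, 0x80, new)))

def read_demographics(module, pin):  # application written once against the BSI
    module.verify_pin(pin)
    return module.read_container("demographics").decode()

def change_pin(module, old, new):  # same application code, but it needs an extended service
    if not hasattr(module, "change_pin"):
        raise NotImplementedError(f"{type(module).__name__} has no change_pin extended service")
    module.change_pin(old, new)
    return True

if __name__ == "__main__":
    a, b = ModuleA(CardA({0x0100: RECORD}, PIN)), ModuleB(CardB({0x0100: RECORD}, PIN))
    print(read_demographics(a, PIN), "|", read_demographics(b, PIN), "|", change_pin(b, PIN, b"9876"))
```

The application never sees an APDU: the module absorbs the difference between card A's two-step read and card B's one-step read, which is what a common command set buys. It buys nothing for `change_pin`, because that function lives outside the common set and each vendor defines it as it likes, so the application has to know which module it is talking to, the interoperability gap the text describes for extended service interfaces.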
According to one NIST official, a thorough risk assessment of optical stripe technology needs to be conducted first, because the security issues for a “passive” technology such as optical stripes are different from those of “active” chip-based smart cards.[19] Although there is no work under way to include optical stripe technology as an option within the Government Smart Card Interoperability Specification, the guidance does not preclude the use of this technology.

[19] Optical stripe technology is considered “passive” because it simply serves as a platform to store data; it cannot perform any processing functions. Chip-based cards, however, are capable of actively processing information and interacting with other systems.

Maintaining the Security of Smart Card Systems and Privacy of Personal Information

Although concerns about security are a key driver for the adoption of smart card technology in the federal government, the security of smart card systems is not foolproof and must be addressed when agencies plan the implementation of a smart card system. As discussed in the background section of this report, smart cards can offer significantly enhanced control over access to buildings and systems, particularly when used in combination with other advanced technologies, such as PKI and biometrics. Although smart card systems are generally much harder to attack than traditional ID cards and password-protected systems, they are not invulnerable. In order to obtain the improved security services that smart cards offer, care must be taken to ensure that the cards and their supporting systems do not pose unacceptable security risks.
Smart card systems generally are designed with a variety of features designed to thwart attack.20 For example, cards are assigned unique serial numbers to counter unauthorized duplication and contain integrated circuit chips that are resistant to tampering so that their information cannot be easily extracted and used. However, security experts point out that because a smart-card-based system involves many different discrete elements that cannot be physically controlled at all times by an organization’s security personnel, there is at least a theoretically greater opportunity for malfeasance than would exist for a more self-contained system.21 In fact, a smart-card-based system involves many parties (the cardholders, data owner, computing devices, card issuer, card manufacturer, and software manufacturer) that potentially could pose threats to the system. For example, researchers have found ways to circumvent security measures and extract information from smart cards, and an individual cardholder could be motivated to attack his or her card in order to access and modify the stored data on the card—perhaps to change personal information or increase the cash value that may be stored on the card. Further, smart cards are connected to computing devices (such as agency networks, desktop and laptop computers, and automatic teller machines) 20 In this context, an attack is an attempt by one or more parties involved in a smart-card- based transaction to cheat by taking advantage of potential weaknesses in the security of the card. 21 Bruce Schneier and Adam Shostack, “Breaking Up Is Hard to Do: Modeling Security Threats for Smart Cards” in USENIX Workshop on Smart Card Technology (USENIX Press, 1999), pp. 175–185. Page 24 GAO-03-144 Progress in Promoting Smart Cards through card readers that control the flow of data to and from the smart card. 
Attacks mounted on either the card readers or any of the attached computing systems could compromise the safeguards that are the goals of implementing a smart card system.

Smart cards used to support multiple applications may introduce additional risks to the system. For example, if adequate care is not taken in designing and testing each software application, loading new applications onto existing cards could compromise the security of the other applications already stored on the cards. In general, guaranteeing the security of a multiapplication card can be more difficult because of the difficulty of determining which application is running inside a multiapplication smart card at any given time. If an application runs at an unauthorized time, it could gain unauthorized access to data intended only for other applications.

As with any information system, the threats to a smart card system must be analyzed thoroughly and adequate measures developed to address potential vulnerabilities. Our 1998 report on effective security management practices used by leading public and private organizations22 and a companion report on risk-based security approaches23 identified key principles that can be used to establish a management framework for an effective information security program. In addition, the National Security Agency’s draft guidelines24 for placing biometrics in smart cards include steps that could be taken to help protect information in smart card systems, such as encrypting all private keys stored in the smart card and defining a system security policy with a user certification process before access to the system is granted.

In addition to security, protecting the privacy of personal information is a growing concern and must be addressed with regard to the personal information contained on smart cards. Once in place, smart-card-based systems designed simply to control access to facilities and systems could also be used to track the day-to-day activities of individuals, potentially compromising their privacy. Further, smart-card-based systems could be used to aggregate sensitive information about individuals for purposes other than those prompting the initial collection of the information, which could compromise privacy. The Privacy Act of 197425 requires the federal government to restrict the disclosure of personally identifiable records maintained by federal agencies, while permitting individuals access to their own records and the right to seek amendment of agency records that are inaccurate, irrelevant, untimely, or incomplete. Accordingly, agency officials need to assess and plan for appropriate privacy measures when implementing smart card systems.

To address privacy concerns, officials with the WGA indicated that some participants in the HPP were made aware of the information that would be stored on their cards. Kiosks were installed in some grocery stores to encourage individuals to view the information stored on the cards. Similarly, GSA officials provided employees access to information stored on their headquarters ID cards and said they received few complaints about the cards. While individuals involved in these projects had few concerns, others may require more assurances about the information stored on smart cards and how government agencies will use and share data.

22 U.S. General Accounting Office, Information Security Management: Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998).
23 U.S. General Accounting Office, Information Security Risk Assessment: Practices of Leading Organizations, GAO/AIMD-00-33 (Washington, D.C.: Nov. 1999).
24 National Security Agency, Guidelines for Placing Biometrics in Smartcards, Draft Version 1.0 (Sept. 15, 1998).
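The multiapplication risk described above, that an application could run at an unauthorized time or reach data intended only for another application, is exactly what a card's application firewall is meant to rule out. The Go program below is an added illustration, not code from the report, from GSA or NIST, and not the Java Card specification: it models a card runtime in which every data object has one owning applet, only the applet selected by the terminal is considered to be running, and a cross-applet read succeeds only under an explicit grant from the owner. The applet and object names (ID, PURSE, id.name, purse.balance) and the stored values are constructed for the example, and every refusal is recorded so that attempted cross-application access can be audited.

```go
package main

import (
	"errors"
	"fmt"
)

// AppletID names an application loaded on the card. The applet and object
// names used in this example are constructed and are not real identifiers.
type AppletID string

// Card is a minimal model of a multiapplication card runtime: every data object
// has one owning applet, only the selected applet is running, and a running
// applet reaches another applet's object only through an explicit grant.
type Card struct {
	selected AppletID
	owner    map[string]AppletID
	data     map[string][]byte
	grants   map[string]map[AppletID]bool
	Denied   []string // audit trail of refused accesses: "caller object: reason"
}

func NewCard() *Card {
	return &Card{
		owner:  map[string]AppletID{},
		data:   map[string][]byte{},
		grants: map[string]map[AppletID]bool{},
	}
}

// Install loads one data object for an applet and records the applet as owner.
func (c *Card) Install(app AppletID, object string, value []byte) error {
	if _, exists := c.owner[object]; exists {
		return fmt.Errorf("object %q already installed", object)
	}
	c.owner[object] = app
	c.data[object] = append([]byte(nil), value...)
	return nil
}

// Grant lets the owner share read access to one object with one other applet.
func (c *Card) Grant(owner AppletID, object string, reader AppletID) error {
	if c.owner[object] != owner {
		return fmt.Errorf("%s does not own %q", owner, object)
	}
	if c.grants[object] == nil {
		c.grants[object] = map[AppletID]bool{}
	}
	c.grants[object][reader] = true
	return nil
}

// Select makes app the running applet, as a terminal's SELECT command would.
func (c *Card) Select(app AppletID) { c.selected = app }

// Read enforces the two checks the text calls for: the caller must be the
// applet currently running, and it must own the object or hold a grant for it.
func (c *Card) Read(caller AppletID, object string) ([]byte, error) {
	deny := func(why string) ([]byte, error) {
		c.Denied = append(c.Denied, fmt.Sprintf("%s %s: %s", caller, object, why))
		return nil, errors.New("access denied: " + why)
	}
	if caller != c.selected {
		return deny("caller is not the running applet")
	}
	owner, exists := c.owner[object]
	if !exists {
		return deny("no such object")
	}
	if owner != caller && !c.grants[object][caller] {
		return deny("object belongs to another applet and no grant exists")
	}
	return append([]byte(nil), c.data[object]...), nil
}

func main() {
	card := NewCard()
	_ = card.Install("ID", "id.name", []byte("SAMPLE CARDHOLDER")) // constructed
	_ = card.Install("PURSE", "purse.balance", []byte{0x00, 0x19})  // constructed
	_ = card.Grant("ID", "id.name", "PURSE")                          // ID lets PURSE read the name only
	card.Select("PURSE")
	_, err := card.Read("PURSE", "id.name") // allowed through the grant
	fmt.Println("PURSE reads id.name:", err)
	_, err = card.Read("ID", "id.name") // refused: ID is not the running applet
	fmt.Println("unselected ID reads id.name:", err)
	card.Select("ID")
	_, err = card.Read("ID", "purse.balance") // refused: PURSE granted nothing
	fmt.Println("ID reads purse.balance:", err)
	fmt.Println("audit:", card.Denied)
}
```

The two refusals in the run correspond to the two conditions the report names: an applet acting while it is not the running applet, and an applet reaching data that belongs to another applet. A real card runtime adds more (shareable interfaces with their own checks, atomic updates, and tamper-resistant storage), but the ownership-plus-selection rule is the core of the isolation the text is asking implementers to verify before loading new applications onto issued cards.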
GSA, NIST, and other agency officials indicated that security and privacy issues are challenging, because governmentwide policies have not yet been established and widespread use of the technology has not yet occurred. As smart card projects evolve and are used more frequently, especially by citizens, agencies are increasingly likely to need policy guidance to ensure consistent and appropriate implementation.

GSA’s Effectiveness in Facilitating Federal Smart Card Adoption Has Been Limited

GSA’s efforts to promote smart card technology in the federal government have focused on coordination and contracting-related activities. The agency has taken several useful actions to organize federal smart card managers and coordinate planning for the technology. Its chief contribution has been to make it easier for federal agencies to acquire commercial smart card products by implementing a governmentwide contracting mechanism based on a standard developed in collaboration with NIST and smart card vendors. However, GSA has been less successful in other areas that are also important for promoting adoption of smart cards. For example, officials from other federal agencies indicated that GSA’s effectiveness at demonstrating the technology’s readiness for deployment was limited by its lack of success in implementing smart cards internally or developing a consistent agencywide position on the adoption of smart cards. Further, the agency did not keep its implementation strategy or administrative guidelines up to date. Nor has the agency established standards for the use of smart cards as a component of federal building security processes. Finally, GSA has not developed a framework for evaluating smart card implementations to help agencies reduce risks and contain costs.

25 5 U.S.C. § 552a.
GSA Has Addressed Many Planned Tasks Associated with Promoting Smart Cards

GSA has advanced federal adoption of smart card technology by addressing many of the major tasks outlined in the 1998 EPIC plan—which called for a standard governmentwide, multipurpose smart card system—and by developing its own smart card plan.26 In response to OMB’s 1996 tasking that GSA take the lead in promoting federal adoption of smart cards, the agency first established a technology office to support its smart card initiative and work with the President’s Management Council on deploying the technology across government.27 Beginning in 1998, GSA took steps to address tasks identified in the EPIC plan and its own plan, many of which required the collaboration and support of multiple agencies. For example, GSA worked with the Department of the Navy to establish a technology demonstration center to showcase smart card technology and applications and established a smart card project managers’ group and Government Smart Card Interagency Advisory Board (GSC-IAB).28 The agency also established an interagency team to plan for uniform federal access procedures, digital signatures, and other transactions, and to develop federal smart card interoperability and security guidelines. GSA’s Office of Governmentwide Policy was similarly established to better coordinate and define governmentwide electronic policies and technology standards in collaboration with other federal agencies and stakeholders.

26 GSA, Office of Smart Card Initiatives—Overview and Concepts (May 1998). The document includes 13 key objectives for implementation in 1998.
27 This office was eventually moved into the Federal Technology Service so that it could also monitor 13 pilot projects aimed at fostering the adoption of smart card technology.
28 In 2000, GSA established the Government Smart Card Interagency Advisory Board to address government smart card issues, standards, and practices as well as to help resolve interoperability problems among agencies.

For many federal agencies, GSA’s chief contribution to promoting federal adoption of smart cards was its effort in 2000 to develop a standard contracting vehicle for use by federal agencies in procuring commercial smart card products from vendors.29 Under the terms of the contract, GSA, NIST, and the contract’s awardees worked together to develop smart card interoperability guidelines—including an architectural model, interface definitions, and standard data elements—that were intended to guarantee that all the products made available through the contract would be capable of working together. Major federal smart card projects, including DOD’s CAC and Transportation’s planned departmentwide smart card, have used or are planning to use the GSA contract vehicle.

GSA’s achievements in promoting the federal adoption of smart card technology can be gauged by the progress it has made in addressing tasks laid out in the EPIC plan and its own smart card plan. Table 2, which provides more detailed information on major tasks from the EPIC and GSA plans and their current status, shows that GSA has taken steps to address many of these tasks.

29 GSA released the solicitation (GS-TFF-99-203) for its Smart Identification Card on January 7, 2000. In May 2000, the contract was awarded to five vendors.

Table 2: Status of Major Tasks from the EPIC and GSA Smart Card Plans

Task | Source | Milestone | Status | Comments
Form a customer advisory board to provide ongoing advice on the government’s card service program | EPIC plan | July 1997 | Addressed | GSA established a GSC-IAB in 2000 and smart card project managers’ group in 1998.
Establish interagency team to evaluate several specific smart card applications | EPIC plan | January 1998 | Partially addressed | GSC-IAB and NIST helped evaluate some smart card applications and standards, but not all issues have been addressed.
Establish a federal card services risk management forum | EPIC plan | March 1998 | Open | Some agencies have completed risk assessments and shared the information with the smart card project managers group, but no forum has been established to address outstanding issues across government.
Establish contract for common access ID program | EPIC, GSA plans | September 1998 | Addressed | The Smart ID contract was made available for agency use in May 2000.
Develop and issue final federal smart card interoperability guide | EPIC, GSA plans | June 1998 | Addressed | Working with NIST, GSA issued the first version of the guidelines in August 2000 and revisions in June 2002.
Prototype multiapplication cards | EPIC plan | September 1998 | Addressed | Since 1998, GSA and several other agencies have prototyped multiapplication cards.
Establish a Web-based clearinghouse for smart cards | EPIC plan | May 1998 | Addressed | GSA established its smart card Web site at www.smart.gov.
Establish interagency work groups to address common access and core card applications | GSA plan | September 1998 | Addressed | Through the GSC-IAB and NIST, common access and core card applications and interfaces have been addressed.
Implement and evaluate pilot projects | GSA plan | March 1999 | Partially addressed | GSA launched several pilot projects but did not always evaluate the initiatives, according to the Office of Inspector General.
Work with international governments and establish on-line services | GSA plan | October 1998 | Partially addressed | GSA and NIST are working with several international standards groups, but no on-line services have been established.
Develop and implement a smart card pilot project to improve electronic building access | GSA plan | September 1998 | Partially addressed | Some limited pilot project testing has been completed to improve electronic building access.
Work with Sandia National Laboratories to develop a high-level vulnerability assessment framework for smart card access controls | GSA plan | September 1998 | Partially addressed | Framework is not yet complete, though some initial analysis has been conducted.
Develop a joint security access program and technology center to demonstrate smart card technology | GSA plan | September 1998 | Open | Although a technology center has been established, no work has been completed on a joint security access program. NIST and the Department of State recently established an Interagency Interoperability Task Force to address some of these issues.
Launch pilot internally and explore business lines for smart cards | GSA plan | December 1999 | Addressed | GSA established a business line for smart cards in 1999.
Develop biometric application interface program for smart cards and conduct pilot projects | GSA plan | September 1998 | Partially addressed | GSC-IAB, GSA, NIST, and DOD are considering standards for biometrics and some pilots are under way.
Develop interagency framework for managing card services across government, including evaluating and testing for compliance | GSA plan | Fall 1998 | Open | GSC-IAB, GSA, and NIST are considering evaluation and testing suites for smart cards but have not yet developed an interagency framework.
Source: GAO.

GSA Has Not Fully Addressed Other Key Promotion Activities

Although GSA accomplished many of the tasks for promoting smart card adoption that were planned in 1998, many additional activities essential to advancing the adoption of smart cards across government still need to be addressed.
Evolving federal security needs and steady advances in smart card technology mean that federal agency needs likely have changed since 1998. For example, in the wake of the events of September 11, 2001, increased management attention has been paid to security both for access to federal buildings and for protecting information systems. At the same time, advances in smart card technology have led to commercial products that are both cheaper and more capable, potentially altering cost/benefit calculations that agencies may have made in the past. Thus far, OMB has not issued any further policy or guidance related to smart card technology, although it was in the process of identifying and examining smart card technology issues at the time of our review. In light of factors that have arisen or changed since GSA’s smart card promotion objectives were set in 1998, we identified the following four specific issues that have not been addressed by GSA:

• Showing leadership by successfully adopting smart cards internally. A key element of effectively promoting the adoption of a new technology such as smart cards is to demonstrate the technology’s effectiveness in an operational setting by successfully undertaking well-coordinated pilot projects that demonstrate the technology’s benefits. One of the objectives in GSA’s 1998 smart card plan was to lead by example in implementing and showcasing smart cards. Yet GSA’s pilot projects have generally not allowed the agency to lead by example. According to a report completed by GSA’s Office of Inspector General (OIG) in September 2000, there has been “no continued centralized management or direction of GSA’s internal smart card implementation, nor any coordination and monitoring of pilots.”30 For example, the OIG reported that some of GSA’s projects lacked management support and adequate funding, resulting in delays and partially completed project tasks.
In terms of coordination, GSA has been unable to develop and implement a strategy to deploy smart card technology in a standard manner across the agency. For example, two divisions within GSA, the Federal Supply Service and the Public Building Service, while operating in areas where smart cards have a known benefit, did not use GSA’s standard governmentwide contracting vehicle, which requires adherence to the government smart card interoperability specification. In addition, draft guidance on implementing a standard smart-card-based identification system across GSA was not prepared until April 2002 and is still incomplete and unapproved. Officials at three federal agencies, actively engaged in developing their own smart card systems, said that GSA’s internal track record for implementation had raised doubts about its ability to promote smart cards governmentwide. A Department of the Interior official stated that GSA had not been successful in building a business case for smart card adoption, and that, as a result, the Public Building Service was not supporting the Federal Technology Service’s efforts to implement smart card technology at government facilities, causing problems for tenant agencies looking to move to smart-card-based systems. Similarly, a DOD official stated that GSA did not have the expertise to successfully implement smart cards or assist others attempting to do so because it lacked practical experience deploying the technology internally and working collaboratively with different organizations on management and technical issues.

30 Office of Inspector General, GSA, Review of Smart Card Initiatives, Report Number A000874 (Sept. 11, 2000), p. 5.

• Maintaining an up-to-date implementation strategy and smart card guidelines. GSA’s implementation strategy for smart cards consists of the plan it prepared in 1998 as well as the EPIC plan, also developed in 1998.
Neither addresses recent issues related to smart card implementation, such as advances in smart card technology or increased federal security concerns since the attacks of September 11, 2001. In 2002, GSA began to survey federal agencies, through the GSC-IAB, on smart card implementation issues they were experiencing.31 According to GSA officials, the GSC-IAB survey will provide input to the agency that can be used to update its agenda for promoting federal smart card adoption. However, GSA has not yet committed to developing a new planning document with revised objectives and milestones.

GSA also has not updated its smart card administrative guidelines since 2000. In October 2000, GSA issued its guidelines for implementing smart cards in federal agencies.32 GSA developed the guidelines “to provide step-by-step guidance for those agencies wishing to utilize the Smart Identification Card contract vehicle to procure and implement an interoperable employee identification card.” Although the stated purpose of this document was to complement the Smart Identification Card contract, the section discussing standards and specifications does not refer to the government smart card interoperability specification recently developed by GSA and NIST, nor does it provide explicit guidance on using the interoperability specification or other critical technologies, such as contactless cards and biometrics.

• Coordinating the adoption of standard federal building security processes. GSA has not taken action to develop and coordinate standard procedures for federal building security, which would help agencies implement smart-card-based ID systems in a consistent and effective manner.
GSA is responsible for managing security at over 7,300 federal facilities, with widely varying security needs.33 In 1999, several internal GSA organizations—including the Office of Governmentwide Policy, the Federal Technology Service, the Federal Supply Service, and the Public Building Service—proposed working together to develop a standard approach for federal building security using smart card technology. However, this proposal has not been adopted, nor has any alternative strategy been developed for deploying smart card technology at federal facilities. Officials in the Federal Technology Service and the Public Building Service said that they intended to work together to develop a strategy for smart card use at federal facilities, but they have not yet begun to do so.34

31 GSA contracted with Maximus, a private consulting firm, to conduct a survey of agencies, private sector partners, and others to help identify issues critical to the smart card initiative and define future goals and objectives for the GSC-IAB.
32 GSA, Smart Card Policy and Administrative Guidelines (Oct. 20, 2000).
33 The Department of Justice established five security categories for federal buildings, ranging from facilities that require limited security (category 1) to buildings that require a maximum level of security mechanisms or safeguards (category 5). No criteria exist on the security or electronic devices that need to be installed at facilities that fall within these categories.

Although not part of a concerted standards setting process, the Federal Technology Service’s recently launched pilot smart card project could serve in the future as a basis for a federal building security standard. The pilot involved upgrading and standardizing building security systems at three government facilities in Chicago, Illinois. The project is based on smart cards with biometric capabilities to identify employees entering these facilities.
At least three federal agencies are expected to participate in the project, and its costs have been estimated to range between $450,000 and $500,000. If the project is successful, it may serve as an example for other federal agencies interested in using smart card technology for their building security processes.

• Evaluating projects to reduce implementation risks and costs. Although GSA has developed administrative and business case guidelines to help agencies identify smart card benefits and costs, as well as establishing the smart card program managers’ group and the GSC-IAB to discuss project issues, it has not established a framework for evaluating smart card projects to help agencies minimize implementation costs and risks and achieve security improvements. In September 2000, the GSA OIG reported that measurable standards were needed to assess smart card projects and help GSA lead the smart card program. It also suggested that more information and lessons learned from smart card pilot projects were needed to make improvements in the federal smart card program and to better ensure success.35 GSA agreed with the issues identified by the OIG but has not yet taken action to address recommendations cited in the report. Officials from other agencies indicated that more information is needed on smart card implementation costs and opportunities for cost savings to help agencies make a business case for the technology and to address implementation challenges.

34 For a discussion of the full range of building security technologies, including smart cards, see U.S. General Accounting Office, National Preparedness: Technologies to Secure Federal Buildings, GAO-02-687T (Washington, D.C.: Apr. 25, 2002).
35 Office of the Inspector General, GSA, Review of Smart Card Initiatives, Report A000874 (Sept. 11, 2000).
According to one agency official, more information sharing is needed on smart card implementation strategies that work and that help reduce project management costs and problems with software and hardware implementation. Agency officials also indicated that measures are needed to determine whether smart cards are working as intended to improve security over federal buildings, computer systems, and critical information, as called for by the President’s Management Agenda and the Office of Homeland Security. GSA officials indicated that many of these issues likely would be addressed by the GSC-IAB at some later date but that no specific milestones for doing so had been set.

Conclusions

Progress has been made in implementing smart card technology across government, with increasingly ambitious projects, such as DOD’s CAC, being initiated in recent years as federal managers focus on implementing smart cards to enhance security across organizations. To successfully implement smart-card-based systems, agency managers have faced a number of substantial challenges, including sustaining executive-level commitment, obtaining adequate resources, integrating physical and logical security practices, achieving interoperability among smart card systems, and maintaining system security and privacy of personal information. As both technology and management priorities evolve, these challenges may be becoming less insurmountable, particularly with the increased priority now being placed on heightened security practices to better maintain homeland security. Further, the interoperability challenge may be significantly reduced as continuing efforts are made to increase the scope and usefulness of the government smart card interoperability specification. However, without overall guidance and budgetary direction from OMB, agencies may be unnecessarily reluctant to take advantage of the potential of smart cards to enhance security and other agency operations.
Although OMB has statutory responsibility to develop and oversee policies, standards, and guidelines used by agencies for ensuring the security of federal information and systems, it has not issued any guidance or policy on governmentwide adoption of smart cards since 1996, when it designated GSA the lead for promoting federal adoption of the technology. GSA continues to play an important role in assisting agencies as they assess the potential of smart cards and move to implement them. GSA has already provided important technical and management support by developing the Smart Access Common ID contract vehicle, supporting NIST’s development of the government smart card interoperability specification, and setting up the GSC-IAB. However, GSA has not taken all the steps it could have to provide full support to agencies contemplating the adoption of smart cards. Its implementation strategy and administrative guidance have not been kept up to date and do not address current priorities and technological advances. Nor have building security standards been adopted or an evaluation process developed that address implementation of smart card systems. If such tasks were addressed, federal agency IT managers would face fewer risks in deciding how and under what circumstances to implement smart-card-based systems.

Recommendations

We recommend that the Director, OMB, issue governmentwide policy guidance regarding adoption of smart cards for secure access to physical and logical assets. In preparing this guidance, OMB should seek input from all federal agencies that may be affected by the guidance, with particular emphasis on agencies with smart card expertise, including GSA, the GSC-IAB, and NIST.
We recommend that the Director, NIST, continue to improve and update the government smart card interoperability specification by addressing governmentwide standards for additional technologies—such as contactless cards, biometrics, and optical stripe media—as well as integration with PKI, to ensure broad interoperability among federal agency systems.

We recommend that the Administrator, GSA, improve the effectiveness of its promotion of smart card technologies within the federal government by
• developing an internal implementation strategy with specific goals and milestones to ensure that GSA’s internal organizations support and implement smart card systems, based on internal guidelines drafted in 2002, to provide better service and set an example for other federal agencies;
• updating its governmentwide implementation strategy and administrative guidance on implementing smart card systems to address current security priorities, including minimum security standards for federal facilities, computer systems, and data across the government;
• establishing guidelines for federal building security that address the role of smart card technology; and
• developing a process for conducting ongoing evaluations of the implementation of smart-card-based systems by federal agencies to ensure that lessons learned and best practices are shared across government.

Agency Comments and Our Evaluation

We received written comments on a draft of this report from the Secretary of Commerce and DOD’s Deputy Chief Information Officer. We also received oral comments from officials of OMB’s Office of Information and Regulatory Affairs, including the Information Policy and Technology Branch Chief; from the Commissioner of the Immigration and Naturalization Service; from GSA’s Associate Administrator for the Office of Governmentwide Policy; and from officials representing FAA, the Maritime Administration, the Transportation Security Administration, and the Chief Information Officer of the Department of Transportation. All the agency officials who commented generally agreed with our findings and recommendations.

In addition, Commerce commented that a governmentwide smart card program was needed and that a central activity should be created to manage and fund such an initiative. However, we believe that, with sufficient policy guidance and standards to ensure broad interoperability among agency systems, agencies can effectively develop smart card programs tailored to their individual needs that also meet minimum requirements for governmentwide interoperability. DOD commented that NIST should be tasked with taking the lead in developing and maintaining interoperability standards for smart cards and biometrics. DOD also stressed the importance of biometric technology interoperability with smart cards in support of the adoption of a single set of authenticating credentials for governmentwide use. Finally, DOD also commented that the use of smart card technology for federal building security should be strengthened. We believe our recommendations are consistent with the department’s comments.

GSA noted that significant work had gone into developing smart card technology and provided additional details about activities it has undertaken that are related to our recommendations. In addition, each agency provided technical comments, which have been addressed where appropriate in the final report.
Unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the Ranking Minority Member, Subcommittee on Technology and Procurement Policy, Committee on Government Reform, and other interested congressional committees. We will also send copies to the Director, OMB; the Director, NIST; and the Administrator, GSA. Copies will be made available to others upon request. In addition, this report also will be available at no charge on our home page at http://www.gao.gov. If you have any questions concerning this report, please call me at (202) 512-6240 or send E-mail to email@example.com. Other major contributors included Barbara Collier, Jamey Collins, John de Ferrari, Steven Law, Freda Paintsil, and Yvonne Vigil.

Sincerely yours,

Linda D. Koontz
Director, Information Management Issues

Appendix I
Information about Selected Government Smart Card Projects

As part of our review, we examined smart card projects managed by the Departments of Defense (DOD), Interior, Transportation, Treasury, and Veterans Affairs (VA), as well as the Immigration and Naturalization Service (INS) and the Western Governors’ Association (WGA). These projects supported a variety of applications and used or considered smart card technology to improve logical and physical controls over systems and facilities, as well as to store information for other purposes, such as conducting financial transactions. The following provides more information on these projects.
Department of Defense

In 1999, the Deputy Secretary of Defense issued a policy directive that called for the implementation of a standard smart-card-based identification system for all active duty military personnel, DOD civilian employees, and eligible contractor personnel, to be called the Common Access Card (CAC) program.36 The directive assigned the Department’s Chief Information Officer overall responsibility to develop departmentwide smart card policy and conduct oversight of the program. Further, the Department of the Navy was made responsible for developing departmentwide interoperability standards for using smart card technology, and the National Security Agency was given the lead for developing a departmentwide public key infrastructure (PKI) program to be integrated with the CAC. In October 2000, Defense began initial rollout with plans to distribute cards to approximately four million individuals across the department by 2003. The CAC is equipped with a 32-kilobyte chip formatted in a standard manner to ensure interoperability among the military services and defense agencies. It also includes a set of PKI credentials, including an encryption key, signing key, and digital certificate. To obtain a CAC, individuals must produce multiple forms of identification. DOD’s PKI-enabled computer systems then examine the digital certificate produced by a user’s card to determine whether the cardholder is granted access to specific DOD systems. DOD is working to adapt its E-mail systems to work with PKI to better ensure that electronic messages are accessible only by designated recipients. In addition, according to DOD, cardholders will be able in the future to electronically sign travel vouchers using the digital certificates on their cards.

36 Deputy Secretary of Defense, Memorandum on Smart Card Adoption and Implementation (Washington, D.C.: Nov. 10, 1999).
In the future, DOD plans to add biometrics and other advanced capabilities to the CAC. Biometric data will be stored on the card and could include fingerprints, palm prints, iris scans, or facial features. To store these data, the amount of memory on the card would be doubled from 32 kilobytes to 64 kilobytes. DOD also plans to improve physical security controls over installations and bases by adding a contactless chip to the CAC to avoid delays when military personnel enter facilities.

Department of the Interior

In January 2002, the Department of the Interior’s Bureau of Land Management (BLM) launched a smart card pilot project to help improve security over its sites and employees. The bureau has 164 major sites and approximately 13,000 full- and part-time employees, including contractors. About 1,100 employees were given smart cards for personal identification and to improve safeguards at pilot sites in Nevada and Arizona. The pilot’s goal was to demonstrate the feasibility and interoperability of smart cards and to communicate their potential to employees throughout the bureau. In addition to distributing 1,000 more smart cards to bureau employees by November 2002, the bureau expects to equip about 1,000 of the existing cards with PKI certificates to be used with PKI-enabled software applications to improve security over systems and electronic transactions. According to bureau officials, the project has been a success, and it plans to continue the rollout of smart cards to remaining employees. The bureauwide rollout is scheduled to begin in January 2003. The total estimated cost of the effort is $5.8 million, and according to the bureau’s business case, this effort will break even in 2004. This includes all contracts, labor costs, software, hardware, and maintenance costs over a 5-year life cycle.
The full implementation of the smart card system is expected to eliminate redundant administrative processes for personal identification and open up opportunities for additional applications by establishing digital certificates for creating digital signatures. All new and future building locations are planned to be equipped with the smart card technology necessary to pursue this effort, and many existing sites are being upgraded. BLM has reported experiencing a 70 percent drop in the cost of physical access systems since the cards’ initial deployment. In one of the pilot locations, all processes are to be outsourced (except for human resources, physical access, and security officer functions), with bureau employees making all policy and business decisions.

Department of Transportation

The Department of Transportation currently has two large smart card projects targeted for deployment. In the first pilot, the Federal Aviation Administration (FAA) plans to distribute smart cards internally to approximately 10,000 employees and on-site contractor support personnel primarily to secure physical access to the agency’s facilities. Recently, the FAA released a request for proposal outlining minimum requirements for smart card credentials. The agency plans to procure smart cards through the General Services Administration (GSA) Smart Access Common ID contract and will apply GSA’s interoperability specification. The card is planned to be a Java-based37 hybrid (contact and contactless) card, containing a 32-kilobyte chip as well as a magnetic stripe and barcode. The card will likely also feature a biometric for enhanced authentication (most likely fingerprint data). The second pilot is being managed by the Transportation Security Administration (TSA), which is scheduled to be transferred to the Department of Homeland Security on March 1, 2003.
For this pilot, the TSA plans to issue smart identification (ID) cards to up to 15 million “transportation workers”—defined as any persons who require unescorted access to a secure area in any transportation venue. The pilot project will be focused on major airports, seaports, and railroad terminals and will include all modes of transportation. TSA’s goal is to create a standardized, universally recognized and accepted credential for the transportation industry. Initially, the transportation worker ID will be used for obtaining physical access to transportation facilities. Subsequently, a phased approach will be used to add logical access capabilities to the card. According to agency officials, the card will be designed to address a minimum set of requirements, but it will remain flexible to support additional requirements as needed. The card will be used to verify the identity and security level of the cardholder, and local authorities will grant access in accordance with local security policies. TSA has established working groups for various aspects of system development, such as card design, identity documentation requirements, and card policy. To share costs and leverage existing resource investments, TSA is currently working with INS on its entry/exit project to use established land, air, and sea ports as checkpoints.

37 Java is a high-level, object-oriented programming language developed by Sun Microsystems that is well suited for use on the World Wide Web. Java card technology supports multiple, independently secure applications with a single smart card and is compatible with existing smart card standards from many organizations, such as the internationally recognized International Standards Organization.
In addition, TSA has established working relationships with industry groups and coordinated with other agencies, such as Treasury and the Federal Bureau of Investigation, and is looking to develop cost sharing strategies for future implementations. TSA’s budget for fiscal year 2003 was not determined at the time of our review, and agency officials said that the availability of funds would determine how quickly the pilot would be implemented. The pilot will likely be implemented within the next 3 years. According to one agency official, the TSA program, if implemented successfully, would likely become the largest civilian agency smart card initiative to date.

Department of the Treasury

The Department of the Treasury plans to launch a proof of concept project to assess several smart card technologies for possible agencywide use for both physical and logical access. The project is being funded and managed by Treasury’s Chief Information Officer Council at a cost of $2.8 million. Six Treasury organizations are participating in the pilot: the Secret Service; the Internal Revenue Service; the Bureau of Alcohol, Tobacco and Firearms; the Bureau of Engraving and Printing; the Federal Law Enforcement Training Center; and the main department. The Secret Service has been designated the lead bureau and will also lead the future departmentwide smart card project. In total, Treasury plans to issue about 10,000 smart cards. These cards are to be Java-based devices with 32 kilobytes of storage, capable of supporting multiple technologies for use in various configurations. For example, the cards will support both contact and contactless access, although not all will contain biometrics. All the cards are expected to contain PKI certificates for creating digital signatures and encrypting E-mail messages. The cards are also expected to be equipped with two-dimensional barcodes and a magnetic stripe to enable integration with existing systems.
Like DOD, Treasury plans to allocate space on the card for individual bureaus to use in creating their own applications, such as the Federal Law Enforcement Training Center’s plan to use the cards when issuing uniforms to students. A Treasury official believes that using smart cards will simplify certain processes, such as property and inventory management, that are currently paper-based and labor-intensive. Information from this proof of concept project will be used to launch an agencywide smart card project. GSA’s Smart Access Common ID Contract and interoperability guidelines will be used to ensure that appropriate smart card technologies are evaluated. The proof of concept is expected to last about 6 months, with the pilot ending in January 2003. At that time, a report will be completed, and a business case for an agencywide smart card solution will likely be prepared. Preliminary cost estimates for implementing a Treasury-wide smart card system, which would support around 160,000 employees, are in the range of $50 to $60 million.

Department of Veterans Affairs

In April 2001, the Department of Veterans Affairs (VA) began issuing cards for its VA Express Registration Card pilot project. Initiated in 1999, the project was to provide agency customers with a smart card carrying medical and personal information that could be used to speed up registration at VA hospitals. The card was also intended to be usable by non-VA hospitals equipped with the necessary readers to access patients’ VA benefits information. At the time of our review, about 24,000 smart cards had been issued through two VA hospitals located in Milwaukee, Wisconsin, and Iron Mountain, Michigan.
The cards are PKI enabled and can also be used throughout VA’s network of hospitals—the majority of which do not have smart card readers—because they include all the same patient information found printed on the front of the older Veteran Identification Cards, which are still in use. The PKI capabilities of the card allow patients with a home computer and card reader to securely access their information on-line and digitally sign forms, saving time and offering convenience for both the patient and the agency. For those without Internet access, kiosks were installed at the two pilot locations, allowing Express Card holders to access their information, make any necessary changes, or request PKI certificates. The VA Express Card program used GSA’s Smart Access Common ID contract for procurement and technical assistance. According to agency officials, using the Express Card reduced registration time at hospitals by 45 minutes. Patients involved in the pilot project had access to express registration services, thus saving time. However, although the Express Card program is still in use, VA officials have decided not to expand beyond the two pilot locations. The reasons given were the expense of back-end automation, complications integrating the new system with legacy systems, and the lack of an existing card reader infrastructure at other VA hospitals. The agency maintains card management, support, and issuance capabilities at the pilot locations to support the smart cards that are still in use.

Immigration and Naturalization Service

The Department of Justice’s INS currently has a card-based project under way to control access at the nation’s borders. The project includes two types of cards—Permanent Resident Cards and Border Crossing Cards (also known as “Laser Visas”).
As part of the Border Crossing Cards project, INS is working with the Department of State to produce and distribute the cards. Under the Illegal Immigration Reform and Immigrant Responsibility Act of 1996,38 every Border Crossing Card issued after October 1, 2001, is required to contain a biometric identifier and be machine readable. The Laser Visas will store biographical information along with a photograph of the cardholder and an image of the cardholder’s fingerprints. The Permanent Resident Cards will store similar information. Information from the Laser Visas is stored in a central INS database. As of June 2002, more than five million Laser Visas and approximately six million Permanent Resident Cards had been issued. The Permanent Resident Card and Laser Visa make use of optical stripe technology, with storage capacity ranging from 1.1 megabyte to 2.8 megabytes, to store large amounts of information, but they do not contain integrated circuit chips to process data. As part of a cost-benefit analysis conducted in 1999, INS considered implementing chip-based smart cards and determined that smart card technology was not the best solution. This decision was based, in part, on the limited storage capacity of smart cards at the time. INS examined smart cards with 8 kilobytes of memory, which did not provide enough memory to store the fingerprint data required by law. Smart cards now have a storage capacity of up to 64 kilobytes and are capable of storing color photo images of individuals as well as full fingerprint images.

Western Governors’ Association

In June 1999, WGA launched the Health Passport Project (HPP) in three states—Nevada, North Dakota, and Wyoming—to evaluate and test a range of applications and technologies based on a common smart card platform.

38 The Illegal Immigration Reform and Immigrant Responsibility Act of 1996 was enacted as division C of the Omnibus Consolidated Appropriations Act, P.L. No. 104–208, 110 Stat. 3009-546 (1996).
The project was to be conducted within an 18-month demonstration period and be integrated with other state-administered prenatal, physician care, nutrition, and early childhood education programs. Each state was expected to maintain common demographic information as well as clinical data on individuals participating in the pilot project. Selected sites also tested unique applications related to electronic benefits transfer (EBT), insurance eligibility, and health appointment information. WGA had overall responsibility for managing the HPP contract, and each state was responsible for providing on-site management, technical support, and funding as needed. The Departments of Agriculture and Health and Human Services also provided project funding and support, with GSA providing technical assistance as requested. The HPP initiative involved the distribution of 2,348 cards to individuals in Bismarck, North Dakota; 991 cards in Cheyenne, Wyoming; and 8,459 cards in Reno, Nevada. With additional state funding, the HPP initiative has continued to operate beyond the demonstration period, which concluded in December 2001.

The HPP platform consists of smart cards, special card readers attached to health providers’ personal computers, card readers installed at grocery or retail establishments and register systems, servers to maintain backup databases, kiosks, and a network. The health passport card contains an 8-kilobyte chip, storing demographic, health, and benefit information on participants as well as a magnetic stripe for Medicaid eligibility information. Smart card readers are used to read and write information to the card.
These devices are linked to HPP workstations and to the Women, Infants, and Children EBT application, which allows benefits to be stored on the card and used at grocery and retail establishments that have card readers installed at point-of-sale register locations. Kiosks are free-standing machines that operate by a touch screen feature and read information stored on the card.

In December 2001, the Urban Institute and the Maximus consulting firm prepared a report for WGA, which reviewed the results of the HPP initiative. The report stated that HPP was successful in bringing a concept to life. HPP enabled participants to use the EBT and healthcare appointment and immunization information more effectively and conveniently, because information was stored on the card. Project participants also liked using the cards and kiosks to access their personal information, and many liked being able to electronically track appointments and health care records. In addition, retailers liked the cards and the ability to track EBT data more accurately. WGA officials further noted that HPP has helped federal and state governments maintain more accurate information on EBT distributions and baby formula purchases, which can be used to request coupon rebates from manufacturers. More accurate sales information is available and shared with manufacturers to resolve disputes over rebates and to obtain more timely refunds.

Glossary

Attack: An attempt by one or more parties involved in a smart-card-based transaction to cheat by taking advantage of potential weaknesses in the security of the card.

Authentication: The process of confirming an asserted identity with a specified or understood level of confidence.
Biometrics: Measures of an individual’s unique physical characteristics or the unique ways that an individual performs an activity. Physical biometrics include fingerprints, hand geometry, facial patterns, and iris and retinal scans. Behavioral biometrics include voice patterns, written signatures, and keyboard typing techniques.

Biometric template: A digital record of an individual’s biometric features. Typically, a “livescan” of an individual’s biometric attributes is translated through a specific algorithm into a digital record that can be stored in a database or on an integrated circuit chip card.

Card edge: The set of command and response messages that allow card readers to communicate effectively with the chips embedded on smart cards.

Contactless smart card: A smart card that can exchange information with a card reader without coming in physical contact with the reader. Contactless smart cards use 13.56 megahertz radio frequency transmissions to exchange information with card readers.

Confidentiality: The assurance that information is not disclosed to unauthorized entities or processes.

Digital signature: A special encrypted code, attached to an electronic message, that can be used to prove to a third party that the message was, in fact, signed by the originator. Digital signatures may also be attached to other electronic information and programs so that the integrity of the information and programs may be verified at a later time.

Electronic government: Government’s use of technology, particularly Web-based applications, to enhance the access to and delivery of government information and services to citizens, business partners, employees, other agencies, and government entities.

Identification: The process of determining to what identity a particular individual corresponds.
Interoperability: The ability of two or more systems or components to exchange information and to use the information that has been exchanged.

Middleware: Software that allows a software application running on another system to communicate and exchange data with the integrated circuit chip on a smart card.

Nonrepudiation: The assurance that the identity of the sender of an electronic message can be proven and that delivery of the message to the recipient can also be proven so that neither party can later deny having processed the message.

Privacy: The ability of an individual to decide when and on what terms elements of his or her personal information should be revealed.

Public key infrastructure (PKI): A system of hardware, software, policies, and people that, when fully and properly implemented, can provide a suite of information security assurances—including confidentiality, data integrity, authentication, and nonrepudiation—that are important in protecting sensitive communications and transactions.

Smart card: A tamper-resistant security device—about the size of a credit card—that relies on an integrated circuit chip for information storage and processing.

(310433)

GAO’s Mission

The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select “Subscribe to daily E-mail alert for newly released products” under the GAO Reports heading.

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office, 441 G Street NW, Room LM, Washington, D.C. 20548. To order by phone: Voice: (202) 512-6000; TDD: (202) 512-2537; Fax: (202) 512-6061.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm; E-mail: firstname.lastname@example.org; Automated answering system: (800) 424-5454 or (202) 512-7470.

Public Affairs

Jeff Nelligan, managing director, NelliganJ@gao.gov, (202) 512-4800. U.S. General Accounting Office, 441 G Street NW, Room 7149, Washington, D.C. 20548.

United States General Accounting Office, Washington, D.C. 20548-0001. Official Business. Penalty for Private Use $300. Address Service Requested.
Electronic Government: Progress in Promoting Adoption of Smart Card Technology
Published by the Government Accountability Office on 2003-01-03.