A New Identity
Agencies work to issue standard smart cards as employee credentials.
Ready or not, federal agencies and managers are about to be hit with new requirements for credentialing millions of employees and contractors. The National Institute of Standards and Technology has spent months developing rules that require agencies to use smart cards with integrated circuit chips containing employee data and biometric fingerprint scans.
President Bush issued a directive last summer ordering agencies to meet a governmentwide standard for worker credentials. The goal is to make them compatible across agencies, secure against fraud and effective at tracking workers' activities.
When the rules take effect in October, many agencies either will have to issue new smart cards or adjust existing ones. Agencies have grappled for years with administering their own credentialing programs. They've had to set their own standards, determine which workers need credentials and conduct background checks on employees. Some say the governmentwide rules create more headaches and challenges.
Federal managers have voiced concerns about the new requirements, such as meeting the aggressive time line for compliance, ensuring privacy and civil rights protections, whether they will have to distribute new cards to workers who already have them, and whether they will have to negotiate with federal unions over issuing credentials. Another concern is the cost of issuing new cards. The Social Security Administration, for example, estimates that it will need up to $35 million to process cards for more than 100,000 employees and private sector contractors.
Karen Evans, OMB's administrator for electronic government and information technology, believes that government managers will be able to adjust to the credentialing requirements without much difficulty and agencies should be able to cover any additional costs through their existing budgets. "Agencies are already investing substantial resources in the management of employee and contractor identities," she says. "We expect those resources to be redirected toward this effort."
One of the biggest challenges for agencies is to develop an internal structure for credentialing workers, according to Randy Vanderhoof, executive director of the Smart Card Alliance. The organization includes representatives from 18 government agencies and 85 companies and nonprofit organizations. Vendors are ready to assist agencies and are well-schooled in credentialing technology, Vanderhoof says, but agencies first must know what they need.
The Federal Identity Credentialing Committee plans to issue a handbook in March on using smart cards, and the Government Smart Card Interagency Advisory Board will offer briefings to senior managers at all agencies.
Agency officials especially want to know whether their existing smart cards and credentialing systems will be compliant with the new rules. The interagency advisory board has made recommendations to NIST for migration to the new standards to ensure that those cards do not immediately become obsolete.
But federal managers should already be planning for upcoming deadlines, Vanderhoof says. Agencies must submit documents to the Office of Management and Budget outlining their compliance with the new smart card rules by the end of June. "Is it going to be difficult? Yes," he says. "But is there help and support out there for agencies that are proactive in finding it? That answer is also yes."
OMB will issue guidelines in March to help agencies implement the new rules. "The time frames mandated by the directive are aggressive," says Evans. "But we will be working with the General Services Administration to establish shared services, group buying opportunities and [provide] other streamlined contracting vehicles to assist agencies" with credentialing.
One of the most ambitious worker identification efforts is the Transportation Worker Identification Credential program at the Transportation Security Administration. When it's finalized, the program will comply with the new standards.
In November, TWIC began a seven-month pilot at four sites to develop administrative and business processes, collect transportation worker data, issue credentials, install card readers at its facilities and track use of the cards. About 200,000 workers involved in mari-time, rail, aviation and ground transportation are expected to participate in the pilot, which will expand to 34 sites by spring.
Justin Oberman, director of TSA's office of national risk assessment, says five main challenges in implementing TWIC could apply to any federal credentialing program:
- Determine what is at risk and needs protection through credentialing.
- Evaluate statutory requirements.
- Develop a business model that provides an appropriate division of labor between the public and private sector, and a funding plan that determines whether new fees should be assessed.
- Determine whether a new regulation, such as requiring certain workers to carry identification cards, is needed and the strategy for getting it approved and implemented.
- Effectively administer the entire effort.
Critics say the government has not provided enough policy guidance on how to ensure that workers' privacy and civil rights are protected. Ari Schwartz, associate director of the Center for Democracy and Technology, says the government is doing things backwards. "The people, the process and the technology are all equally important. But there's been more of an emphasis on the technology," he says. "They are coming out with technical guidelines first and then will come out with policy guidelines."
Schwartz is confident that developing a governmentwide ID card is feasible, given that multinational corporations already do it for their workers. But, like others, he predicts the road to using a common smart card will be a bumpy one. "I don't think we can expect that, come October, everything is going to work smoothly," he says. "It will have to be an incremental process. But it is the government's job to be able to manage its employees, and this is a logical step."
NEXT STORY: Building the Medical Internet