Status of U.S. Smart Card Deployment

1
Status of U.S. Smart Card Deployment

• Jim Dray
• Porvoo 7/ World eID Meeting
• May 2005

2
History

• Government Smart Card Program 2000
• Interoperability Specification NISTIR 6887
• Basis for some agency deployments
• Department of Defense Common Access Card
• Transportation Worker Identification Card
• No strong mandate for card deployment across
  agencies
• Gradual progress up to 27 August 2004...

3
Homeland Security Presidential Directive 12

• Signed by the President 27 August 2004
• Federal agencies are directed to deploy secure
  and reliable forms of authentication for
  employees and contractors that can be rapidly
  authenticated electronically
• NIST is directed to develop the technical
  framework and promulgate a Federal Information
  Processing Standard for Personal Identity
  Verification

4
Federal Information Processing Standard 201

• Published 25 February 2005
• Technical framework for Personal Identity
  Verification (PIV)
• Two implementation phases
• Meet control objectives by October 2005 (I)
• Deploy interoperable PIV card systems (II)
• Each agency will negotiate a Phase II completion
  date with the Office of Mangement and Budget

5
Special Publication 800-73

• Interfaces for Personal Identity Verification
  8 April 2005
• Technical specifications for PIV card interface,
  client API, and data model
• Based on evolution of GSC concepts
• Unified card interface
• Technology neutral (VM card, file system card)
• Standards compliant (ISO)

6
Other PIV Special Publications

• SP800-76 Biometric Data Specification for
  Personal Identity Verification (Draft)
• SP800-78 Cryptographic Algorithms and Key Sizes
  for Personal Identity Verification
• SP800-79 Issuer Organization Accreditation
  Guidance (comment draft 17 June)

7
Non-government Standards

• ISO 24727 Smart card interoperability framework
• Considering a national standard (ANSI) to fill
  the gap between GSC and ISO 24727

8
ISO 24727

• ISO JTC1/SC17 WG4/TF9
• Teresa Schwarzhoff(NIST), Convener
• http//www.iso.org/jtc1/sc17/wg4/tf9
• Standardize a set of programming interfaces for
  Identification, Authentication, Signature
• The primary focus is interoperability between
  applications, middleware, cards

9
ISO 24727 Document Status

• Part 1
• Overarching framework
• Status First Committee Draft ballot completed,
  CD resolution of comments May 31, 2005
• Part 2
• Describes common card interface
• Status In CD ballot stage, closes August 2005
• Part 3
• New territory for smart card standards Client
  API, middleware
• Set of services connection, discovery,
  retrieval, identity, cryptography
• Status Possible CD candidate by Oct 2005

10
U.S. Smart Card Landscape

• GSC Interoperability Specification is a legacy
  card framework
• ISO 24727 is the future framework
• PIV (SP800-73) is a card application
  specification looking for a framework
• A U.S. National Standard may provide an
  intermediate path between GSC and ISO 24727?

11
U.S. GSC Planned Work

• Formal Standards, international coordination
• PIV Reference Implementation (25 June)
• PIV Conformance Test Program (25 August)
• Procurement Guidance General Services
  Administration
• Deployment Guidance Office of Management and
  Budget
• And so on...

12
Major Challenges

• PIV Infrastructure
• Business model changes for Federal agencies
• Positioning the PIV application specification
  with respect to ISO 24727
• Conformance testing
• Commercial product availability does NOT appear
  to be a problem in the SP800-73 domain
• 3 cards already claim PIV compliance (beta)!

13
Conclusion

• Our PIV work in the U.S. has only begun, but the
  timing is good. After all, I retire in eight
  years so I may live to see full deployment of PIV
  cards.

14
Contact Details

• james.dray_at_nist.gov GSC Chief Architect
• teresa.schwarzhoff_at_nist.gov GSC Standards
  Program Manager
• william.barker_at_nist.gov PIV Project Manager
• PIV Website http//csrc.nist.gov/piv-project