ITAA favors current smart card specs

Members of the Information Technology Association of America say they hope to persuade federal officials to modify a proposed biometric smart card specification being developed in response to Homeland Security Presidential Directive 12. Federal officials are rushing to ratify the new standard by the end of February.

Officials at ITAA, which represents some of the nation's largest computer hardware and software companies, have asked government officials to build upon federal smart card standards already in use in the Defense Department and several other large agencies. That standard is known as the Government Smart Card Interoperability Specification.

In comments on a draft version of the federal biometric smart card standard, ITAA's leaders also asked federal officials to consider pushing back an Oct. 25 deadline for agencies to begin issuing the new identification cards to executive branch employees and contractors who work in federal buildings. "We want them to move quickly but to take the time to do it right," said Jennifer Kerber, ITAA's director for homeland security.

ITAA officials submitted these and other comments to officials at the National Institute of Standards and Technology, where the card standards are being written. NIST officials say they have received more than 1,900 comments on the proposed biometric smart card specification, Federal Information Processing Standard 201.

NIST officials released a draft document this week containing revised specifications for interfacing with the proposed card standard. The period for public comment on the new document, Special Publication 800-73, ends Feb. 14.

ITAA members asked NIST officials to work with Office of Management and Budget officials to estimate what agencies will have spend to implement HSPD 12, which requires them to quickly adopt a common identification standard for executive branch employees and contractors.

ITAA officials also asked NIST officials to consider requiring agencies to use knowledge-based authentication and document verification technologies to supplement traditional background checks before issuing the cards.

In further advising NIST, ITAA officials said that OMB officials should consider creating an identity and access management line of business and making it part of the IT planning documents known as the Federal Enterprise Architecture. As part of that requirement, they said, agency officials would develop identity and access management business case documents and submit those with their budget requests.

In a separate action last week, NIST officials released a draft biometric data specification for personal identity verification to supplement FIPS 201. The new document, Special Publication 800-76, is a proposed standard for preparing biometric data such as fingerprints and facial images for submission to the FBI for employee background checks.

Government and industry officials and others have until Feb. 7 to submit comments on the document to NIST at the following e-mail address: DraftFips201@nist.gov.

A separate document, which is a final public draft of Special Publication 800-53 on recommended security controls for federal information systems, is also ready for public review, NIST officials said.

The document recommends security controls for low, moderate, and high impact information systems based upon a system's security categorization. A separate NIST document, FIPS 199, tells how to categorize systems for security purposes.

The final public draft is a precursor to a final document that will become FIPS 200 in December. FIPS 199 and FIPS 200 are standards that federal agencies must comply with under the Federal Information Security Management Act of 2002.