All major agencies are required to submit implementation plans to the White House Office of Management and Budget that describe how they intend to meet the smart-card requirements outlined in Federal Information Processing Standard 201. The cards must support two-factor authentication via digital certificates, a password or personal identification number, and biometric identifiers.
The effort required for most agencies to conform to the mandates makes meeting the two October deadlines “very challenging,” said John Moore, chairman of the Federal Smart Card Project Managers Group and director of the Office of Governmentwide Policy at the General Services Administration in Washington.
Because the Personal Identity Verification (PIV) cards will control access to both physical and IT assets, IT departments within agencies have to work with their counterparts on the physical security side, as well as with badging and access-control staffers and human resources personnel, Moore said. The specification is designed to make the smart cards more interoperable than existing ones, said Curt Barker, NIST’s FIPS-201 program manager.
For instance, the U.S. Department of Defense has rolled out more than 4 million of the previous-generation cards. Although Barker said the transition is intended to be “evolutionary,” he noted that agencies such as the DOD could find things “a bit more complex” than agencies that are implementing smart-card technology for the first time.
Some of the technical details of the smart cards themselves are still in draft form, said Neville Pattison, director of technology and government affairs at Axalto Inc., a smart-card manufacturer in Austin. Large-scale manufacturing of PIV cards is unlikely to happen before the second half of next year, said Pattison, who was on a team that acted as a liaison between agencies and technology vendors.
http://www.computerworld.com/securitytopics/security/story/0,10801,102778,00.html