Electronic Government: Federal Agencies Continue to Invest in
Smart Card Technology (08-SEP-04, GAO-04-948).
Smart cards--plastic devices about the size of a credit card--use
integrated circuit chips to store and process data, much like a
computer. Among other uses, these devices can provide security
for physical assets and information by helping to verify the
identity of people accessing buildings and computer systems. They
can also support functions such as tracking immunization records
or storing cash value for electronic purchases. Government
adoption of smart card technology is being facilitated by the
General Services Administration (GSA), which has implemented a
governmentwide Smart Card Access Common ID contract, which
federal agencies can use to procure smart card products and
services. GAO was asked to update information that it reported in
January 2003 on the progress made by the federal government in
promoting smart card technology. Specific objectives were to (1)
determine the current status of smart card projects identified in
GAO's last review, (2) identify and determine the status of
projects initiated since the last review, and (3) identify
integrated agencywide smart card projects currently under way. To
accomplish these objectives, GAO surveyed the 24 major federal
agencies. In commenting on a draft of this report, officials from
GSA and the Office of Management and Budget generally agreed with
its content.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-04-948
ACCNO: A12184
TITLE: Electronic Government: Federal Agencies Continue to
Invest in Smart Card Technology
DATE: 09/08/2004
SUBJECT: Electronic government
Identification cards
Identity verification
Program evaluation
Smart cards
Information technology
Computer security
Facility security
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-04-948
United States Government Accountability Office
GAO Report to the Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census, Committee on Government Reform,
House of Representatives
September 2004
ELECTRONIC GOVERNMENT
Federal Agencies Continue to Invest in Smart Card Technology
a
GAO-04-948
Highlights of GAO-04-948, a report to the Subcommittee on Technology,
Information Policy, Intergovernmental Relations, and the Census, Committee
on Government Reform, House of Representatives
Smart cards-plastic devices about the size of a credit card-use integrated
circuit chips to store and process data, much like a computer. Among other
uses, these devices can provide security for physical assets and
information by helping to verify the identity of people accessing
buildings and computer systems. They can also support functions such as
tracking immunization records or storing cash value for electronic
purchases. Government adoption of smart card technology is being
facilitated by the General Services Administration (GSA), which has
implemented a governmentwide Smart Card Access Common ID contract, which
federal agencies can use to procure smart card products and services.
GAO was asked to update information that it reported in January 2003 on
the progress made by the federal government in promoting smart card
technology. Specific objectives were to (1) determine the current status
of smart card projects identified in GAO's last review, (2) identify and
determine the status of projects initiated since the last review, and (3)
identify integrated agencywide smart card projects currently under way. To
accomplish these objectives, GAO surveyed the 24 major federal agencies.
In commenting on a draft of this report, officials from GSA and the Office
of Management and Budget generally agreed with its content.
www.gao.gov/cgi-bin/getrpt?GAO-04-948.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda Koontz at (202)
512-6249 or [email protected].
September 2004
ELECTRONIC GOVERNMENT
Federal Agencies Continue to Invest in Smart Card Technology
According to GAO's survey results, as of June 2004, more than half of the
smart card projects previously reported as ongoing (28 out of 52) had been
discontinued because they were absorbed into other smart card projects or
were deemed no longer feasible. Of the remaining 24 projects, 16 are in
planning, pilot, or operational phases and are intended to support a
variety of uses (agencies did not provide current information for 8
projects). Twelve of the 16 projects are large-scale projects intended to
provide identity credentials to an entire agency's employees or other
large group of individuals. For example, the Department of Defense's (DOD)
Common Access Card is to be issued to an estimated 3.5 million DOD-related
personnel, and the Transportation Security Administration's Transportation
Worker Identification Credential is to be used by an estimated 6 million
transportation industry workers. The other 4 projects are smaller in
scale, and are intended to provide access or other services to limited
groups of people. For example, the Department of Commerce's Geophysical
Fluid Dynamics Laboratory Access Card is to be issued to about 612
employees, contractors, and research collaborators. Further, in response
to the survey, agencies reported 8 additional smart card projects that
were ongoing at the time of the last review. These projects include 4
planned for multiple applications (such as identity credentials and
access) and 4 for single applications, including stored value, access to
computer systems, and processing travel documents.
Based on GAO's survey of federal agencies, 10 additional smart card
projects have been initiated since the last review. These projects vary
widely in size and scope. Included are small-scale projects, involving
cards issued to as few as 126 cardholders (such as a project in the
Department of Labor's Employment and Training Administration), and
large-scale agencywide initiatives, such as the Department of Veterans
Affairs Authentication and Authorization Infrastructure card, which is to
be issued to an estimated 500,000 employees and contractors. Four agencies
reported purchases under GSA's Smart Card Access Common ID contracting
vehicle, and others likewise have plans to use this contract.
Specifically, five agencies-the Departments of Defense, Homeland Security,
the Interior, and Veterans Affairs, and the National Aeronautics and Space
Administration-are planning to make an aggregated purchase of up to 40
million cards over the next 4 years using the GSA contract.
Finally, nine agencies are developing and implementing integrated
agencywide smart card initiatives. These projects are intended to use one
card to support multiple functions, such as providing identification
credentials, accessing computer systems, and storing monetary values.
Contents
Letter
Results in Brief
Background
Status of Previously Ongoing Smart Card Efforts
Agencies across the Government Continue to Invest in Smart Card
Projects Implementation of Agencywide Smart Card Initiatives Summary
Agency Comments and Our Evaluation
1 2 3 9
18 21 22 23
Appendix
Appendix I: Objectives, Scope, and Methodology
Table 1: Summary Information on 52 Projects
Tables Reported as Ongoing
as of January 2003 11
Table 2: Detailed Status of 16 Previously Reported
Projects That
Remain Active as of June 2004 14
Table 3: Status of 8 Ongoing Smart Card Projects
That Were Not
Previously Reported 17
Table 4: Status of 10 Recently Initiated Smart 19
Card Projects
Table 5: Agencywide Smart Card Projects 22
Figure 1: A Typical Smart Card Figure 2:
Figures Distribution by Project Phase of 52 Federal 5
Projects
Previously Reported as Ongoing 10
Figure 3: Deployment Phases for 8 Projects That
Were Not
Previously Reported 16
Figure 4: Deployment Phases for 10 Recently 18
Initiated Projects
Contents
Abbreviations
CAC Common Access Card
DHS Department of Homeland Security
DOD Department of Defense
FICC Federal Identity Credentialing Committee
GSA General Services Administration
NASA National Aeronautics and Space Administration
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
PKI public key infrastructure
TSA Transportation Security Administration
VA Department of Veterans Affairs
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
A
United States Government Accountability Office Washington, D.C. 20548
September 8, 2004
The Honorable Adam H. Putnam
Chairman, Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census Committee on Government Reform
House of Representatives
Dear Mr. Chairman:
As you know, technology plays an important role in helping the federal
government provide security for its many physical and information assets.
In particular, "smart cards"1 offer the potential to significantly improve
the process of verifying the identity of people accessing federal
buildings and computer systems-especially when these cards are used in
combination with other technologies, such as biometrics. Further, smart
cards can be used to support other business-related functions, such as
tracking immunization records or storing cash value for electronic
purchases.
The General Services Administration (GSA) has promoted the adoption of
smart card technology across the government based on a goal of equipping
all federal employees with a standardized smart card for a wide range of
services. In support of this goal, GSA has implemented a governmentwide,
standards-based contracting vehicle, the Smart Card Access Common ID
contract, which federal agencies can use to procure smart card products
and services. The contract specifies adherence to the government smart
card interoperability2 specification, which has been developed by the
National Institute of Standards and Technology (NIST) and is intended to
ensure that government smart card implementations achieve a minimum level
of interoperability.
1Smart cards are plastic devices-about the size of a credit card-that use
integrated circuit chips to store and process data, much like a computer.
This processing capability distinguishes these cards from traditional
magnetic stripe cards, which cannot process or exchange data with
automated information systems.
2Interoperability is the ability of two or more systems or components to
exchange information and to use the information exchanged.
In January 2003, we reported on progress that the federal government had
made in promoting the adoption of smart card technology.3 This report
responds to your request that we update this information. Specifically,
our objectives were to (1) determine the current status of smart card
projects under way at the time of our last review, (2) identify and
determine the status of projects initiated since our last review was
completed, and (3) identify integrated agencywide smart card projects that
are currently under way.
To address these objectives, we surveyed the 24 major federal agencies
(i.e., agencies covered by the Chief Financial Officers Act as well as the
Department of Homeland Security (DHS)) regarding the status of their smart
card projects. We also obtained supporting documentation where available
and conducted follow-up interviews with agency officials responding to the
survey to ensure that the information provided was current and accurate.
In addition, we contacted GSA officials to discuss agencies' use of the
Smart Card Access Common ID contract and other governmentwide
implementation issues. Further details of our objectives, scope, and
methodology are given in appendix I.
We performed our work between November 2003 and July 2004, in accordance
with generally accepted government auditing standards.
Results in Brief Of the 52 smart card projects that we reported as ongoing
in January 2003, 28 had been discontinued as of June 2004 because they
were absorbed into other smart card projects or were deemed no longer
feasible. Of the remaining 24 projects, 16 are in planning, pilot, or
operational phases and are intended to support a variety of uses (the
agencies did not provide current information on the remaining 8). Twelve
of the 16 projects are large-scale projects intended to provide identity
credentials to an entire agency's employees or other large group of
individuals. Examples include the Department of Defense's (DOD) Common
Access Card (CAC), which is to be issued to an estimated 3.5 million
DOD-related personnel, and the Transportation Security Administration's
Transportation Worker Identification Credential, which is to be used by an
estimated 6 million transportation industry workers. The other 4 projects
are smaller in scale, intended to provide access or other services to
limited groups of people.
3GAO, Electronic Government: Progress in Promoting Adoption of Smart Card
Technology, GAO-03-144 (Washington, D.C.: Jan. 3, 2003).
For example, the Department of Commerce's Geophysical Fluid Dynamics
Laboratory access card will be issued to about 612 employees, contractors,
and research collaborators. Further, in response to our survey, agencies
reported 8 additional smart card projects that were ongoing at the time of
our last review but not reported at that time.
Based on our survey of federal agencies, 10 additional smart card projects
have been initiated since our last review was completed. These projects
vary widely in size and scope. Included are small-scale projects,
involving cards issued to as few as 126 cardholders (such as a project in
the Department of Labor's Employment and Training Administration), and
large-scale agencywide initiatives, such as the Department of Veterans
Affairs (VA) Authentication and Authorization Infrastructure card, which
is to be issued to an estimated 500,000 employees and contractors. Four of
these agencies reported purchases under GSA's Smart Card Access Common ID
contracting vehicle, and others likewise have plans to use this contract.
Specifically, five agencies-including the Departments of Defense, Homeland
Security, the Interior, and Veterans Affairs, and the National Aeronautics
and Space Administration (NASA)-are planning to make an aggregated
purchase of up to 40 million cards over the next 4 years using the GSA
contract.
Nine agencies are developing and implementing integrated agencywide smart
card initiatives. These projects are intended to use one card to support
multiple functions, such as providing identification credentials,
accessing computer systems, and storing monetary values.
We received oral comments on a draft of this report from GSA's Associate
Administrator, Office of Governmentwide Policy, and from officials of the
Office of Management and Budget's (OMB) Office of Information and
Regulatory Affairs and its Office of General Counsel. Both GSA and OMB
generally agreed with the content in the draft report. Technical comments
provided by GSA and OMB have been addressed as appropriate.
Background Today, federal employees are issued a wide variety of
identification (ID) cards, which are used to access federal buildings and
facilities, sometimes solely on the basis of visual inspection by security
personnel. These cards often cannot be used for other important
identification purposes-such as gaining access to an agency's computer
systems-and many can be easily forged or stolen and altered to permit
access by unauthorized individuals. In general, the ease with which
traditional ID cards-including credit
cards-can be forged has contributed to increases in identity theft and
related security and financial problems for both individuals and
organizations. One means to address such problems is offered by the use of
smart cards.
Smart cards are plastic devices about the size of a credit card that
contain an embedded integrated circuit chip capable of both storing and
processing data.4 Figure 1 shows a typical example of a smart card. The
unique advantage of smart cards-as opposed to cards with simpler
technology, such as magnetic stripes or bar codes-is that smart cards can
exchange data with other systems and process information rather than
simply serving as static data repositories. By securely exchanging
information, a smart card can help authenticate the identity of the
individual possessing the card in a far more rigorous way than is possible
with simpler traditional ID cards. A smart card's processing power also
allows it to exchange and update many other kinds of information with a
variety of external systems, which can facilitate applications such as
financial transactions or other services that involve electronic
record-keeping.
4The term "smart card" may also be used to refer to cards with a computer
chip that only stores information without providing any processing
capability. Such cards, known as stored-value cards, are widely used for
services such as prepaid telephone service or satellite television
reception. This report includes information on federal use of stored-value
cards as well as smart ID cards.
Figure 1: A Typical Smart Card
Source: GSA.
Smart cards can also be used to significantly enhance the security of an
organization's computer systems by tightening controls over user access. A
user wishing to log on to a computer system or network with controlled
access must "prove" his or her identity to the system-a process called
authentication. Many systems authenticate users by merely requiring them
to enter secret passwords, which provide only modest security because they
can be easily compromised. Substantially better user authentication can be
achieved by supplementing passwords with smart cards. To gain access under
this scenario, a user is prompted to insert a smart card into a reader
attached to the computer as well as type in a password. This
authentication process is significantly harder to circumvent because an
intruder would need not only to guess a user's password but also to
possess the same user's smart card.
Even stronger authentication can be achieved by using smart cards in
conjunction with biometrics. Smart cards can be configured to store
biometric information (such as fingerprint templates or iris scans) in
electronic records that can be retrieved and compared with an individual's
live biometric scan as a means of verifying that person's identity in a
way that is difficult to circumvent. A system requiring users to present a
smart card, enter a password, and verify a biometric scan provides what
security experts call "three-factor" authentication, the three factors
being "something you possess" (the smart card), "something you know" (the
password), and "something you are" (the biometric). Systems employing
three-factor authentication are considered to provide a relatively high
level of security. The combination of smart cards and biometrics can
provide equally strong authentication for controlling access to physical
facilities.5
Smart cards can also be used in conjunction with public key infrastructure
(PKI) technology to better secure electronic messages and transactions.6 A
properly implemented and maintained PKI can offer several important
security services, including assurance that (1) the parties to an
electronic transaction are really who they claim to be, (2) the
information has not been altered or shared with any unauthorized entity,
and (3) neither party will be able to wrongfully deny taking part in the
transaction. Security experts generally agree that PKI technology is most
effective when deployed in conjunction with smart cards.
In addition to enhancing security, smart cards have the flexibility to
support a wide variety of uses not related to security. A typical smart
card in use today can store and process 16 to 32 kilobytes of data, while
newer cards can accommodate 64 kilobytes. The larger the card's electronic
memory, the more functions can be supported, such as tracking itineraries
for travelers, linking to immunization or other medical records, or
storing cash value for electronic purchases.
Smart cards are grouped into two major classes: contact cards and
"contactless" cards. Contact cards have gold-plated contacts that connect
directly with the read/write heads of a smart card reader when the card is
inserted into the device. Contactless cards contain an embedded antenna
and work when the card is waved within the magnetic field of a card reader
or terminal. Contactless cards are better suited for environments where
quick interaction between the card and the reader is required, such as
highvolume physical access. For example, the Washington Metropolitan Area
Transit Authority has deployed an automated fare collection system using
contactless smart cards as a way of speeding patrons' access to the
Washington, D.C., subway system. Smart cards can be configured to include
both contact and contactless capabilities, but two separate
5For more information about biometrics, see GAO, Technology Assessment:
Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov.
15, 2002).
6A public key infrastructure is a system of computers, software, and data
that relies on certain cryptographic techniques for some aspects of
security. For more information, see GAO, Information Security: Advances
and Remaining Challenges to Adoption of Public Key Infrastructure
Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001).
interfaces are needed because standards for the technologies are very
different.
Since the 1990s, the federal government has considered the use of smart
card technology as one option for electronically improving security over
buildings and computer systems. In 1996, GSA was tasked with taking the
lead in facilitating a coordinated interagency management approach for the
adoption of multiapplication smart cards across government. The tasking
came from OMB, which has statutory responsibility to develop and oversee
policies, principles, standards, and guidelines used by agencies for
ensuring the security of federal information and systems. To make it
easier for federal agencies to acquire commercial smart card products, GSA
developed the governmentwide Smart Card Access Common ID contracting
vehicle, which also specified adherence to the government smart card
interoperability specification that NIST developed in collaboration with
smart card vendors.
In 2003, OMB, in accordance with the President's vision of creating a more
responsive and cost-effective government, issued a memorandum to federal
chief information officers outlining details of the E-Authentication
E-Government initiative on authentication and identity management. OMB
also created the Federal Identity Credentialing Committee (FICC) to make
policy recommendations and develop the Federal Identity Credentialing
component of the Federal Enterprise Architecture, to include services such
as identity proofing and credential management for the federal government.
In February 2004, FICC issued policy guidance on the use of smart
card-based systems in badge, identification, and credentialing systems
with the objective of helping agencies plan, budget, establish, and
implement credentialing and identification systems for government
employees and their agents.
In our January 2003 report on smart cards, we made recommendations to OMB,
NIST, and GSA. Specifically, we recommended that
o the Director, OMB, issue governmentwide policy guidance regarding
adoption of smart cards for secure access to physical and logical assets;
o the Director, NIST, continue to improve and update the government smart
card interoperability specification by addressing governmentwide standards
for additional technologies-such as contactless cards, biometrics, and
optical stripe media-as well as integration with PKI; and
o the Administrator, GSA, improve the effectiveness of its promotion of
smart card technologies within the federal government by (1) developing an
internal implementation strategy with specific goals and milestones to
ensure that GSA's internal organizations support and implement smart card
systems consistently; (2) updating its governmentwide implementation
strategy and administrative guidance on implementing smart card systems to
address current security priorities; (3) establishing guidelines for
federal building security that address the role of smart card technology;
and (4) developing a process for conducting ongoing evaluations of the
implementation of smart card-based systems by federal agencies to ensure
that lessons learned and best practices are shared across government.
To date, all three agencies have taken actions to address the
recommendations made to them. In response to our recommendation, OMB
issued a July 3, 2003, memorandum to major departments and agencies
directing them to coordinate and consolidate investments related to
authentication and identity management, including the implementation of
smart card technology. NIST has responded by improving and updating the
government smart card interoperability specification to address additional
technologies, including contactless cards and biometrics.7 GSA responded
to our recommendations by updating its "Smart Card Policy and
Administrative Guidance" to better address security priorities, including
minimum security standards for federal facilities, computer systems, and
data across the government. However, three of our four recommendations to
GSA are still outstanding. GSA officials stated that they are working to
address the recommendations to develop an internal GSA smart card
implementation strategy, develop a process for conducting evaluations of
smart card implementations, and share lessons learned and best practices
across government. The responsibility for one recommendation- establishing
guidelines for federal building security that address the role of smart
card technology-was transferred to DHS.
7NIST, Government Smart Card Interoperability Specification, Version 2.1,
Interagency Report 6887 (July 2003).
Status of Previously Ongoing Smart Card Efforts
In January 2003, we reported that 18 federal agencies were planning,
testing, operating, or completing 62 smart card projects. These projects
varied widely in size and technical complexity, ranging from small-scale,
limited-duration pilot projects to large-scale, agencywide initiatives
providing multiple services. The projects were reported in varying stages
of deployment. Specifically, 17 projects were listed as operational, 13
projects were in the planning stage, and 7 were being piloted. In
addition, 10 were reported at that time as having been completed8 or
discontinued for various reasons. No information was provided about the
project phase of the remaining 15 initiatives.
In responding to our survey regarding the 52 projects listed as ongoing in
our previous report, agencies reported that as of June 2004, 28 had been
terminated. Of the remaining projects, 11 were operational, 5 were in the
planning or pilot phase, and agencies did not provide current information
on 8. The operational and planned projects consist mostly of large-scale
projects intended to provide identity credentials to an entire agency's
employees or other large groups of individuals. Figure 2 shows the current
status of the 52 federal smart card projects that were previously reported
as continuing. Table 1 provides summary information on the status of
individual projects, providing reasons for any terminations.
8"Completed" projects involved applications that were never intended to be
permanent, such as smart cards to be used at the 2001 Presidential
transition.
Figure 2: Distribution by Project Phase of 52 Federal Projects Previously
Reported as Ongoing
Number of projects
28
d
Terminateal n
gPlannin
Pilot
owUnkn
perationO
Project phases
Source: GAO.
Table 1: Summary Information on 52 Projects Reported as Ongoing as of January
2003
Previously Federal Number of reported Current agency projects status
status Comments
Agriculture 1 1 operational 1 terminated The Farm Service Agency
terminated the Peanut Smart Card project after the 2002 Farm Bill ended
the Peanut Program.
Commerce 5 1 planned 1 terminated NIST terminated its Network Security and
Access Control project after
determining that the technology did not
meet its needs and that the
project was too costly.
1 terminated The Patent and Trademark Office
1 pilot terminated its Patent Work at Home
program because of legal and union
issues.
3 of unknown 1 unknown Commerce did not provide current information on the
previously status a reported Bureau of Industry & Security project.
2 operational The U.S. Census Bureau Travel Management Information System
and the National Oceanic and Atmospheric Administration Geophysical Fluid
Dynamics Laboratory Remote Access projects are now fully operational.
Defense 20 1 planned 1 terminated The Naval Academy Campus pilot did
not advance past the discussion
stage. No funding was provided to
support implementation.
3 terminated Of the 3 pilot projects, the Common
3 pilot Access Card (CAC) absorbed 2, and
1 was terminated because the project
achieved its objectives in the pilot
phase.
10 The CAC and Eagle Cash card continue
2 operational as operational programs.
operational
6 of unknown 14 Of 14 terminated projects, 5 were absorbed by CAC, 3 were
absorbed by
status a terminated EZPay (a previously unreported project), 1 was
terminated because it did not receive funding for a planned upgrade, and 2
were terminated because there was no funding or sustainment support
available for implementation. The last 3 were reported to be CAC
applications rather than separate smart card programs.
DHS 1 1 planned 1 pilot The Transportation Worker
Identification Credential program was
transferred from the Department of
Transportation to DHS as part of the
Transportation Security Administration.
Education 1 1 terminated The Financial Student Aid Campus card
1 planned project was terminated because
it was incompatible with an existing
proximity card system installed in
Education's headquarters buildings.
Energy 1 1 operational 1 unknown A project was previously reported on the
use of smart cards to permit physical access to restricted areas by
employees working to clean up and shut down the Rocky Flats Technology
site. However, Energy officials did not provide current information about
this project.
General 1 1 operational 1 terminated GSA's smart card for physical and
logical access was terminated and
Services replaced by GSA's new nationwide ID effort.
Administration
Housing and 1 1 pilot 1 unknown Department officials did not provide
current information about this
Urban previously reported pilot project.
Development
(Continued From Previous Page)
Previously
Federal Number of reported Current
agency projects status status Comments
The Incident Qualification and
Interior 4 Certification System
1 planned 1 operational (previously reported
as the Firefighters Training
Card) is now operational.
The Bureau of Land Management
2 pilot 1 operational previously piloted the
E-Authentication project. This
initiative is now operational
but not fully
deployed.
The Minerals Management
Service is planning a smart
1 planning card project to
provide credentials for
physical and logical access.
1 of unknown 1 unknown No current information was provided for a project
that was previously status a reported at the Fish and Wildlife Service.
Justice 5 2 planned 1 pilot/testing The FBI is piloting the PKI portion of
itsTrilogy program, to provide
1 unknown b logical access. This program is a
36-month effort to enhance
effectiveness through technologies
that facilitate better organization,
access, and analysis of information.
Department officials did not provide
current information about the other
previously reported project.
3 of unknown 3 unknown Justice did not provide current information on
these previously reported status a projects.
Labor 1 1 operational 1 operational The Bureau of Labor Statistics is
operating the Internal PKI Infrastructure project to provide logical
access to computer systems.
NASA is testing a project to use
NASA 1 1 planned 1 planning/ PKI certificates to authenticate
and
grant employees and contractors
testing physical and logical access at
its
facilities.
National 1 1 terminated The planned project was
1 planned terminated for lack of funding.
Science
Foundation
The planned Property
1 1 terminated Accountability and Pass Project
Social Security 1 planned did not proceed
Administration beyond the concept stage.
State 1 1 operational 1 operational State employees use smart cards, which
include PKI certificates, for physical and logical access.
Transportation 2 2 planned 1 operational The Volpe Security Upgrade
Project provides physical access for employees and contractors.
1 planning The Federal Aviation Administration Identification Media System
project is in the planning phase.
Treasury 2 1 planned 1 operational The Electronic Treasury Enterprise Card
is now operational.
1 operational 1 operational The Internal Revenue Service is using smart
cards to provide secure dial-in access to its local area network.
Veterans 3 1 operational 1 terminated VA terminated the One VA Express
registration project because
Affairs registration data could be obtained using existing network-centric
enterprise information systems.
2 of unknown 2 terminated The VA Bronx and VA Tampa Stored Value/ID
projects were terminated
status a because of low volumes of activity, as well as operational and
technical challenges.
Source: GAO analysis of data reported by federal agencies.
aDeployment status information was not provided.
Agencies reported that the majority (28) of the above projects had been
terminated since our last review was conducted. According to agency
officials, reasons for termination were primarily that the projects were
absorbed into other smart card projects or were deemed no longer feasible.
For example, DOD terminated 14 of 26 previously reported projects by
substituting functionality provided by two large-scale smart card
projects, the Common Access Card (CAC) and the EZPay (a project that was
not previously reported). DOD's CAC card is to be used to authenticate the
identity of nearly 3.5 million military and civilian personnel and to
improve security over online systems and transactions. The EZPay program
is a stored-value card given to recruits at training installations to
accelerate the processing time and thus maximize training time.
Table 2 provides further details on the remaining 16 ongoing projects. As
the table shows, 12 of these are large-scale projects. Agencywide smart
card projects are ongoing at NASA and the Departments of Defense, the
Interior, State, and the Treasury.
These and other large projects will serve populations ranging up to 6
million. The cards will be used for identity credentials, physical access
to buildings, logical access to computer systems, and stored value. The
remaining 4 projects are used for similar purposes. However, they are
smaller in scale, serving populations ranging from 612 to 3,100
individuals. For example, the Interior's Minerals Management Service is
planning a smart card program for use as identity credentials, and
physical and logical access for about 2,100 employees.
Table 2: Detailed Status of 16 Previously Reported Projects That Remain
Active as of June 2004
Number Population Federal Number of of cards to be agency projects Status
Sizea issuedb served Description
Commerce 2 1 operational Large 5,313 As needed The U.S. Census Bureau's
Travel Management Information System Plus is an administrative travel
application that provides users with the capability to process
transactions using electronic technology.
1 operational Small 204 612 National Oceanic and Atmospheric
Administration's Geophysical Fluid Dynamics Laboratory has remote access
cards to facilitate login to computer systems.
Defense 2 1 operational Large 2,750,859 3,457,975 The CAC is an agencywide
standard identification card for DOD. This is the principal card used to
enable physical access to buildings, installations, and controlled spaces;
it will also be used to enable information technology systems and
applications that access the department's computer networks.
1 operational Large 46,105 15,000 The Department of the Army's EagleCash
card is a
stored-value card that replaces U.S.
per year currency,
minimizes counterfeiting, and improves
financial
controls and administration at
deployed overseas
military bases.
DHS 1 1 pilot Large 0 6 million The Transportation Security
Administration's Transportation Worker Identification Credential (TWIC) c
is to be issued to each worker requiring unescorted physical or logical
access to secure areas of the nation's transportation facilities
(including maritime, aviation, transit, rail, and other surface modes).
Interior 3 1 planning Small 0 2,100 The Minerals Management Service is
planning a program to provide smart cards for identity credentials and for
physical and logical access.
1 operational Large 0 70,000 The Incident Qualification and Certification
System (IQCS)-previously reported as the Firefighters Training Card-is an
interagency application within the fire management community, including
the National Park Service, Bureau of Land Management, Fish and Wildlife
Service, Bureau of Indian Affairs, and the U.S. Forest Service. IQCS cards
will be used during incidents (such as wildland fires) for identification,
basic personal information used to track personnel on the incident, and
individual qualifications. The Bureau of Land Management is the managing
partner for this project.
(Continued From Previous Page)
Number Population Federal Number of of cards to be agency projects Status
Sizea issuedb served Description
1 operational Large 7,100 90,000 The Bureau of Land Management is the lead
agency for the agencywide E-Authentication project, which is intended to
provide identification, physical, and logical access for Interior
employees. Interior plans to implement this project agencywide by fiscal
year 2005.
Justice 1 1 pilot Large 31 50,000 The FBI is piloting the PKI
portion of its Trilogy
Program, for logical access.
Labor 1 Small 768 The Bureau of Labor Statistics
1 operational 3,100 has partially
implemented an Internal PKI
Infrastructure project for
accessing computer systems.
NASA 1 0 The One NASA Smart Card Badge
1 planning/ Large 85,000 Project is
testing agencywide and is being designed
to provide cards
for identity, physical access,
and login to computer
systems.
State 1 1 operational Large 25,000 25,000 The Domestic Smart Card Access
Control project is a joint effort with the department's PKI effort. This
project is agencywide and is responsible for badge creation and physical
access tokens.
Transportation 2 1 operational Small 1,200 1,200 The Volpe Security
Upgrade Project is partially operational and developed for physical
access. Smart cards are issued to federal employees and contractors.
1 planning Large 0 98,853 The Federal Aviation Administration
Identification Media System project is planned to provide cards for
identity credentials and for physical and logical access. The Federal
Aviation Administration plans to issue the cards to both federal employees
and contractors.
Treasury 2 1 operational Large 2,500 7,500 The Electronic Treasury
Enterprise Card is currently in proof of concept operation at the Treasury
Headquarters and the Bureau of Engraving and Printing. Agencywide
deployment is planned to occur pending funding approval.
1 operational Large 30,528 75,000 The Internal Revenue Service is
operating agencywide Secure Dial In cards for logical access.
Source: GAO analysis of data reported by federal agencies.
aCategorized by the population served. Small projects have issued fewer
than 5,000 cards. Large-scale projects had 5,000 or more cards issued.
bIn our survey, we asked agencies to report the number of cards issued as
of December 31, 2003.
cAt the time of our previous report, the TWIC was listed as a Department
of Transportation project.
In response to our survey, agency officials reported 8 additional smart
card projects that were ongoing at the time of our last review but not
previously reported.9 Four of the 8 projects were planned for multiple
applications such as identity credentials and physical and logical access.
The remaining 4 projects were planned for single applications such as
stored value, logical access to computer systems and networks, or
processing travel documents. Figure 3 shows the number of these projects
by the type of applications planned and the stage of reported deployment.
Table 3 provides more detailed status information on these projects.
Figure 3: Deployment Phases for 8 Projects That Were Not Previously
Reported Number of projects
4
3
3
2
1
0 Planning Operational
Project phases
Single applications
Multiple applications
Source: GAO.
9The information in our previous report was based primarily on data
collected by OMB and GSA. In contrast, for the current review, we
conducted an independent survey of 24 major federal departments and
agencies.
Table 3: Status of 8 Ongoing Smart Card Projects That Were Not Previously
Reported
Number Population Federal of Cards to be agency projects Status issued a
served Project description
Defense 2 1 operational 16,724 350,000 The Navy Cash System is a joint
Treasury/Navy program and manages personal funds for Navy and Marine Corps
deployed members. It is a "cashless" ATM system on Navy ships that allows
members access to home banks or credit unions when deployed. The
application supported is stored value.
1 operational 578,197 300,000 The EZPay program provides cards at all
U.S. Army and Air
Force basic training installations to
per year accelerate recruit processing
and maximize training time. This initiative
is a partnership
involving the Defense Finance and
Accounting Service, the
Treasury, and the Army. The application
supported is stored
value.
Environmental 1 1 planning 0 1,820 The Region 2 EPA Access Card is an
identity credential and
Protection physical access card initiative.
The project is integrated with
Agency (EPA) GSA's smart card project at the New
York Federal Civic Center.
Health and 2 18 2,950 The Food and Drug Administration's
1 operational Office of Regulatory Affairs
Human is implementing a Trust Service and
Identity Management with
Services Level 4 Assurance Project to
provide identity credentials for
physical and logical access. The purpose of this project is to establish a
trust framework that can be combined with infrastructure security services
to provide confidentiality, integrity, authentication through digital
signatures, and nonrepudiation of electronic transactions.
1 operational 133 150 The Centers for Disease Control and Prevention is
implementing a September Compliance Project that uses smart cards.
Planning for this identity credential and physical access application
began in April 2002.
DHS 1 1 planned 0 Not provided DHS has established the United States
Visitor and Immigrant Status Indicator Technology (US VISIT) project to
collect, maintain, and share information, including biometric identifiers,
on selected foreign nationals who travel to the United States. The
smart-card phase of the US-VISIT project is currently in planning.
The Virtual Private
Social Security 1 1 operational 15,490 As needed Network Smart Card became
fully
operational in November
Administration 2000. The purpose of this
smart card is
to provide remote access
to designated computer
network users.
The agency intends to
purchase additional cards
as needed.
Transportation 1 1 planning 1 Not provided The National Highway Traffic
Safety Administration Smart Card Project is in the planning phase. The
purpose is to provide identity credentials, physical and logical access,
and asset management applications. Additional cards are to be issued when
the project becomes operational.
Source: GAO analysis of data reported by federal agencies.
aAs of December 31, 2003.
Agencies across the In response to our survey, agencies reported 10 smart
card projects that
were initiated since our last review was completed. Based on
theseGovernment Continue reported projects, more agencies are using GSA's
Smart Card Access to Invest in Smart Card Common ID contracting vehicle to
acquire smart card technology.
Projects
Federal Investments in The 10 new projects identified in response to our
survey vary in size, scope,
Smart Card Projects and stage of deployment: planning, pilot, and
operational. All of the projects are planned for multiple applications
such as identity credentials and physical and logical access. Figure 4
shows the number of these projects by the type of application planned and
the stage of reported deployment.
Figure 4: Deployment Phases for 10 Recently Initiated Projects
Number of projects (multiple applications) 5
4
4
3
2
1
0
Project phases
Source: GAO.
Planning Pilot Operational
These 10 projects vary widely in size, including small-scale projects-
involving smart cards issued to as few as 126 cardholders-as well as much
larger scale initiatives. For example, Department of Labor officials
reported that the Employment and Training Administration physical access
control smart card was issued to 126 federal employees and contractors as
of December 2003. This card is operational and will be issued to 175
cardholders when fully deployed; it is used for identity credentials and
physical access to buildings and other facilities. In contrast, VA plans
to issue an estimated 500,000 smart cards to employees and contractors
under its Authentication and Authorization Infrastructure Project. Through
this initiative, smart cards will be used for identity credentials,
accessing buildings or other facilities, and accessing computer systems.
Production began in July 2004.
Another example of a large-scale project is GSA's Nationwide ID card. GSA
plans to issue cards to 61,000 federal employees, contractors, and tenant
agencies. Using this card, GSA plans to implement nationwide uniform
credentials based on smart card technology by providing a single standard
credential card for identification, building access, property management,
and other applications. Table 4 provides status information on the 10
recently initiated smart card projects.
Table 4: Status of 10 Recently Initiated Smart Card Projects
Number of Cards Population
Federal projects issued a to be
agency Status served Project description
Commerce 1 10,700 The U.S. Patent and
1 planning 2,626 Trademark Office has established an
Internal PKI/Smart Card Project.
Applications supported are
identity credentials and physical
and logical access.
61,000 GSA is implementing
General 1 1 operational 40,000 nationwide uniform credentials based
on
Services smart card technology, so that every
GSA associate,
Administration contractor, and visitor will be able
to use a single standard
credential card for identification,
building access, property
management, and other applications.
Health and 1 1 operational 30 100 The Food and Drug Administration is
implementing Select
Human Agent Labs that will be equipped with
biometric readers that will
Services use smart cards. The planning phase began in
October 2003.
Applications supported are identity
credentials and physical
access.
(Continued From Previous Page)
Number of Cards Population
Federal projects issued a to be agency Status served Project description
DHS 3 1 pilot 0 Not provided The Transportation Security Administration's
Registered Traveler Program is intended to improve the security screening
process at airports by identifying approved travelers that will be allowed
to go through expedited security screening.
1 planning 0 Not provided The Transportation Security Administration's
Armed Law Enforcement Officer verification smart card program will test
the use of biometric technology to verify the identity of armed law
enforcement officers boarding commercial airplanes. Project applications
planned are identity credentials and physical access.
1 pilot 600 250,000 The DHS Identification and Credentialing Program is
intended to serve as a comprehensive identification and credentialing
program for the entire department when it is fully deployed. Applications
supported include identity credentials, physical and logical access, asset
management, and stored value.
Labor 2 1 planning 0 900 The E-Authentication Smart Card pilot began in
February 2004. The goal is to provide credentials that employees can use
to electronically access departmental resources in a manner that is
compatible with the federal government's E-Authentication Gateway.
Applications supported are identity credentials and physical and logical
access. Full implementation across the department is planned for fiscal
year 2007.
1 operational 126 175 The Office of Technology Physical Access Control
project addresses the Employment and Training Administration's security
requirements for access control to its facilities and sensitive areas.
Applications supported are identity credentials and physical access.
State 1 1 operational 0 72,000 The Global Look ID project, a joint effort
with the State Department's Domestic Smart Card Access Control project, is
designed to support badge creation. Applications supported are identity
credentials, physical and logical access, e-mail, and Web-based access
controls.
Veterans 1 1 pilot 250 500,000 The Authentication and Authorization
Infrastructure Project is
Affairs intended to provide the capability to authenticate
users and
systems with certainty and grant them access to
information
systems necessary to perform business functions.
Source: GAO analysis of data reported by federal agencies.
aAs of December 31, 2003.
Agencies' Reported Use of GSA developed the Smart Card Access Common ID
contracting vehicle to
GSA's Contracting Vehicle help make it easier for federal agencies to
acquire commercial smart card products and services. According to the
director of GSA's Center for Smart Card Solutions, further guidance is
planned that will require agencies to
use the contracting vehicle or provide justification for not using it. The
Director also stated that using GSA's contract should help reduce the cost
of smart cards and ensure that vendors incorporate interoperability
specifications. Between December 2004 and December 2008, five
agencies-including NASA and the Departments of Defense, Homeland Security,
the Interior, and Veterans Affairs-are planning to make an aggregated
purchase of up to 40 million cards through the GSA contract. As a part of
this purchase, these agencies are scheduled to begin making quarterly
procurements beginning in December 2004 of approximately 1.2 million
cards.
In response to our survey, the majority of the agencies (4 of 7) that
reported new initiatives told us that they purchased smart cards under the
GSA contract. The remaining agencies cited reasons for not acquiring smart
cards under the GSA contract, such as purchase arrangements with another
agency or purchases under other types of contracts.
Implementation of Agencywide Smart Card Initiatives
Agencies continue to move towards integrated agencywide initiatives that
use smart cards as identity credentials that agency employees can use to
gain both physical access to facilities, such as buildings, and logical
access to computer systems and networks. In some cases, additional
functions, such as asset management and stored value, are also being
included. Nine agencies reported such projects: 4 of these were reported
in our prior report, and 5 are recently initiated efforts. These projects
are in various stages of deployment.
One of the largest agencywide efforts is DHS's identification and
credentialing project. The agency plans to issue 250,000 cards to
employees and contractors. This is a comprehensive identification and
credentialing effort that will use PKI technology for logical access and
proximity chips for physical access. Authentication will rely on
biometrics with a personal identification number as a backup. Other
recently initiated agencywide smart card projects include GSA's Nationwide
Identification, VA's Authentication and Authorization Infrastructure
Project, and the Department of Labor's E-Authentication project. Table 5
summarizes both previously reported and recently initiated agencywide
smart card efforts.
Table 5: Agencywide Smart Card Projects
Reported Estimated
Federal Project name status completion Applications
agency supported
Defense Common Access Card
(CAC) Operational Apr. 2004 Identity credential
Physical access
Logical access
Homeland Security Identification and Credentialing Program Pilot
- Identity credential Physical access Logical access Asset management
Stored Value
General Services Nationwide Identification Operational Dec. 2004 Identity
credential Administration Physical access
Interior E-Authentication Operational Jan. 2006 Identity credential
Physical access Logical access E-signature
Labor E-Authentication Planning Apr. 2005 Identity
credential
Physical access
Logical access
NASA Identity
One NASA Smart Card Badge Planning/pilot Sept. 2004 credential
Physical access
Logical access
State Global Look ID Operational Sept. 2006 Identity credential Physical
access Logical access E-mail (signature & encryption)
Treasury Electronic Treasury Enterprise Card Operational Sept.
2004 Identity credential Physical access Logical access Asset management
Veterans Affairs Authentication and Authorization Pilot Sept. 2007
Identity credential Infrastructure Project Physical access Logical access
Source: GAO analysis of data reported by federal agencies.
Summary Agencies across the government continue to invest in smart card
projects with plans to issue millions of new cards to employees and other
personnel. These projects are intended to provide a range of benefits and
services, ranging from verifying the identity of people accessing
buildings and computer systems to managing assets and storing monetary
value. Agencies are also moving toward integrated agencywide credentialing
projects, with several agencies planning to consolidate their smart card
purchases through GSA's Smart Card Access Common ID contract.
Agency Comments and We received oral comments on a draft of this report
from GSA's Associate Administrator, Office of Governmentwide Policy, and
from officials of
Our Evaluation OMB's Office of Information and Regulatory Affairs and its
Office of General Counsel. Both GSA and OMB generally agreed with the
content in the draft report. In addition, each agency provided technical
comments, which have been addressed where appropriate in the final report.
We will provide copies of this report to the Director of OMB and the
Administrator of GSA, and the report will be available at no charge on the
GAO Web site at http://www.gao.gov.
Should you have any questions on matters contained in this report, please
contact me at (202) 512-6240 or John de Ferrari, Assistant Director, at
(202) 512-6335. We can also be reached by e-mail at [email protected] and
[email protected], respectively. Other key contributors to this report
were Tonia Brown, Barbara Collier, Felipe Colon, Pamlutricia Greenleaf,
and Joel Grossman.
Sincerely yours,
Linda D. Koontz Director, Information Management Issues
Appendix I
Objectives, Scope, and Methodology
Our objectives were to (1) determine the current status of smart card
projects under way at the time of our last review, (2) identify and
determine the status of projects initiated since our last review was
completed, and (3) identify integrated agencywide smart card projects that
are currently under way.
To address these objectives, we developed a questionnaire and surveyed 24
federal agencies. These included agencies that are subject to the
provisions of the Chief Financial Officers Act as well as the Department
of Homeland Security. The survey included the 18 agencies pursuing smart
card projects that were identified in our previous report.
The practical difficulties of conducting any survey may introduce errors.
For example, differences in how a particular question is interpreted, the
sources of information available to respondents, or the types of people
who do not respond can introduce unwanted variability into the survey
results. We included steps in both the data collection and data analysis
stages for the purpose of minimizing such errors.
We analyzed information obtained through the survey to develop summary
results and identify trends. To ensure the reliability of the information
reported through the survey, we obtained available supporting
documentation-such as project plans and descriptions-to verify (1)
reported planning and implementation dates and (2) the numbers of smart
cards issued as of December 31, 2003, or planned for issuance. As needed,
we conducted follow-up interviews with agency officials responding to the
survey to further ensure that the information provided was current and
accurate. In addition, we contacted GSA officials to discuss agencies' use
of the Smart Card Access Common ID contract and other governmentwide
implementation issues.
We performed our work in Washington, D.C., and Atlanta, Georgia, between
November 2003 and July 2004, in accordance with generally accepted
government auditing standards.
GAO's Mission The Government Accountability Office, the audit, evaluation
and investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of The fastest and easiest way to obtain copies of GAO
documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO postsGAO
Reports and newly released reports, testimony, and correspondence on its
Web site. To Testimony have GAO e-mail you a list of newly posted products
every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Contact:
Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected] Programs Automated answering system: (800)
424-5454 or (202) 512-7470
Congressional Gloria Jarmon, Managing Director, [email protected] (202)
512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125
Relations Washington, D.C. 20548
Public Affairs Jeff Nelligan, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
Presorted Standard
Postage & Fees Paid
GAO
Permit No. GI00
United States
Government Accountability Office
Washington, D.C. 20548-0001
Official Business
Penalty for Private Use $300
Address Service Requested
*** End of document. ***