INs and OUTs

Northrop Grumman Corp.'s Center for Smart Security Solutions in Reston, Va., shows off all manner of gadgets to create impregnable building security systems. An eye scanner protects the main entrance. Once inside, visitors are greeted by a camera that captures images of their faces, measures the dimensions and checks for resemblances to "friends" or "enemies" in photo archives. Scattered about the rest of the room are devices for monitoring entrances and exits, running background checks, guiding emergency responders and granting the right people access to sensitive computer networks.

The Northrop Grumman center provides a glimpse of how civil servants might gain entry to their offices and log on to their computers in the not-too-distant future. In the showroom, more than 60 companies display access control, surveillance, smart card, biometric and other technology.

It's all ready for sale to agencies eager to comply with a recent presidential order to adopt uniform, governmentwide standards for identifying employees and contractors, and granting them access to federal buildings.

The directive, signed in August 2004, required the Commerce secretary-in consultation with the Defense and Homeland Security department secretaries, the attorney general, and the Office of Management and Budget director-to set common credentialing criteria. Commerce published technical standards for identity cards in February, and the White House has asked agencies to figure out how they will comply by June. By October, agencies must design systems that verify new employees' and contractors' identities. A year after that, they will have to ensure their cards are compatible with those used elsewhere in government.

The smart cards are intended to replace the hodgepodge of access systems agencies have initiated or adopted so far. The Government Accountability Office found that by June 2004, more than half of 52 smart card projects in place in early 2003 had been discontinued because they were eaten up by larger projects or "were deemed no longer feasible." Of 24 projects remaining, 12 were "intended to provide identity credentials to an entire agency's employees or other large group of individuals."

Agencies that haven't launched smart card projects can shop on GSA's supply schedules for the technology to comply with the directive or they can turn to technology integrators such as Northrop Grumman, which offers to knit together all the hardware and software necessary to issue smart cards.

The cards can store up to 15 passwords and can be programmed to limit employees' access based on their jobs and levels of security clearance, for example. Employees can use them to send encrypted e-mail messages and affix electronic signatures. Users must provide a fingerprint or other biometric identifier, or a six- to eight-digit personal identification number, to employ their cards.

John Gist, program manager for identity solutions at Northrop, acknowledges that the move to smart card systems is challenging. So far, the company hasn't been able to transfer its employees onto a single system.

The obstacles Northrop faces are similar to those a large agency might encounter: employees scattered across multiple locations and a partly unionized workforce. Unions object to the cards as invasions of workers' privacy because the technology could be used to track time of entry, time of exit, duration of breaks and other personal information incidental to security.

What's more, because the presidential directive came out in late August, agencies didn't have a chance to incorporate it into their budget requests for fiscal 2006, Gist says. They will have to cover the costs of complying with funds from existing accounts until the next budget cycle, when they can request new money. The good news, says Gist, is the directive is a "top down" mandate that addresses a problem that needs fixing, so agencies are likely to comply.