Managing Smart Cards

ith dozens of smart card projects under way in the past year alone and millions of cards already in use, it's clear that the federal government sees great benefit to the technology. Not only do smart cards provide secure access to computer networks and buildings, they also can be used for a host of other purposes, including procurement and identification. And because the cards contain embedded microchips, they are very secure, offering tamper-resistant protection in a variety of circumstances.

But along with the benefits come challenges. Even the Defense Department's highly touted Common Access Card program, considered the pioneer of smart card technology in government, has had its share of problems.

Defense recently acknowledged that it did not meet its goal of deploying the last of its 4 million smart cards by October 2003. Instead, officials pushed the date back to April 2004, citing "unforeseen delays."

Mary Dixon, director of Defense's Access Card Office, says unanticipated military operations in Iraq and Afghanistan caused the armed services to deploy more reserve troops than anyone could have foreseen, and that contributed to delays. "There were so many being mobilized that we couldn't get through the [smart card issuance] process fast enough," she says. Early problems in "scaling up" the smart card system so it could be widely implemented also contributed to delays, she says. In retrospect, Dixon says the team could have performed more comprehensive testing to make sure the system could be expanded. She says such problems have been addressed and shouldn't reoccur.

The lessons that Defense learned so painfully should help other agencies, says Bob Donelson, senior property manager at the Interior Department's Bureau of Land Management and chairman of the National Institute of Standards and Technology's Interoperability Advisory Board. Donelson says his team at BLM has learned a great deal from Defense's experience with the Common Access Card. "We looked at DoD heavily when we were developing our cards," he says. "We found areas to leverage what they did, and we found areas to improve upon, such as the cost model. And I can imagine that someone who looks at our implementation model would be able to improve upon it further as well."

Learning lessons from other government smart card implementations, many agree, is the best way to address the numerous challenges that can occur during deployment. Problems in both the management and technical arenas can slow or halt a project in its tracks if not addressed effectively. Management issues, which often must be tackled before considering technical challenges, include educating those involved with buying and choosing smart cards, gaining executive buy-in, setting realistic expectations, establishing schedules, and ensuring that ongoing issues are resolved quickly and reasonably.

Setting the right expectations and managing them are vital to the success of any smart card project, Donelson says. Deployment teams, he says, must show all potential users the benefits of smart cards in concrete terms. After that, the team should keep users apprised of new applications as they develop, he advises. Making sure the smart card team includes stakeholders from every part of the organization helps manage expectations and ensures acceptance and support at all levels. "We need people in all of those camps to become diplomats," Donelson says.

Along with managing expectations comes the need for constant communication-something that's especially important in complex projects where the scope or requirements can change quickly and unexpectedly.

A good technology rollout starts with a comprehensive project plan with realistic time lines and a readiness to be flexible in implementation, says Randy Vanderhoof, acting president and CEO of the Princeton Junction, N.J.-based Smart Card Alliance. "If there isn't good monitoring of progress or sufficient room in the schedule to adjust for changes as the program rolls out, it can cause real problems," he says.

Communication must extend all the way through to a project's completion and even beyond, says Kristine Conrath, director of emerging technologies in the Treasury Department's Financial Management Service, which has issued more than 1 million smart cards. Although it took several years to learn this lesson, the FMS team now performs thorough evaluations after each implementation, consisting of site surveys, audits and weekly conference calls. "It results in a smoother rollout, where people aren't stressed and the customer feels more comfortable that things are on track. That makes them want to use the card, so they communicate to others that they like it," Conrath says.

TECHNICAL DIFFICULTIES

In their own way, technical challenges can be just as daunting as management challenges. Common technical difficulties include resolving interoperability and integration issues, deciding whether to put several application technologies on the same card, and determining how deeply to involve those who control physical access to facilities in the process.

For many agencies, especially early adopters, interoperability has been the thorniest issue. Using smart cards, software and card readers manufactured by different vendors can be difficult. But many agencies don't want to be tied to one vendor throughout the life of a project. "When we started this program, it was considered a vertical implementation, where one vendor would provide the smart cards, the reader and the middleware, and everything would work together," Dixon says. "We knew we needed the ability to use multiple vendors, and the only way we could do that was by ensuring that the products would be interoperable." To accomplish its goal, Defense relied on NIST's interoperability specifications, developed by the agency's Interagency Advisory Board. Since the specifications were developed in 2000, interoperability has been less of an issue.

Deciding whether to put more than one application technology on a card also can be perplexing. For example, while FMS' smart card is used mainly to store funds for the purchase of goods and services, some cards have an additional, nonfinancial application that uses magnetic stripe technology. To make the dual-use card as glitch-free as possible, the team vowed to make sure that all processes were clearly defined and documented and that lines of ownership for each application were clear, Conrath says.

The Defense Department has an even more complicated scenario, with five different applications residing on the current version of the Common Access Card, using technology that includes a two-dimensional bar code, a linear bar code, a magnetic stripe and a microchip.

"If any one of those media fails, we have to issue a new card. It's not too bad if it's the chip, but if your magstripe doesn't last as long as it should, that's a lot of money to pay for a magstripe card," Dixon says. "It's just too many points of failure."

Looking back, Dixon says it probably would have been better to eliminate some of the media on the smart card, if possible.

Another common mistake is failing to include those responsible for physical access to buildings in original smart card planning sessions, says Gordon Hannah, manager of secure access and identity management for BearingPoint in McLean, Va. "You want the physical access community to embrace this credential so they will honor it to get into a building, while you may be using it for other things like property control, network access and secure signing of documents," Hannah says.