Electronic Government
Federal Agencies Continue to Invest in Smart Card Technology Gao ID: GAO-04-948 September 8, 2004Smart cards--plastic devices about the size of a credit card--use integrated circuit chips to store and process data, much like a computer. Among other uses, these devices can provide security for physical assets and information by helping to verify the identity of people accessing buildings and computer systems. They can also support functions such as tracking immunization records or storing cash value for electronic purchases. Government adoption of smart card technology is being facilitated by the General Services Administration (GSA), which has implemented a governmentwide Smart Card Access Common ID contract, which federal agencies can use to procure smart card products and services. GAO was asked to update information that it reported in January 2003 on the progress made by the federal government in promoting smart card technology. Specific objectives were to (1) determine the current status of smart card projects identified in GAO's last review, (2) identify and determine the status of projects initiated since the last review, and (3) identify integrated agencywide smart card projects currently under way. To accomplish these objectives, GAO surveyed the 24 major federal agencies. In commenting on a draft of this report, officials from GSA and the Office of Management and Budget generally agreed with its content.
According to GAO's survey results, as of June 2004, more than half of the smart card projects previously reported as ongoing (28 out of 52) had been discontinued because they were absorbed into other smart card projects or were deemed no longer feasible. Of the remaining 24 projects, 16 are in planning, pilot, or operational phases and are intended to support a variety of uses (agencies did not provide current information for 8 projects). Twelve of the 16 projects are large-scale projects intended to provide identity credentials to an entire agency's employees or other large group of individuals. For example, the Department of Defense's (DOD) Common Access Card is to be issued to an estimated 3.5 million DOD-related personnel, and the Transportation Security Administration's Transportation Worker Identification Credential is to be used by an estimated 6 million transportation industry workers. The other 4 projects are smaller in scale, and are intended to provide access or other services to limited groups of people. For example, the Department of Commerce's Geophysical Fluid Dynamics Laboratory Access Card is to be issued to about 612 employees, contractors, and research collaborators. Further, in response to the survey, agencies reported 8 additional smart card projects that were ongoing at the time of the last review. These projects include 4 planned for multiple applications (such as identity credentials and access) and 4 for single applications, including stored value, access to computer systems, and processing travel documents. Based on GAO's survey of federal agencies, 10 additional smart card projects have been initiated since the last review. These projects vary widely in size and scope. Included are small-scale projects, involving cards issued to as few as 126 cardholders (such as a project in the Department of Labor's Employment and Training Administration), and large-scale agencywide initiatives, such as the Department of Veterans Affairs Authentication and Authorization Infrastructure card, which is to be issued to an estimated 500,000 employees and contractors. Four agencies reported purchases under GSA's Smart Card Access Common ID contracting vehicle, and others likewise have plans to use this contract. Specifically, five agencies--the Departments of Defense, Homeland Security, the Interior, and Veterans Affairs, and the National Aeronautics and Space Administration--are planning to make an aggregated purchase of up to 40 million cards over the next 4 years using the GSA contract. Finally, nine agencies are developing and implementing integrated agencywide smart card initiatives. These projects are intended to use one card to support multiple functions, such as providing identification credentials, accessing computer systems, and storing monetary values.
GAO-04-948, Electronic Government: Federal Agencies Continue to Invest in Smart Card Technology
This is the accessible text file for GAO report number GAO-04-948
entitled 'Electronic Government: Federal Agencies Continue to Invest in
Smart Card Technology' which was released on September 08, 2004.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census, Committee on Government
Reform, House of Representatives:
September 2004:
ELECTRONIC GOVERNMENT:
Federal Agencies Continue to Invest in Smart Card Technology:
GAO-04-948:
GAO Highlights:
Highlights of GAO-04-948, a report to the Subcommittee on Technology,
Information Policy, Intergovernmental Relations, and the Census,
Committee on Government Reform, House of Representatives
Why GAO Did This Study:
Smart cards”plastic devices about the size of a credit card”use
integrated circuit chips to store and process data, much like a
computer. Among other uses, these devices can provide security for
physical assets and information by helping to verify the identity of
people accessing buildings and computer systems. They can also support
functions such as tracking immunization records or storing cash value
for electronic purchases. Government adoption of smart card technology
is being facilitated by the General Services Administration (GSA),
which has implemented a governmentwide Smart Card Access Common ID
contract, which federal agencies can use to procure smart card products
and services.
GAO was asked to update information that it reported in January 2003 on
the progress made by the federal government in promoting smart card
technology. Specific objectives were to (1) determine the current
status of smart card projects identified in GAO‘s last review, (2)
identify and determine the status of projects initiated since the last
review, and (3) identify integrated agencywide smart card projects
currently under way. To accomplish these objectives, GAO surveyed the
24 major federal agencies.
In commenting on a draft of this report, officials from GSA and the
Office of Management and Budget generally agreed with its content.
What GAO Found:
According to GAO‘s survey results, as of June 2004, more than half of
the smart card projects previously reported as ongoing (28 out of 52)
had been discontinued because they were absorbed into other smart card
projects or were deemed no longer feasible. Of the remaining 24
projects, 16 are in planning, pilot, or operational phases and are
intended to support a variety of uses (agencies did not provide current
information for 8 projects). Twelve of the 16 projects are large-scale
projects intended to provide identity credentials to an entire agency‘s
employees or other large group of individuals. For example, the
Department of Defense‘s (DOD) Common Access Card is to be issued to an
estimated 3.5 million DOD-related personnel, and the Transportation
Security Administration‘s Transportation Worker Identification
Credential is to be used by an estimated 6 million transportation
industry workers. The other 4 projects are smaller in scale, and are
intended to provide access or other services to limited groups of
people. For example, the Department of Commerce‘s Geophysical Fluid
Dynamics Laboratory Access Card is to be issued to about 612 employees,
contractors, and research collaborators. Further, in response to the
survey, agencies reported 8 additional smart card projects that were
ongoing at the time of the last review. These projects include 4
planned for multiple applications (such as identity credentials and
access) and 4 for single applications, including stored value, access
to computer systems, and processing travel documents.
Based on GAO‘s survey of federal agencies, 10 additional smart card
projects have been initiated since the last review. These projects vary
widely in size and scope. Included are small-scale projects, involving
cards issued to as few as 126 cardholders (such as a project in the
Department of Labor‘s Employment and Training Administration), and
large-scale agencywide initiatives, such as the Department of Veterans
Affairs Authentication and Authorization Infrastructure card, which is
to be issued to an estimated 500,000 employees and contractors. Four
agencies reported purchases under GSA‘s Smart Card Access Common ID
contracting vehicle, and others likewise have plans to use this
contract. Specifically, five agencies”the Departments of Defense,
Homeland Security, the Interior, and Veterans Affairs, and the National
Aeronautics and Space Administration”are planning to make an aggregated
purchase of up to 40 million cards over the next 4 years using the GSA
contract.
Finally, nine agencies are developing and implementing integrated
agencywide smart card initiatives. These projects are intended to use
one card to support multiple functions, such as providing
identification credentials, accessing computer systems, and storing
monetary values.
www.gao.gov/cgi-bin/getrpt?GAO-04-948.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Linda Koontz at (202)
512-6249 or koontzl@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Status of Previously Ongoing Smart Card Efforts:
Agencies across the Government Continue to Invest in Smart Card
Projects:
Implementation of Agencywide Smart Card Initiatives:
Summary:
Agency Comments and Our Evaluation:
Appendix:
Appendix I: Objectives, Scope, and Methodology:
Tables:
Table 1: Summary Information on 52 Projects Reported as Ongoing as of
January 2003:
Table 2: Detailed Status of 16 Previously Reported Projects That Remain
Active as of June 2004:
Table 3: Status of 8 Ongoing Smart Card Projects That Were Not
Previously Reported:
Table 4: Status of 10 Recently Initiated Smart Card Projects:
Table 5: Agencywide Smart Card Projects:
Figures:
Figure 1: A Typical Smart Card:
Figure 2: Distribution by Project Phase of 52 Federal Projects
Previously Reported as Ongoing:
Figure 3: Deployment Phases for 8 Projects That Were Not Previously
Reported:
Figure 4: Deployment Phases for 10 Recently Initiated Projects:
Abbreviations:
CAC: Common Access Card:
DHS: Department of Homeland Security:
DOD: Department of Defense:
FICC: Federal Identity Credentialing Committee:
GSA: General Services Administration:
NASA: National Aeronautics and Space Administration:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
PKI: public key infrastructure:
TSA: Transportation Security Administration:
VA: Department of Veterans Affairs:
Letter September 8, 2004:
The Honorable Adam H. Putnam:
Chairman, Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census:
Committee on Government Reform:
House of Representatives:
Dear Mr. Chairman:
As you know, technology plays an important role in helping the federal
government provide security for its many physical and information
assets. In particular, "smart cards"[Footnote 1] offer the potential to
significantly improve the process of verifying the identity of people
accessing federal buildings and computer systems--especially when these
cards are used in combination with other technologies, such as
biometrics. Further, smart cards can be used to support other business-
related functions, such as tracking immunization records or storing
cash value for electronic purchases.
The General Services Administration (GSA) has promoted the adoption of
smart card technology across the government based on a goal of
equipping all federal employees with a standardized smart card for a
wide range of services. In support of this goal, GSA has implemented a
governmentwide, standards-based contracting vehicle, the Smart Card
Access Common ID contract, which federal agencies can use to procure
smart card products and services. The contract specifies adherence to
the government smart card interoperability[Footnote 2] specification,
which has been developed by the National Institute of Standards and
Technology (NIST) and is intended to ensure that government smart card
implementations achieve a minimum level of interoperability.
In January 2003, we reported on progress that the federal government
had made in promoting the adoption of smart card technology.[Footnote
3] This report responds to your request that we update this
information. Specifically, our objectives were to (1) determine the
current status of smart card projects under way at the time of our last
review, (2) identify and determine the status of projects initiated
since our last review was completed, and (3) identify integrated
agencywide smart card projects that are currently under way.
To address these objectives, we surveyed the 24 major federal agencies
(i.e., agencies covered by the Chief Financial Officers Act as well as
the Department of Homeland Security (DHS)) regarding the status of
their smart card projects. We also obtained supporting documentation
where available and conducted follow-up interviews with agency
officials responding to the survey to ensure that the information
provided was current and accurate. In addition, we contacted GSA
officials to discuss agencies' use of the Smart Card Access Common ID
contract and other governmentwide implementation issues. Further
details of our objectives, scope, and methodology are given in appendix
I.
We performed our work between November 2003 and July 2004, in
accordance with generally accepted government auditing standards.
Results in Brief:
Of the 52 smart card projects that we reported as ongoing in January
2003, 28 had been discontinued as of June 2004 because they were
absorbed into other smart card projects or were deemed no longer
feasible. Of the remaining 24 projects, 16 are in planning, pilot, or
operational phases and are intended to support a variety of uses (the
agencies did not provide current information on the remaining 8).
Twelve of the 16 projects are large-scale projects intended to provide
identity credentials to an entire agency's employees or other large
group of individuals. Examples include the Department of Defense's
(DOD) Common Access Card (CAC), which is to be issued to an estimated
3.5 million DOD-related personnel, and the Transportation Security
Administration's Transportation Worker Identification Credential,
which is to be used by an estimated 6 million transportation industry
workers. The other 4 projects are smaller in scale, intended to provide
access or other services to limited groups of people. For example, the
Department of Commerce's Geophysical Fluid Dynamics Laboratory access
card will be issued to about 612 employees, contractors, and research
collaborators. Further, in response to our survey, agencies reported 8
additional smart card projects that were ongoing at the time of our
last review but not reported at that time.
Based on our survey of federal agencies, 10 additional smart card
projects have been initiated since our last review was completed. These
projects vary widely in size and scope. Included are small-scale
projects, involving cards issued to as few as 126 cardholders (such as
a project in the Department of Labor's Employment and Training
Administration), and large-scale agencywide initiatives, such as the
Department of Veterans Affairs (VA) Authentication and Authorization
Infrastructure card, which is to be issued to an estimated 500,000
employees and contractors. Four of these agencies reported purchases
under GSA's Smart Card Access Common ID contracting vehicle, and others
likewise have plans to use this contract. Specifically, five agencies-
-including the Departments of Defense, Homeland Security, the Interior,
and Veterans Affairs, and the National Aeronautics and Space
Administration (NASA)--are planning to make an aggregated purchase of
up to 40 million cards over the next 4 years using the GSA contract.
Nine agencies are developing and implementing integrated agencywide
smart card initiatives. These projects are intended to use one card to
support multiple functions, such as providing identification
credentials, accessing computer systems, and storing monetary values.
We received oral comments on a draft of this report from GSA's
Associate Administrator, Office of Governmentwide Policy, and from
officials of the Office of Management and Budget's (OMB) Office of
Information and Regulatory Affairs and its Office of General Counsel.
Both GSA and OMB generally agreed with the content in the draft report.
Technical comments provided by GSA and OMB have been addressed as
appropriate.
Background:
Today, federal employees are issued a wide variety of identification
(ID) cards, which are used to access federal buildings and facilities,
sometimes solely on the basis of visual inspection by security
personnel. These cards often cannot be used for other important
identification purposes--such as gaining access to an agency's computer
systems--and many can be easily forged or stolen and altered to permit
access by unauthorized individuals. In general, the ease with which
traditional ID cards--including credit cards--can be forged has
contributed to increases in identity theft and related security and
financial problems for both individuals and organizations. One means to
address such problems is offered by the use of smart cards.
Smart cards are plastic devices about the size of a credit card that
contain an embedded integrated circuit chip capable of both storing and
processing data.[Footnote 4] Figure 1 shows a typical example of a
smart card. The unique advantage of smart cards--as opposed to cards
with simpler technology, such as magnetic stripes or bar codes--is that
smart cards can exchange data with other systems and process
information rather than simply serving as static data repositories. By
securely exchanging information, a smart card can help authenticate the
identity of the individual possessing the card in a far more rigorous
way than is possible with simpler traditional ID cards. A smart card's
processing power also allows it to exchange and update many other kinds
of information with a variety of external systems, which can facilitate
applications such as financial transactions or other services that
involve electronic record-keeping.
Figure 1: A Typical Smart Card:
[See PDF for image]
[End of figure]
Smart cards can also be used to significantly enhance the security of
an organization's computer systems by tightening controls over user
access. A user wishing to log on to a computer system or network with
controlled access must "prove" his or her identity to the system--a
process called authentication. Many systems authenticate users by
merely requiring them to enter secret passwords, which provide only
modest security because they can be easily compromised. Substantially
better user authentication can be achieved by supplementing passwords
with smart cards. To gain access under this scenario, a user is
prompted to insert a smart card into a reader attached to the computer
as well as type in a password. This authentication process is
significantly harder to circumvent because an intruder would need not
only to guess a user's password but also to possess the same user's
smart card.
Even stronger authentication can be achieved by using smart cards in
conjunction with biometrics. Smart cards can be configured to store
biometric information (such as fingerprint templates or iris scans) in
electronic records that can be retrieved and compared with an
individual's live biometric scan as a means of verifying that person's
identity in a way that is difficult to circumvent. A system requiring
users to present a smart card, enter a password, and verify a biometric
scan provides what security experts call "three-factor" authentication,
the three factors being "something you possess" (the smart card),
"something you know" (the password), and "something you are" (the
biometric). Systems employing three-factor authentication are
considered to provide a relatively high level of security. The
combination of smart cards and biometrics can provide equally strong
authentication for controlling access to physical facilities.[Footnote
5]
Smart cards can also be used in conjunction with public key
infrastructure (PKI) technology to better secure electronic messages
and transactions.[Footnote 6] A properly implemented and maintained PKI
can offer several important security services, including assurance that
(1) the parties to an electronic transaction are really who they claim
to be, (2) the information has not been altered or shared with any
unauthorized entity, and (3) neither party will be able to wrongfully
deny taking part in the transaction. Security experts generally agree
that PKI technology is most effective when deployed in conjunction with
smart cards.
In addition to enhancing security, smart cards have the flexibility to
support a wide variety of uses not related to security. A typical smart
card in use today can store and process 16 to 32 kilobytes of data,
while newer cards can accommodate 64 kilobytes. The larger the card's
electronic memory, the more functions can be supported, such as
tracking itineraries for travelers, linking to immunization or other
medical records, or storing cash value for electronic purchases.
Smart cards are grouped into two major classes: contact cards and
"contactless" cards. Contact cards have gold-plated contacts that
connect directly with the read/write heads of a smart card reader when
the card is inserted into the device. Contactless cards contain an
embedded antenna and work when the card is waved within the magnetic
field of a card reader or terminal. Contactless cards are better suited
for environments where quick interaction between the card and the
reader is required, such as high-volume physical access. For example,
the Washington Metropolitan Area Transit Authority has deployed an
automated fare collection system using contactless smart cards as a way
of speeding patrons' access to the Washington, D.C., subway system.
Smart cards can be configured to include both contact and contactless
capabilities, but two separate interfaces are needed because standards
for the technologies are very different.
Since the 1990s, the federal government has considered the use of smart
card technology as one option for electronically improving security
over buildings and computer systems. In 1996, GSA was tasked with
taking the lead in facilitating a coordinated interagency management
approach for the adoption of multiapplication smart cards across
government. The tasking came from OMB, which has statutory
responsibility to develop and oversee policies, principles, standards,
and guidelines used by agencies for ensuring the security of federal
information and systems. To make it easier for federal agencies to
acquire commercial smart card products, GSA developed the
governmentwide Smart Card Access Common ID contracting vehicle, which
also specified adherence to the government smart card interoperability
specification that NIST developed in collaboration with smart card
vendors.
In 2003, OMB, in accordance with the President's vision of creating a
more responsive and cost-effective government, issued a memorandum to
federal chief information officers outlining details of the
E-Authentication E-Government initiative on authentication and
identity management. OMB also created the Federal Identity
Credentialing Committee (FICC) to make policy recommendations and
develop the Federal Identity Credentialing component of the Federal
Enterprise Architecture, to include services such as identity proofing
and credential management for the federal government. In February 2004,
FICC issued policy guidance on the use of smart card-based systems in
badge, identification, and credentialing systems with the objective of
helping agencies plan, budget, establish, and implement credentialing
and identification systems for government employees and their agents.
In our January 2003 report on smart cards, we made recommendations to
OMB, NIST, and GSA. Specifically, we recommended that:
* the Director, OMB, issue governmentwide policy guidance regarding
adoption of smart cards for secure access to physical and logical
assets;
* the Director, NIST, continue to improve and update the government
smart card interoperability specification by addressing governmentwide
standards for additional technologies--such as contactless cards,
biometrics, and optical stripe media--as well as integration with PKI;
and:
* the Administrator, GSA, improve the effectiveness of its promotion of
smart card technologies within the federal government by (1) developing
an internal implementation strategy with specific goals and milestones
to ensure that GSA's internal organizations support and implement smart
card systems consistently; (2) updating its governmentwide
implementation strategy and administrative guidance on implementing
smart card systems to address current security priorities;
(3) establishing guidelines for federal building security that address
the role of smart card technology; and (4) developing a process for
conducting ongoing evaluations of the implementation of smart card-
based systems by federal agencies to ensure that lessons learned and
best practices are shared across government.
To date, all three agencies have taken actions to address the
recommendations made to them. In response to our recommendation, OMB
issued a July 3, 2003, memorandum to major departments and agencies
directing them to coordinate and consolidate investments related to
authentication and identity management, including the implementation of
smart card technology. NIST has responded by improving and updating the
government smart card interoperability specification to address
additional technologies, including contactless cards and
biometrics.[Footnote 7]GSA responded to our recommendations by updating
its "Smart Card Policy and Administrative Guidance" to better address
security priorities, including minimum security standards for federal
facilities, computer systems, and data across the government. However,
three of our four recommendations to GSA are still outstanding. GSA
officials stated that they are working to address the recommendations
to develop an internal GSA smart card implementation strategy, develop
a process for conducting evaluations of smart card implementations, and
share lessons learned and best practices across government. The
responsibility for one recommendation--establishing guidelines for
federal building security that address the role of smart card
technology--was transferred to DHS.
Status of Previously Ongoing Smart Card Efforts:
In January 2003, we reported that 18 federal agencies were planning,
testing, operating, or completing 62 smart card projects. These
projects varied widely in size and technical complexity, ranging from
small-scale, limited-duration pilot projects to large-scale,
agencywide initiatives providing multiple services. The projects were
reported in varying stages of deployment. Specifically, 17 projects
were listed as operational, 13 projects were in the planning stage, and
7 were being piloted. In addition, 10 were reported at that time as
having been completed[Footnote 8] or discontinued for various reasons.
No information was provided about the project phase of the remaining 15
initiatives.
In responding to our survey regarding the 52 projects listed as ongoing
in our previous report, agencies reported that as of June 2004, 28 had
been terminated. Of the remaining projects, 11 were operational, 5 were
in the planning or pilot phase, and agencies did not provide current
information on 8. The operational and planned projects consist mostly
of large-scale projects intended to provide identity credentials to an
entire agency's employees or other large groups of individuals. Figure
2 shows the current status of the 52 federal smart card projects that
were previously reported as continuing. Table 1 provides summary
information on the status of individual projects, providing reasons for
any terminations.
Figure 2: Distribution by Project Phase of 52 Federal Projects
Previously Reported as Ongoing:
[See PDF for image]
[End of figure]
Table 1: Summary Information on 52 Projects Reported as Ongoing as of
January 2003:
Federal agency: Agriculture;
Number of projects: 1;
Previously reported status: 1 operational;
Current status: 1 terminated;
Comments: The Farm Service Agency terminated the Peanut Smart Card
project after the 2002 Farm Bill ended the Peanut Program.
Federal agency: Commerce;
Number of projects: 5;
Previously reported status: 1 planned;
Current status: 1 terminated;
Comments: NIST terminated its Network Security and Access Control
project after determining that the technology did not meet its needs
and that the project was too costly.
Federal agency: Commerce;
Previously reported status: 1 pilot;
Current status: 1 terminated;
Comments: The Patent and Trademark Office terminated its Patent Work at
Home program because of legal and union issues.
Federal agency: Commerce;
Previously reported status: 3 of unknown status[A];
Current status: 1 unknown;
Comments: Commerce did not provide current information on the
previously reported Bureau of Industry & Security project.
Federal agency: Commerce;
Previously reported status: 3 of unknown status[A];
Current status: 2 operational;
Comments: The U.S. Census Bureau Travel Management Information System
and the National Oceanic and Atmospheric Administration Geophysical
Fluid Dynamics Laboratory Remote Access projects are now fully
operational.
Federal agency: Defense;
Number of projects: 20;
Previously reported status: 1 planned;
Current status: 1 terminated;
Comments: The Naval Academy Campus pilot did not advance past the
discussion stage. No funding was provided to support implementation.
Federal agency: Defense;
Previously reported status: 3 pilot;
Current status: 3 terminated;
Comments: Of the 3 pilot projects, the Common Access Card (CAC)
absorbed 2, and 1 was terminated because the project achieved its
objectives in the pilot phase.
Federal agency: Defense;
Previously reported status: 10 operational;
Current status: 2 operational;
Comments: The CAC and Eagle Cash card continue as operational programs.
Federal agency: Defense;
Previously reported status: 6 of unknown status[A];
Current status: 14 terminated;
Comments: Of 14 terminated projects, 5 were absorbed by CAC, 3 were
absorbed by EZPay (a previously unreported project), 1 was terminated
because it did not receive funding for a planned upgrade, and 2 were
terminated because there was no funding or sustainment support
available for implementation. The last 3 were reported to be CAC
applications rather than separate smart card programs.
Federal agency: DHS;
Number of projects: 1;
Previously reported status: 1 planned;
Current status: 1 pilot;
Comments: The Transportation Worker Identification Credential program
was transferred from the Department of Transportation to DHS as part of
the Transportation Security Administration.
Federal agency: Education;
Number of projects: 1;
Previously reported status: 1 planned;
Current status: 1 terminated;
Comments: The Financial Student Aid Campus card project was terminated
because it was incompatible with an existing proximity card system
installed in Education's headquarters buildings.
Federal agency: Energy;
Number of projects: 1;
Previously reported status: 1 operational;
Current status: 1 unknown;
Comments: A project was previously reported on the use of smart cards
to permit physical access to restricted areas by employees working to
clean up and shut down the Rocky Flats Technology site. However, Energy
officials did not provide current information about this project.
Federal agency: General Services Administration;
Number of projects: 1;
Previously reported status: 1 operational;
Current status: 1 terminated;
Comments: GSA's smart card for physical and logical access was
terminated and replaced by GSA's new nationwide ID effort.
Federal agency: Housing and Urban Development;
Number of projects: 1;
Previously reported status: 1 pilot;
Current status: 1 unknown;
Comments: Department officials did not provide current information
about this previously reported pilot project.
Federal agency: Interior;
Number of projects: 4;
Previously reported status: 1 planned;
Current status: 1 operational;
Comments: The Incident Qualification and Certification System
(previously reported as the Firefighters Training Card) is now
operational.
Federal agency: Interior;
Previously reported status: 2 pilot;
Current status: 1 operational;
Comments: The Bureau of Land Management previously piloted the E-
Authentication project. This initiative is now operational but not
fully deployed.
Federal agency: Interior;
Previously reported status: 2 pilot;
Current status: 1 planning;
Comments: The Minerals Management Service is planning a smart card
project to provide credentials for physical and logical access.
Federal agency: Interior;
Previously reported status: 1 of unknown status[A];
Current status: 1 unknown;
Comments: No current information was provided for a project that was
previously reported at the Fish and Wildlife Service.
Federal agency: Justice;
Number of projects: 5;
Previously reported status: 2 planned;
Current status: 1 pilot/testing 1 unknown[B];
Comments: The FBI is piloting the PKI portion of its Trilogy program,
to provide logical access. This program is a 36-month effort to enhance
effectiveness through technologies that facilitate better organization,
access, and analysis of information. Department officials did not
provide current information about the other previously reported
project.
Previously reported status: 3 of unknown status[A];
Current status: 3 unknown;
Comments: Justice did not provide current information on these
previously reported projects.
Federal agency: Labor;
Number of projects: 1;
Previously reported status: 1 operational;
Current status: 1 operational;
Comments: The Bureau of Labor Statistics is operating the Internal PKI
Infrastructure project to provide logical access to computer systems.
Federal agency: NASA;
Number of projects: 1;
Previously reported status: 1 planned;
Current status: 1 planning/ testing;
Comments: NASA is testing a project to use PKI certificates to
authenticate and grant employees and contractors physical and logical
access at its facilities.
Federal agency: National Science Foundation;
Number of projects: 1;
Previously reported status: 1 planned;
Current status: 1 terminated;
Comments: The planned project was terminated for lack of funding.
Federal agency: Social Security Administration;
Number of projects: 1;
Previously reported status: 1 planned;
Current status: 1 terminated;
Comments: The planned Property Accountability and Pass Project did not
proceed beyond the concept stage.
Federal agency: State;
Number of projects: 1;
Previously reported status: 1 operational;
Current status: 1 operational;
Comments: State employees use smart cards, which include PKI
certificates, for physical and logical access.
Federal agency: Transportation;
Number of projects: 2;
Previously reported status: 2 planned;
Current status: 1 operational;
Comments: The Volpe Security Upgrade Project provides physical access
for employees and contractors.
Federal agency: Transportation;
Number of projects: 2;
Current status: 1 planning;
Comments: The Federal Aviation Administration Identification Media
System project is in the planning phase.
Federal agency: Treasury;
Number of projects: 2;
Previously reported status: 1 planned;
Current status: 1 operational;
Comments: The Electronic Treasury Enterprise Card is now operational.
Previously reported status: 1 operational;
Current status: 1 operational;
Comments: The Internal Revenue Service is using smart cards to provide
secure dial-in access to its local area network.
Federal agency: Veterans Affairs;
Number of projects: 3;
Previously reported status: 1 operational;
Current status: 1 terminated;
Comments: VA terminated the One VA Express registration project because
registration data could be obtained using existing network-centric
enterprise information systems.
Federal agency: Veterans Affairs;
Previously reported status: 2 of unknown status[A];
Current status: 2 terminated;
Comments: The VA Bronx and VA Tampa Stored Value/ID projects were
terminated because of low volumes of activity, as well as operational
and technical challenges.
Source: GAO analysis of data reported by federal agencies.
[A] Deployment status information was not provided.
[End of table]
Agencies reported that the majority (28) of the above projects had been
terminated since our last review was conducted. According to agency
officials, reasons for termination were primarily that the projects
were absorbed into other smart card projects or were deemed no longer
feasible. For example, DOD terminated 14 of 26 previously reported
projects by substituting functionality provided by two large-scale
smart card projects, the Common Access Card (CAC) and the EZPay (a
project that was not previously reported). DOD's CAC card is to be used
to authenticate the identity of nearly 3.5 million military and
civilian personnel and to improve security over online systems and
transactions. The EZPay program is a stored-value card given to
recruits at training installations to accelerate the processing time
and thus maximize training time.
Table 2 provides further details on the remaining 16 ongoing projects.
As the table shows, 12 of these are large-scale projects. Agencywide
smart card projects are ongoing at NASA and the Departments of Defense,
the Interior, State, and the Treasury.
These and other large projects will serve populations ranging up to
6 million. The cards will be used for identity credentials, physical
access to buildings, logical access to computer systems, and stored
value. The remaining 4 projects are used for similar purposes. However,
they are smaller in scale, serving populations ranging from 612 to
3,100 individuals. For example, the Interior's Minerals Management
Service is planning a smart card program for use as identity
credentials, and physical and logical access for about 2,100 employees.
Table 2: Detailed Status of 16 Previously Reported Projects That Remain
Active as of June 2004:
Federal agency: Commerce;
Number of projects: 2;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 5,313;
Population to be served: As needed;
Description: The U.S. Census Bureau's Travel Management Information
System Plus is an administrative travel application that provides
users with the capability to process transactions using electronic
technology.
Federal agency: Commerce;
Number of projects: 2;
Status: 1 operational;
Size[A]: Small;
Number of cards issued[B]: 204;
Population to be served: 612;
Description: National Oceanic and Atmospheric Administration's
Geophysical Fluid Dynamics Laboratory has remote access cards to
facilitate login to computer systems.
Federal agency: Defense;
Number of projects: 2;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 2,750,859;
Population to be served: 3,457,975;
Description: The CAC is an agencywide standard identification card for
DOD. This is the principal card used to enable physical access to
buildings, installations, and controlled spaces; it will also be used
to enable information technology systems and applications that access
the department's computer networks.
Federal agency: Defense;
Number of projects: 2;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 46,105;
Population to be served: 15,000 per year;
Description: The Department of the Army's EagleCash card is a stored-
value card that replaces U.S. currency, minimizes counterfeiting, and
improves financial controls and administration at deployed overseas
military bases.
Federal agency: DHS;
Number of projects: 1;
Status: 1 pilot;
Size[A]: Large;
Number of cards issued[B]: 0;
Population to be served: 6 million;
Description: The Transportation Security Administration's
Transportation Worker Identification Credential (TWIC) is to be issued
to each worker requiring unescorted physical or logical access to
secure areas of the nation's transportation facilities (including
maritime, aviation, transit, rail, and other surface modes).
Federal agency: Interior;
Number of projects: 3;
Status: 1 planning;
Size[A]: Small;
Number of cards issued[B]: 0;
Population to be served: 2,100;
Description: The Minerals Management Service is planning a program to
provide smart cards for identity credentials and for physical and
logical access.
Federal agency: Interior;
Number of projects: 3;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 0;
Population to be served: 70,000;
Description: The Incident Qualification and Certification System
(IQCS)--previously reported as the Firefighters Training Card--is an
interagency application within the fire management community, including
the National Park Service, Bureau of Land Management, Fish and Wildlife
Service, Bureau of Indian Affairs, and the U.S. Forest Service. IQCS
cards will be used during incidents (such as wildland fires) for
identification, basic personal information used to track personnel on
the incident, and individual qualifications. The Bureau of Land
Management is the managing partner for this project.
Federal agency: Interior;
Number of projects: 3;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 7,100;
Population to be served: 90,000;
Description: The Bureau of Land Management is the lead agency for the
agencywide E- Authentication project, which is intended to provide
identification, physical, and logical access for Interior employees.
Interior plans to implement this project agencywide by fiscal year
2005.
Federal agency: Justice;
Number of projects: 1;
Status: 1 pilot;
Size[A]: Large;
Number of cards issued[B]: 31;
Population to be served: 50,000;
Description: The FBI is piloting the PKI portion of its Trilogy
Program, for logical access.
Federal agency: Labor;
Number of projects: 1;
Status: 1 operational;
Size[A]: Small;
Number of cards issued[B]: 768;
Population to be served: 3,100;
Description: The Bureau of Labor Statistics has partially implemented
an Internal PKI Infrastructure project for accessing computer systems.
Federal agency: NASA;
Number of projects: 1;
Status: 1 planning/testing;
Size[A]: Large;
Number of cards issued[B]: 0;
Population to be served: 85,000;
Description: The One NASA Smart Card Badge Project is agencywide and
is being designed to provide cards for identity, physical access, and
login to computer systems.
Federal agency: State;
Number of projects: 1;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 25,000;
Population to be served: 25,000;
Description: The Domestic Smart Card Access Control project is a joint
effort with the department's PKI effort. This project is agencywide
and is responsible for badge creation and physical access tokens.
Federal agency: Transportation;
Number of projects: 2;
Status: 1 operational;
Size[A]: Small;
Number of cards issued[B]: 1,200;
Population to be served: 1,200;
Description: The Volpe Security Upgrade Project is partially
operational and developed for physical access. Smart cards are issued
to federal employees and contractors.
Federal agency: Transportation;
Number of projects: 2;
Status: 1 planning;
Size[A]: Large;
Number of cards issued[B]: 0;
Population to be served: 98,853;
Description: The Federal Aviation Administration Identification Media
System project is planned to provide cards for identity credentials
and for physical and logical access. The Federal Aviation
Administration plans to issue the cards to both federal employees and
contractors.
Federal agency: Treasury;
Number of projects: 2;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 2,500;
Population to be served: 7,500;
Description: The Electronic Treasury Enterprise Card is currently in
proof of concept operation at the Treasury Headquarters and the Bureau
of Engraving and Printing. Agencywide deployment is planned to occur
pending funding approval.
Federal agency: Treasury;
Number of projects: 2;
Status: 1 operational;
Size[A]: Large;
Number of cards issued[B]: 30,528;
Population to be served: 75,000;
Description: The Internal Revenue Service is operating agencywide
Secure Dial In cards for logical access.
Source: GAO analysis of data reported by federal agencies.
[A] Categorized by the population served. Small projects have issued
fewer than 5,000 cards. Large-scale projects had 5,000 or more cards
issued.
[B] In our survey, we asked agencies to report the number of cards
issued as of December 31, 2003.
[C] At the time of our previous report, the TWIC was listed as a
Department of Transportation project.
[End of table]
In response to our survey, agency officials reported 8 additional
smart card projects that were ongoing at the time of our last review
but not previously reported.[Footnote 9] Four of the 8 projects were
planned for multiple applications such as identity credentials and
physical and logical access. The remaining 4 projects were planned for
single applications such as stored value, logical access to computer
systems and networks, or processing travel documents. Figure 3 shows
the number of these projects by the type of applications planned and
the stage of reported deployment. Table 3 provides more detailed status
information on these projects.
Figure 3: Deployment Phases for 8 Projects That Were Not Previously
Reported:
[See PDF for image]
[End of figure]
Table 3: Status of 8 Ongoing Smart Card Projects That Were Not
Previously Reported:
Federal agency: Defense;
Number of projects: 2;
Status: 1 operational;
Cards issued[A]: 16,724;
Population to be served: 350,000;
Project description: The Navy Cash System is a joint Treasury/Navy
program and manages personal funds for Navy and Marine Corps deployed
members. It is a "cashless" ATM system on Navy ships that allows
members access to home banks or credit unions when deployed. The
application supported is stored value.
Federal agency: Defense;
Number of projects: 2;
Status: 1 operational;
Cards issued[A]: 578,197;
Population to be served: 300,000 per year;
Project description: The EZPay program provides cards at all U.S. Army
and Air Force basic training installations to accelerate recruit
processing and maximize training time. This initiative is a partnership
involving the Defense Finance and Accounting Service, the Treasury,
and the Army. The application supported is stored value.
Federal agency: Environmental Protection Agency (EPA);
Number of projects: 1;
Status: 1 planning;
Cards issued[A]: 0;
Population to be served: 1,820;
Project description: The Region 2 EPA Access Card is an identity
credential and physical access card initiative. The project is
integrated with GSA's smart card project at the New York Federal Civic
Center.
Federal agency: Health and Human Services;
Number of projects: 2;
Status: 1 operational;
Cards issued[A]: 18;
Population to be served: 2,950;
Project description: The Food and Drug Administration's Office of
Regulatory Affairs is implementing a Trust Service and Identity
Management with Level 4 Assurance Project to provide identity
credentials for physical and logical access. The purpose of this
project is to establish a trust framework that can be combined with
infrastructure security services to provide confidentiality, integrity,
authentication through digital signatures, and nonrepudiation of
electronic transactions.
Federal agency: Health and Human Services;
Number of projects: 2;
Status: 1 operational;
Cards issued[A]: 133;
Population to be served: 150;
Project description: The Centers for Disease Control and Prevention is
implementing a September Compliance Project that uses smart cards.
Planning for this identity credential and physical access application
began in April 2002.
Federal agency: DHS;
Number of projects: 1;
Status: 1 planned;
Cards issued[A]: 0;
Population to be served: Not provided;
Project description: DHS has established the United States Visitor and
Immigrant Status Indicator Technology (US VISIT) project to collect,
maintain, and share information, including biometric identifiers, on
selected foreign nationals who travel to the United States. The smart-
card phase of the US-VISIT project is currently in planning.
Federal agency: Social Security Administration;
Number of projects: 1;
Status: 1 operational;
Cards issued[A]: 15,490;
Population to be served: As needed;
Project description: The Virtual Private Network Smart Card became
fully operational in November 2000. The purpose of this smart card is
to provide remote access to designated computer network users. The
agency intends to purchase additional cards as needed.
Federal agency: Transportation;
Number of projects: 1;
Status: 1 planning;
Cards issued[A]: 1;
Population to be served: Not provided;
Project description: The National Highway Traffic Safety Administration
Smart Card Project is in the planning phase. The purpose is to provide
identity credentials, physical and logical access, and asset management
applications. Additional cards are to be issued when the project
becomes operational.
Source: GAO analysis of data reported by federal agencies.
[A] As of December 31, 2003.
[End of table]
Agencies across the Government Continue to Invest in Smart Card
Projects:
In response to our survey, agencies reported 10 smart card projects
that were initiated since our last review was completed. Based on
these reported projects, more agencies are using GSA's Smart Card
Access Common ID contracting vehicle to acquire smart card technology.
Federal Investments in Smart Card Projects:
The 10 new projects identified in response to our survey vary in size,
scope, and stage of deployment: planning, pilot, and operational. All
of the projects are planned for multiple applications such as identity
credentials and physical and logical access. Figure 4 shows the number
of these projects by the type of application planned and the stage of
reported deployment.
Figure 4: Deployment Phases for 10 Recently Initiated Projects:
[See PDF for image]
[End of figure]
These 10 projects vary widely in size, including small-scale projects-
-involving smart cards issued to as few as 126 cardholders--as well as
much larger scale initiatives. For example, Department of Labor
officials reported that the Employment and Training Administration
physical access control smart card was issued to 126 federal employees
and contractors as of December 2003. This card is operational and will
be issued to 175 cardholders when fully deployed; it is used for
identity credentials and physical access to buildings and other
facilities. In contrast, VA plans to issue an estimated 500,000 smart
cards to employees and contractors under its Authentication and
Authorization Infrastructure Project. Through this initiative, smart
cards will be used for identity credentials, accessing buildings or
other facilities, and accessing computer systems. Production began in
July 2004.
Another example of a large-scale project is GSA's Nationwide ID card.
GSA plans to issue cards to 61,000 federal employees, contractors, and
tenant agencies. Using this card, GSA plans to implement nationwide
uniform credentials based on smart card technology by providing a
single standard credential card for identification, building access,
property management, and other applications. Table 4 provides status
information on the 10 recently initiated smart card projects.
Table 4: Status of 10 Recently Initiated Smart Card Projects:
Federal agency: Commerce;
Number of projects: 1;
Status: 1 planning;
Cards issued[A]: 2,626;
Population to be served: 10,700;
Project description: The U.S. Patent and Trademark Office has
established an Internal PKI/Smart Card Project. Applications supported
are identity credentials and physical and logical access.
Federal agency: General Services Administration;
Number of projects: 1;
Status: 1 operational;
Cards issued[A]: 40,000;
Population to be served: 61,000;
Project description: GSA is implementing nationwide uniform credentials
based on smart card technology, so that every GSA associate,
contractor, and visitor will be able to use a single standard
credential card for identification, building access, property
management, and other applications.
Federal agency: Health and Human Services;
Number of projects: 1;
Status: 1 operational;
Cards issued[A]: 30;
Population to be served: 100;
Project description: The Food and Drug Administration is implementing
Select Agent Labs that will be equipped with biometric readers that
will use smart cards. The planning phase began in October 2003.
Applications supported are identity credentials and physical access.
Federal agency: DHS;
Number of projects: 3;
Status: 1 pilot;
Cards issued[A]: 0;
Population to be served: Not provided;
Project description: The Transportation Security Administration's
Registered Traveler Program is intended to improve the security
screening process at airports by identifying approved travelers that
will be allowed to go through expedited security screening.
Federal agency: DHS;
Number of projects: 3;
Status: 1 planning;
Cards issued[A]: 0;
Population to be served: Not provided;
Project description: The Transportation Security Administration's
Armed Law Enforcement Officer verification smart card program will
test the use of biometric technology to verify the identity of armed
law enforcement officers boarding commercial airplanes. Project
applications planned are identity credentials and physical access.
Federal agency: DHS;
Number of projects: 3;
Status: 1 pilot;
Cards issued[A]: 600;
Population to be served: 250,000;
Project description: The DHS Identification and Credentialing Program
is intended to serve as a comprehensive identification and
credentialing program for the entire department when it is fully
deployed. Applications supported include identity credentials,
physical and logical access, asset management, and stored value.
Federal agency: Labor;
Number of projects: 2;
Status: 1 planning;
Cards issued[A]: 0;
Population to be served: 900;
Project description: The E-Authentication Smart Card pilot began in
February 2004. The goal is to provide credentials that employees can
use to electronically access departmental resources in a manner that
is compatible with the federal government's E- Authentication Gateway.
Applications supported are identity credentials and physical and
logical access. Full implementation across the department is planned
for fiscal year 2007.
Federal agency: Labor;
Number of projects: 2;
Status: 1 operational;
Cards issued[A]: 126;
Population to be served: 175;
Project description: The Office of Technology Physical Access Control
project addresses the Employment and Training Administration's
security requirements for access control to its facilities and
sensitive areas. Applications supported are identity credentials and
physical access.
Federal agency: State;
Number of projects: 1;
Status: 1 operational;
Cards issued[A]: 0;
Population to be served: 72,000;
Project description: The Global Look ID project, a joint effort with
the State Department's Domestic Smart Card Access Control project, is
designed to support badge creation. Applications supported are identity
credentials, physical and logical access, e- mail, and Web-based
access controls.
Federal agency: Veterans Affairs;
Number of projects: 1;
Status: 1 pilot;
Cards issued[A]: 250;
Population to be served: 500,000;
Project description: The Authentication and Authorization
Infrastructure Project is intended to provide the capability to
authenticate users and systems with certainty and grant them access to
information systems necessary to perform business functions.
Source: GAO analysis of data reported by federal agencies.
[A] As of December 31, 2003.
[End of table]
Agencies' Reported Use of GSA's Contracting Vehicle:
GSA developed the Smart Card Access Common ID contracting vehicle to
help make it easier for federal agencies to acquire commercial smart
card products and services. According to the director of GSA's Center
for Smart Card Solutions, further guidance is planned that will require
agencies to use the contracting vehicle or provide justification for
not using it. The Director also stated that using GSA's contract should
help reduce the cost of smart cards and ensure that vendors incorporate
interoperability specifications. Between December 2004 and December
2008, five agencies--including NASA and the Departments of Defense,
Homeland Security, the Interior, and Veterans Affairs--are planning to
make an aggregated purchase of up to 40 million cards through the GSA
contract. As a part of this purchase, these agencies are scheduled to
begin making quarterly procurements beginning in December 2004 of
approximately 1.2 million cards.
In response to our survey, the majority of the agencies (4 of 7) that
reported new initiatives told us that they purchased smart cards under
the GSA contract. The remaining agencies cited reasons for not
acquiring smart cards under the GSA contract, such as purchase
arrangements with another agency or purchases under other types of
contracts.
Implementation of Agencywide Smart Card Initiatives:
Agencies continue to move towards integrated agencywide initiatives
that use smart cards as identity credentials that agency employees can
use to gain both physical access to facilities, such as buildings, and
logical access to computer systems and networks. In some cases,
additional functions, such as asset management and stored value, are
also being included. Nine agencies reported such projects: 4 of these
were reported in our prior report, and 5 are recently initiated
efforts. These projects are in various stages of deployment.
One of the largest agencywide efforts is DHS's identification and
credentialing project. The agency plans to issue 250,000 cards to
employees and contractors. This is a comprehensive identification and
credentialing effort that will use PKI technology for logical access
and proximity chips for physical access. Authentication will rely on
biometrics with a personal identification number as a backup. Other
recently initiated agencywide smart card projects include GSA's
Nationwide Identification, VA's Authentication and Authorization
Infrastructure Project, and the Department of Labor's E-Authentication
project. Table 5 summarizes both previously reported and recently
initiated agencywide smart card efforts.
Table 5: Agencywide Smart Card Projects:
Federal agency: Defense;
Project name: Common Access Card (CAC);
Reported status: Operational;
Estimated completion: Apr. 2004;
Applications supported:
Identity credential;
Physical access;
Logical access.
Federal agency: Homeland Security;
Project name: Identification and Credentialing Program;
Reported status: Pilot;
Estimated completion: --;
Applications supported:
Identity credential;
Physical access;
Logical access;
Asset management;
Stored Value.
Federal agency: General Services Administration;
Project name: Nationwide Identification;
Reported status: Operational;
Estimated completion: Dec. 2004;
Applications supported:
Identity credential;
Physical access.
Federal agency: Interior;
Project name: E-Authentication;
Reported status: Operational;
Estimated completion: Jan. 2006;
Applications supported:
Identity credential;
Physical access;
Logical access;
E-signature.
Federal agency: Labor;
Project name: E-Authentication;
Reported status: Planning;
Estimated completion: Apr. 2005;
Applications supported:
Identity credential;
Physical access;
Logical access.
Federal agency: NASA;
Project name: One NASA Smart Card Badge;
Reported status: Planning/pilot;
Estimated completion: Sept. 2004;
Applications supported:
Identity credential;
Physical access;
Logical access.
Federal agency: State;
Project name: Global Look ID;
Reported status: Operational;
Estimated completion: Sept. 2006;
Applications supported:
Identity credential;
Physical access;
Logical access;
E-mail (signature & encryption).
Federal agency: Treasury;
Project name: Electronic Treasury Enterprise Card;
Reported status: Operational;
Estimated completion: Sept. 2004;
Applications supported:
Identity credential;
Physical access;
Logical access;
Asset management.
Federal agency: Veterans Affairs;
Project name: Authentication and Authorization Infrastructure Project;
Reported status: Pilot;
Estimated completion: Sept. 2007;
Applications supported:
Identity credential;
Physical access;
Logical access.
Source: GAO analysis of data reported by federal agencies.
[End of table]
Summary:
Agencies across the government continue to invest in smart card
projects with plans to issue millions of new cards to employees and
other personnel. These projects are intended to provide a range of
benefits and services, ranging from verifying the identity of people
accessing buildings and computer systems to managing assets and storing
monetary value. Agencies are also moving toward integrated agencywide
credentialing projects, with several agencies planning to consolidate
their smart card purchases through GSA's Smart Card Access Common ID
contract.
Agency Comments and Our Evaluation:
We received oral comments on a draft of this report from GSA's
Associate Administrator, Office of Governmentwide Policy, and from
officials of OMB's Office of Information and Regulatory Affairs and its
Office of General Counsel. Both GSA and OMB generally agreed with the
content in the draft report. In addition, each agency provided
technical comments, which have been addressed where appropriate in the
final report.
We will provide copies of this report to the Director of OMB and the
Administrator of GSA, and the report will be available at no charge on
the GAO Web site at [Hyperlink, http://www.gao.gov].
Should you have any questions on matters contained in this report,
please contact me at (202) 512-6240 or John de Ferrari, Assistant
Director, at (202) 512-6335. We can also be reached by e-mail at
[Hyperlink, koontzl@gao.gov]ntzl@gao.gov] and [Hyperlink,
deferrarij@gao.gov], respectively. Other key contributors to this
report were Tonia Brown, Barbara Collier, Felipe Colón, Pamlutricia
Greenleaf, and Joel Grossman.
Sincerely yours,
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
[End of section]
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to (1) determine the current status of smart card
projects under way at the time of our last review, (2) identify and
determine the status of projects initiated since our last review was
completed, and (3) identify integrated agencywide smart card projects
that are currently under way.
To address these objectives, we developed a questionnaire and surveyed
24 federal agencies. These included agencies that are subject to the
provisions of the Chief Financial Officers Act as well as the
Department of Homeland Security. The survey included the 18 agencies
pursuing smart card projects that were identified in our previous
report.
The practical difficulties of conducting any survey may introduce
errors. For example, differences in how a particular question is
interpreted, the sources of information available to respondents, or
the types of people who do not respond can introduce unwanted
variability into the survey results. We included steps in both the data
collection and data analysis stages for the purpose of minimizing such
errors.
We analyzed information obtained through the survey to develop summary
results and identify trends. To ensure the reliability of the
information reported through the survey, we obtained available
supporting documentation--such as project plans and descriptions--to
verify (1) reported planning and implementation dates and (2) the
numbers of smart cards issued as of December 31, 2003, or planned for
issuance. As needed, we conducted follow-up interviews with agency
officials responding to the survey to further ensure that the
information provided was current and accurate. In addition, we
contacted GSA officials to discuss agencies' use of the Smart Card
Access Common ID contract and other governmentwide implementation
issues.
We performed our work in Washington, D.C., and Atlanta, Georgia,
between November 2003 and July 2004, in accordance with generally
accepted government auditing standards.
(310399):
FOOTNOTES
[1] Smart cards are plastic devices--about the size of a credit card--
that use integrated circuit chips to store and process data, much like
a computer. This processing capability distinguishes these cards from
traditional magnetic stripe cards, which cannot process or exchange
data with automated information systems.
[2] Interoperability is the ability of two or more systems or
components to exchange information and to use the information
exchanged.
[3] GAO, Electronic Government: Progress in Promoting Adoption of Smart
Card Technology, GAO-03-144 (Washington, D.C.: Jan. 3, 2003).
[4] The term "smart card" may also be used to refer to cards with a
computer chip that only stores information without providing any
processing capability. Such cards, known as stored-value cards, are
widely used for services such as prepaid telephone service or satellite
television reception. This report includes information on federal use
of stored-value cards as well as smart ID cards.
[5] For more information about biometrics, see GAO, Technology
Assessment: Using Biometrics for Border Security, GAO-03-174
(Washington, D.C.: Nov. 15, 2002).
[6] A public key infrastructure is a system of computers, software, and
data that relies on certain cryptographic techniques for some aspects
of security. For more information, see GAO, Information Security:
Advances and Remaining Challenges to Adoption of Public Key
Infrastructure Technology, GAO-01-277 (Washington, D.C.: Feb. 26,
2001).
[7] NIST, Government Smart Card Interoperability Specification, Version
2.1, Interagency Report 6887 (July 2003).
[8] "Completed" projects involved applications that were never intended
to be permanent, such as smart cards to be used at the 2001
Presidential transition.
[9] The information in our previous report was based primarily on data
collected by OMB and GSA. In contrast, for the current review, we
conducted an independent survey of 24 major federal departments and
agencies.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
