Government Smart-Cards - an oxymoron?

Government Smart-Card Project Hits Snags on Fingerprints, Costs By Stephen Barr The government's smart-card project appears at risk of falling behind schedule.

Federal agencies are supposed to begin issuing government-wide identification cards that can vouch for the identity of federal employees and most contractors in October, but the Government Accountability Office warns that setting up and testing new ID systems may not be completed within deadlines set by the Bush administration. [Washington Post]

I am going to go out on a limb here and ask a question. Who finds this surprising? If you do not live in the Washington, DC area, or interact with the Federal government more than to file your taxes, I suppose that you probably do not even know there is a move afoot to standardize the credentialing process for federal IDs. In fact, I would be willing to bet that you do not know there is no such thing as a standard federal ID. With the exception of law enforcement officials and perhaps the military, I would be willing to bet that there is no standard ID for most cabinet level departments. I say this having worked in more than a half-a-dozen. What is the ID in Washington, say a green card with a picture and the department logo, might be a red card in New York and a blue card in California, for the same department with a different logo and layout.

Homeland Security Presidential Directive 12 (HSPD-12) was supposed to change all that. The (admirable) goal was to define a standard ID that would stand up to the provisions of the Real ID statute and have some other goodies, like biometric information and be transferable among the various agencies. So if you worked for State and decided to transfer to Interior, you would not have to be reissued an ID card, a process that could sometimes take weeks, depending on who you worked for. It was also meant to make it easier for contractors to move between departments, or a least cut down on the lai of ID cards they had to wear on any given day.

HSPD-12 also requires a background check for all federal employees, contractors and everyone else who might darken the door of a federal building.

Those of us with any experience in these matters simply snorted, shook our heads and went back to work. Why? For exactly the reasons that Mr. Barr highlights in his article. Let me point out a few:

• Six agencies were reviewed by the GAO. This should send up warning bells right away. Different implementation plans were in place at each agency. This comes as no surprise - really. While guidelines have been established (sort of) for implementation, the actual implementation was left up to the agency and as everyone in DC knows, no two agencies implement anything the same way, even when explicitly directed to do so.

• GAO discovered a lack of reliable information about card cost, equipment cost and software modification costs. All this assumes that the agencies have even bothered to try and start the process and did not just hand over the swag budget numbers.

• The move to smart cards was initiated in August 2004. Full deployment was to begin by October 27 of this year. The Department of Defense alone indicates in will issues some 3.7 million cards to its employees, contractors and dependents. It does not take a mathematician, an accountant and a network engineer to tell you that this is impossible.
  
  

• All background checks on employees and contractors are to be complete by 2007. There are not enough investigators in the federal system to do background checks on all the new employees and contractors coming into the system by 2007, let alone the existing federal workforce and support staffs.

• Snags have developed, particularly in the fingerprint area. The cards are to carry two finger prints for employees, and as many as all 10 for contractors. Agencies are balking because of the system requirements to capture, process and store that sort of data. What they are really balking at in many cases is the costs of upgrading their sub-standard computing infrastructures to handle the work load. Most agencies are still two to three operating systems behind the mainstream. So, if the current desktop platform is Windows XP SP2, most agencies are somewhere between Windows NT and Windows 2000. Finger print processing takes a very beefy machine. The GAO reports that it can take up to 30 seconds to read the finger prints causing an unacceptable delay in admitting people to the building. This is also not a surprise. In the post-September 11th world, most federal buildings only have one entrance and two guard stations. If the process of access is automated, you would have a queue out the door and around the corner if it takes more than a second to admit you through the turnstiles at the beginning of the work day. And the Federal government is still one of the last bastions of the nine-to-five work mentality. Finally, we have the issue of proprietary software for storing and reading the finger prints. If the goal was to make the ID usable across agencies, this issue almost dooms the project before it starts.

• Finally, there are the costs associated with converting ID systems. As I mentioned, processing fingerprints takes a beefy machine. Most agencies do not have more than a cursory visual inspection of the ID card today. To have to go through a finger print verification process means, in many cases, that the equipment to do all of that has to be procured. This procurement has to take place in a day when the federal deficit is skyrocketing and the federal departmental budgets are being slashed to the point where keeping the lights on is about all most agencies can manage. And you better have a coat in the winter time, because in some cases, it is either lights or heat and not both.

As much as I applaud the general ideas behind HSPD-12, I find that the problems with it are no surprise. Neither, quite frankly, should the GAO. And that is only one of the problems.