Analysis: Physical/Logical Security Convergence: Page 5 of 30

These requirements include the use of a dual-interface contact and contactless smartcard to store X.509 certificates and other identifying information in specific formats. The card is part of a three-factor authentication process that also includes a user-known PIN and biometric credentials stored on the card. NIST dictates the type and placement of information printed on the card and the ID-verification process (such as background checks) to be performed prior to card issuance.

The FIPS 201 program was given an aggressive deadline ending late last month. To meet that deadline, a federal organization must be capable of issuing FIPS 201-compatible ID cards. Mind you, they don't have to actually use the cards--in fact, the details of how the cards should be used are reserved for a forthcoming NIST standard.

We feel the government is taking a leap of faith, considering that much of the technology required for compliance hasn't been significantly vetted in a large infrastructure. And FIPS 201 won't have direct applicability to nonfederal convergence projects, at least for the immediate future. Don't expect to run out and purchase a FIPS 201-compliant system for your private-sector organization.

So how's it going? We've seen lots of contradictory reports, no hard stats. But there was one common thread with everyone we spoke to: If HSPD-12 wasn't ambitious, it would never have gotten off the ground. It remains to be seen whether the project will fly or crash to earth under the sheer weight of bureaucracy. But we give the government credit for pushing this through in a hard-core way.