US Government-Approved Smart Card Suppliers

by James G. Barr

Docid: 00011491

Publication Date: 1611

Report Type: MARKET

Preview

Smart card technology took center stage for US Homeland Security initiatives when the US National Institute for Standards and Technology (NIST) unveiled Federal Information Processing Standards Publication (FIPS Pub) 201. FIPS 201 articulates minimum requirements for the Federal personal identification verification system. Smart cards are at the heart of the FIPS 201 implementation strategy for issuing secure, tamper proof Federal employee ID badges.


Executive Summary


Popular for more than a decade in Asia and Europe, smart card technology is mature, reliable, and diverse.

Smart card technology took center stage for US Homeland Security initiatives when the US National Institute for Standards and Technology (NIST) unveiled Federal Information Processing Standards Publication (FIPS Pub) 201. FIPS 201 articulates minimum requirements for the Federal personal identification verification (PIV) system. Smart cards are at the heart of the FIPS 201 implementation strategy for issuing secure, tamper-proof Federal employee ID badges.

Smart cards provide unique advantages to both government and enterprises. The cards are fraud-, tamper-, and counterfeit-proof; high-end cards have embedded intelligence and can host multiple secure applications; contactless cards can be read from a distance of 1.5-3 inches, meaning they can be used without being removed from the owner’s wallet; and, using stored biometrics and on-board encryption of user keys, passwords, and certificates, they can be employed to harden physical and logical assets against the most determined and sophisticated hacks. A variety of proprietary vertical smart card solutions are in use worldwide and are proven, enterprise-ready systems. Custom application development frameworks are also broadly available, with open source and proprietary developer communities engaged in delivering line-of-business smart card systems for identity management, access control, healthcare automation, finance, transit fare collection, and other applications.

Perhaps the most
important thing for enterprise decision makers to understand about this
technology is that smart card solutions can be quickly and effectively
implemented as a thin veneer over existing systems, dramatically hardening
potential targets, without disturbing production systems.

Market Dynamics


On August 27, 2004, President George W. Bush issued Homeland Security
Presidential Directive 12 (HSPD-12): "Policy for a Common Identification
Standard for Federal Employees and Contractors." An outgrowth of 9/11, the
purpose of HSPD-12 was to address the "wide variations in the quality and
security of identification used to gain access to secure facilities where there
is potential for terrorist attacks."

The Department of Commerce and National Institute of Standards and Technology (NIST) were tasked with producing a standard for "secure and reliable forms of identification." In response, NIST published Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, issued on February 25, 2005.

Today, there are three types of smart cards used for Federal identity management:

  1. The Personal Identity Verification (PIV) card for civilian government
    workers.
  2. The Common Access Card (CAC) for military personnel.
  3. The Personal Identity Verification – Interoperable (PIV-I) card for
    trusted non-government workers.

The Lure of Smart Cards

Unlike many technologies, smart cards offer great benefits at little risk and fairly low cost – a "disruptive" technology, but without the disruption. Except for the miniaturization element, there is nothing unique about the smart card computing model. Smart cards are simply very small computing platforms that function both online and offline. Also, smart card technology is ubiquitous; virtually every enterprise-scale software, hardware, and tools vendor worldwide has integrated smart cards into its product strategies.

US Smart Card Applications

Large-scale US Government-mandated smart card solutions include:

  • The US ePassport, issued by the Department of State.
  • The Transportation Worker Identification Credential (TWIC), issued by the
    Transportation Security Administration.

Market Leaders


The FIPS 201 Approved Products List (APL), which is administered by the FIPS
201 Evaluation Program, lists those products and services that are in compliance
with the current version of the FIPS 201 standard and its supporting
publications. While the list is dynamic, at present, there are 30 approved PIV Cards. (Please see Table 1.) Two vendors in particular
are well represented on the list and, therefore, represent the de facto market
leaders among US Government-approved smart card providers. These vendors
are Gemalto and Oberthur Technologies.

Gemalto

Gemalto offers a variety of secure eID cards with a range of professional
solutions, which can be delivered as individual systems or using a managed
service option.

Gemalto is contributing to 40 national eID programs: in Europe (Belgium, Czech Republic, Finland, Sweden, Portugal, Lithuania), in the Middle East (Qatar, Oman, UAE, Bahrain, and Saudi Arabia), and in other areas.

Oberthur Technologies

Oberthur Technologies is a global leader in the delivery of high-security
solutions and the top provider of Personal Identification & Verification (PIV)
smart cards to the US Federal government.

Table 1. Extract from FIPS 201 Evaluation Program Approved Products List – PIV Cards – November 16, 2016

Product Name | Supplier | Valid Date
--- | --- | ---
Entrust IdentityGuard PIV Credentia | Entrust, Inc. | 10/18/2013
pivCLASS smart card v1.0 | HID Global | 11/15/2012
IDCore 3020 v1, 128k dual-interface with ActivIdentity Digital Identity Applet Suite | Gemalto | 10/24/2013
(Protiva PIV) IDPrime PIV Card v1.55 (128K v2 tri-interface) | Gemalto | 10/24/2013
(Protiva PIV) IDPrime PIV Card v1.55 (128K v2 dual-interface) | Gemalto | 10/24/2013
(Protiva PIV) IDPrime PIV Card v1.55 (72K v1 dual-interface) | Gemalto | 10/24/2013
(Protiva PIV) IDPrime PIV Card v1.55 (72K v2 tri-interface) | Gemalto | 10/24/2013
(Protiva PIV) IDPrime PIV Card v1.55 (72K v1 dual-interface) | Gemalto | 10/24/2013
(Protiva PIV) IDPrime PIV Card v2.0 (128K v2 dual-interface) | Gemalto | 10/24/2013
(Protiva PIV) IDPrime PIV Card v2.0 (128K v2 tri-interface) | Gemalto | 10/24/2013
ID-One PIV v 2.3.5 on Cosmo V8 | Oberthur Technologies | 06/17/2015
ID-One PIV v 2.3.5 on Cosmo V8 (High Speed) | Oberthur Technologies | 06/17/2015
SafesITe PIV TPC DM | Gemalto | 10/16/2008
Gemalto TOP DM with ActivIdentity Digital Identity Applet Suite | Gemalto | 03/16/2009
TecSec Eagle Card | TecSec Incorporated | 05/19/2009
Gemalto TOP DL with ActivIdentity Digital Identity Applet Suite | Gemalto | 05/25/2011
G&D StarSign(R) Sm@rtCafe(R) Expert 80K with PIV Applet | Giesecke & Devrient | 08/30/2010
G&D StarSign(R) Sm@rtCafe(R) Expert 144K with PIV Applet | Giesecke & Devrient | 10/05/2010
SafesITe FIPS 201 w/ HID Prox Card | Gemalto | 05/25/2011
ID-One PIV (Type A) Large D | Oberthur Technologies | 12/07/2011
SafesITe FIPS 201 w/ HID Prox Card | Gemalto | 07/24/2011
Protiva PIV v1.55 on TOP DL | Gemalto | 07/24/2011
Protiva PIV v1.55 on TOP DM | Gemalto | 07/24/2011
Protiva PIV v1.55 on TOP WM | Gemalto | 07/24/2011
ID-One PIV (Type A) Standard D | Oberthur Technologies | 12/07/2011
ID-One PIV (Type A) Large D Hybrid 125 | Oberthur Technologies | 09/08/2011
ID-One PIV (Type A) Standard D Hybrid 125 | Oberthur Technologies | 09/08/2011
ID-One PIV (Type A) Large D Hybrid 125 G | Oberthur Technologies | 09/08/2011
Protiva PIV v1.55 using TOP DL v2 | Gemalto | 04/23/2012
Provita PIV v1.55 using TOP WL v2 | Gemalto | 04/23/2012


PIV Interoperability for Non-Federal Card Issuers

As PIV initiatives progress, they are garnering a great deal of interest from parties
external to the Federal Government. These non-Federal organizations want to
issue identity cards that are:

  • Technically interoperable with Federal Government PIV systems.
  • Issued in a manner that allows Federal Government-relying parties to trust the cards.

Unfortunately, the Federal PIV card standard (FIPS 201) is limited in scope to the
Federal Government and has several requirements
that can be addressed only by the Federal Government community.

To assist non-Federal issuers of identity cards in achieving
interoperability with Federal Government PIV systems, in May 2009, the Federal
CIO Council issued guidance to non-Federal card issuers via a document entitled
"Personal Identity Verification Interoperability For Non-Federal Issuers."

Version 1.1 of the guide was issued in July 2010.

FIPS 201-2

A new version of the FIPS 201 document (FIPS 201-2) was issued in August 2013 by the US National Institute of Standards and Technology (NIST). [1] This new standard mandates the implementation of some PIV Card features that were optional in FIPS 201-1.

Among other new features, the FIPS 201-2 standard:

  • Makes the facial image data element on the PIV Card mandatory, allowing a FIPS 201-2 PIV Card to be used for identification at guard checkpoints, and for automatic comparison when reissuing an individual’s credentials. [2]
  • Adds an option to collect and store iris biometric data on the PIV Card.
  • Introduces the concept of a "chain-of-trust," which is optionally maintained by a PIV Card issuer. The chain-of-trust allows the holder of a PIV Card to obtain a replacement for a compromised, lost, stolen, or damaged PIV Card through biometric authentication.
  • Changes the maximum life of a PIV Card from 5 years to 6 years.
  • Adds an optional on-card biometric comparison as a means of performing card activation, and as a PIV authentication mechanism.

Strategic Planning Implications


Smart cards provide a convenient, affordable, and robust means to protect public- and private-sector data and facilities. Smart cards offer:

  • Secure Logon – Protecting access to computer systems and data within facilities typically relies on user passwords, group membership, and a complex hierarchy of administrator permissions. Passwords are the weak link, and in large organizations can never be assumed to be completely uncompromised. Two-factor or biometric identification at logon defeats password hackers.
  • Remote Authentication – Remote users can compromise the most meticulously structured data security by logging on over networks (e.g., the web, public wireless hotspots, etc.) that allow their passwords to be transmitted as clear text. Remote smart card logon allows users’ IDs, passwords, and certificates to be stored in encrypted format on the card and never transmitted.
  • Offline Functionality – High-end cards feature embedded functionality that allows them to participate in computing applications without a live network connection. The cards can store results, data, and logs of their activity for later download.
  • Strong Encryption – High-security cards support RSA and PKI encryption standards. This makes them very difficult to hack and prevents card holders from surreptitiously downloading enterprise data to unauthorized systems.
  • Auditability – Biometric-enabled smart card access control systems create unimpeachable records of access to physical and logical enterprise assets by specific individuals. The certainty of detection is the best possible deterrent to unauthorized access.
  • Protection Against Loss, Theft and Fraud – Because smart cards contain embedded intelligence, they can be programmed to lock down or wipe themselves of data if used improperly or reported missing.
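The secure-logon, remote-authentication and lock-down properties listed above can be made concrete with a small simulation. The Go program below is an added example written for this page; it is not part of the report and is not code from Gemalto, Oberthur Technologies or any other vendor. It assumes an RSA-2048 key with PKCS#1 v1.5 signatures and an assumed limit of three PIN attempts (real card policies vary). The "card" generates its key pair on-card, demands a PIN before it will sign, signs a fresh nonce issued by the relying party, and locks itself once the retry counter is exhausted; the relying party sees only the public key and a signature, never the PIN or private key, and a captured response does not verify against a later nonce.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Constructed simulation of a PIV-style card (not the report's material nor any
// vendor's product code): the private key is generated on the "card" and never
// exported; the relying party sees only a public key and a signature over a nonce.
const maxPINRetries = 3 // assumed value; real card policies vary

var (
	ErrCardLocked  = errors.New("card locked: PIN retry counter exhausted")
	ErrWrongPIN    = errors.New("wrong PIN")
	ErrPINRequired = errors.New("PIN must be verified before signing")
)

// SimCard models the secure element: key material, PIN state, retry counter.
type SimCard struct {
	priv     *rsa.PrivateKey
	pinHash  [32]byte
	retries  int
	unlocked bool // PIN verified, one signature permitted
	locked   bool
}

// NewSimCard personalises a card; the key pair is created inside the card.
func NewSimCard(pin string) (*SimCard, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SimCard{priv: key, pinHash: sha256.Sum256([]byte(pin)), retries: maxPINRetries}, nil
}

// VerifyPIN is the "something you know" factor; exhausting the counter locks the card.
func (c *SimCard) VerifyPIN(pin string) error {
	if c.locked {
		return ErrCardLocked
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) == 1 {
		c.retries, c.unlocked = maxPINRetries, true
		return nil
	}
	if c.retries--; c.retries <= 0 {
		c.locked = true
		return ErrCardLocked
	}
	return ErrWrongPIN
}

// PublicKey is the only key material that leaves the card (on a real PIV card it is carried in an X.509 certificate).
func (c *SimCard) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// SignChallenge is the "something you have" factor: the card signs the nonce with the key that never leaves it.
func (c *SimCard) SignChallenge(nonce []byte) ([]byte, error) {
	switch {
	case c.locked:
		return nil, ErrCardLocked
	case !c.unlocked:
		return nil, ErrPINRequired
	}
	c.unlocked = false // one signature per PIN verification (simplification of PIV PIN policy)
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, digest[:])
}

// Locked reports whether the retry counter has been exhausted.
func (c *SimCard) Locked() bool { return c.locked }

// NewNonce is the relying party's fresh challenge; freshness is what defeats replay.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// VerifyResponse is the relying-party check: the signature must cover exactly the nonce issued for this session.
func VerifyResponse(pub *rsa.PublicKey, nonce, sig []byte) bool {
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Authenticate runs one complete logon: PIN to card, nonce from relying party, signature back, verification.
func Authenticate(card *SimCard, pin string) (bool, error) {
	if err := card.VerifyPIN(pin); err != nil {
		return false, err
	}
	nonce := NewNonce()
	sig, err := card.SignChallenge(nonce)
	if err != nil {
		return false, err
	}
	return VerifyResponse(card.PublicKey(), nonce, sig), nil
}
```

Calling Authenticate(card, "123456") on a freshly personalised card returns true; three wrong PINs leave card.Locked() true and every later call, even with the correct PIN, returns ErrCardLocked. The relying party never needs to store or receive the PIN, which is the "never transmitted" property the Remote Authentication bullet describes.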

Looking Ahead

Unlike many breakthrough technologies, initiating small-scale, incremental, enterprise proof-of-concept programs for smart card applications can be both low cost and low risk. If you are an enterprise IT decision maker, you should at the very least consider pilot projects involving the following smart card applications:

  • Biometric access control and monitoring for computer rooms, network facilities, and offline data storage areas.
  • Biometric authentication before users are allowed to log in as system administrators, network administrators, or database administrators.
  • Use of encrypted smart cards to store data on all mobile computing devices.
  • Development or use of smart card applications which lock down or wipe devices known to be lost, stolen, or involved in fraudulent transactions.

NSTIC

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions. The Strategy calls for the development of interoperable technology standards and policies – an "Identity Ecosystem" – where individuals, organizations, and underlying infrastructure can be authoritatively authenticated.

Establishment of an Identity Ecosystem would
allow individuals to validate their identities securely when they’re doing
sensitive transactions (like banking or viewing health records) and let them
stay anonymous when they’re not (like blogging or surfing the Web). The
Identity Ecosystem would protect the privacy of individuals by reducing the need
for individuals to share personally identifiable information (PII) in order to
identify themselves at multiple web sites and by establishing consistent
policies about how organizations use and manage PII in the Identity Ecosystem.
Smart cards – and smart card technology – should figure prominently in The
Identity Ecosystem.


About the Author


James G. Barr is a leading business continuity analyst and business writer with more than 30 years’ IT experience. A member of "Who’s Who in Finance and Industry," Mr. Barr has designed, developed, and deployed business continuity plans for a number of Fortune 500 firms. He is the author of several books, including How to Succeed in Business BY Really Trying, a member of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s Security Management Practices. Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.
