US Government-Approved Smart Card Suppliers
Copyright 2016, Faulkner Information Services. All Rights Reserved.
Docid: 00011491
Publication Date: 1611
Report Type: MARKET
Preview
Smart card technology took center stage for US Homeland Security initiatives when the US National Institute for Standards and Technology (NIST) unveiled Federal Information Processing Standards Publication (FIPS Pub) 201. FIPS 201 articulates minimum requirements for the Federal personal identification verification system. Smart cards are at the heart of the FIPS 201 implementation strategy for issuing secure, tamper-proof Federal employee ID badges.
Report Contents:
- Executive Summary
- Market Dynamics
- Market Leaders
- Market Trends
- Strategic Planning Implications
- Web Links
Executive Summary
Popular for more than a decade in Asia and Europe, smart card technology is mature, reliable, and diverse.
Smart card technology took center stage for US Homeland Security initiatives when the US National Institute for Standards and Technology (NIST) unveiled Federal Information Processing Standards Publication (FIPS Pub) 201. FIPS 201 articulates minimum requirements for the Federal personal identification verification (PIV) system. Smart cards are at the heart of the FIPS 201 implementation strategy for issuing secure, tamper-proof Federal employee ID badges.
Smart cards provide unique advantages, both to government and enterprises. The cards are fraud-, tamper-, and counterfeit-proof; high-end cards have embedded intelligence and can host multiple, secure applications; contactless cards can be read from a distance of 1.5 to 3 inches, meaning they can be used without being removed from the owner's wallet; and, using stored biometrics and on-board encryption of user keys, passwords, and certificates, they can be employed to harden physical and logical assets against the most determined and sophisticated hacks. A variety of proprietary vertical smart card solutions are in use worldwide, and are proven, enterprise-ready systems. Custom application development frameworks are also broadly available, with open source and proprietary developer communities engaged in delivering line-of-business smart card systems for identity management, access control, healthcare automation, finance, transit fare collection, and other applications.
Perhaps the most important thing for enterprise decision makers to understand about this technology is that smart card solutions can be quickly and effectively implemented as a thin veneer over existing systems, dramatically hardening potential targets, without disturbing production systems.
Market Dynamics
On August 27, 2004, President George W. Bush issued Homeland Security
Presidential Directive 12 (HSPD-12): "Policy for a Common Identification
Standard for Federal Employees and Contractors." An outgrowth of 9/11, the
purpose of HSPD-12 was to address the "wide variations in the quality and
security of identification used to gain access to secure facilities where there
is potential for terrorist attacks."
The Department of Commerce and National Institute of Standards and Technology (NIST) were tasked with producing a standard for "secure and reliable forms of identification." In response, NIST published Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, issued on February 25, 2005.
Today, there are three types of smart cards used for Federal identity management:
- The Personal Identity Verification (PIV) card for civilian government workers.
- The Common Access Card (CAC) for military personnel.
- The Personal Identity Verification – Interoperable (PIV-I) card for trusted non-government workers.
The Lure of Smart Cards
Unlike many technologies, smart cards offer great benefits at little risk and fairly low cost – a "disruptive" technology, but without the disruption. Except for the miniaturization element, there is nothing unique about the smart card computing model. Smart cards are simply very small computing platforms that function either online or offline. Also, smart card technology is ubiquitous; virtually every enterprise-scale software, hardware, and tools vendor worldwide has integrated smart cards into its product strategy.
US Smart Card Applications
Large-scale US Government-mandated smart card solutions include:
- The US ePassport, issued by the Department of State.
- The Transportation Worker Identification Credential (TWIC), issued by the
Transportation Security Administration.
Market Leaders
The FIPS 201 Approved Products List (APL), which is administered by the FIPS
201 Evaluation Program, lists those products and services that are in compliance
with the current version of the FIPS 201 standard and its supporting
publications. While the list is dynamic, at present, there are 30 approved PIV Cards. (Please see Table 1.) Two vendors in particular
are well represented on the list and, therefore, represent the de facto market
leaders among US Government-approved smart card providers. These vendors
are Gemalto and Oberthur Technologies.
Gemalto
Gemalto offers a variety of secure eID cards with a range of professional solutions, which can be delivered as individual systems or using a managed service option.
Gemalto is contributing to 40 national eID programs: in Europe (Belgium, Czech Republic, Finland, Sweden, Portugal, Lithuania), in the Middle East (Qatar, Oman, UAE, Bahrain, and Saudi Arabia), and in other areas.
Oberthur Technologies
Oberthur Technologies is a global leader in the delivery of high-security
solutions and the top provider of Personal Identification & Verification (PIV)
smart cards to the US Federal government.
Table 1. FIPS 201 Approved Products List: PIV Cards

| Product Name | Supplier | Valid Date |
|---|---|---|
| Entrust IdentityGuard PIV Credentia | Entrust, Inc. | 10/18/2013 |
| pivCLASS smart card v1.0 | HID Global | 11/15/2012 |
| IDCore 3020 v1, 128k dual-interface with | Gemalto | 10/24/2013 |
| (Protiva PIV) IDPrime PIV Card v1.55 (128K v2 | Gemalto | 10/24/2013 |
| (Protiva PIV) IDPrime PIV Card v1.55 (128K v2 | Gemalto | 10/24/2013 |
| (Protiva PIV) IDPrime PIV Card v1.55 (72K v1 | Gemalto | 10/24/2013 |
| (Protiva PIV) IDPrime PIV Card v1.55 (72K v2 | Gemalto | 10/24/2013 |
| (Protiva PIV) IDPrime PIV Card v1.55 (72K v1 | Gemalto | 10/24/2013 |
| (Protiva PIV) IDPrime PIV Card v2.0 (128K v2 | Gemalto | 10/24/2013 |
| (Protiva PIV) IDPrime PIV Card v2.0 (128K v2 | Gemalto | 10/24/2013 |
| ID-One PIV v 2.3.5 on Cosmo V8 | Oberthur Technologies | 06/17/2015 |
| ID-One PIV v 2.3.5 on Cosmo V8 (High Speed) | Oberthur Technologies | 06/17/2015 |
| SafesITe PIV TPC DM | Gemalto | 10/16/2008 |
| Gemalto TOP DM with ActivIdentity Digital Identity | Gemalto | 03/16/2009 |
| TecSec Eagle Card | TecSec Incorporated | 05/19/2009 |
| Gemalto TOP DL with ActivIdentity Digital Identity | Gemalto | 05/25/2011 |
| G&D StarSign(R) Sm@rtCafe(R) Expert 80K with PIV | Giesecke & Devrient | 08/30/2010 |
| G&D StarSign(R) Sm@rtCafe(R) Expert 144K with PIV | Giesecke & Devrient | 10/05/2010 |
| SafesITe FIPS 201 w/ HID Prox Card | Gemalto | 05/25/2011 |
| ID-One PIV (Type A) Large D | Oberthur Technologies | 12/07/2011 |
| SafesITe FIPS 201 w/ HID Prox Card | Gemalto | 07/24/2011 |
| Protiva PIV v1.55 on TOP DL | Gemalto | 07/24/2011 |
| Protiva PIV v1.55 on TOP DM | Gemalto | 07/24/2011 |
| Protiva PIV v1.55 on TOP WM | Gemalto | 07/24/2011 |
| ID-One PIV (Type A) Standard D | Oberthur Technologies | 12/07/2011 |
| ID-One PIV (Type A) Large D Hybrid 125 | Oberthur Technologies | 09/08/2011 |
| ID-One PIV (Type A) Standard D Hybrid 125 | Oberthur Technologies | 09/08/2011 |
| ID-One PIV (Type A) Large D Hybrid 125 G | Oberthur Technologies | 09/08/2011 |
| Protiva PIV v1.55 using TOP DL v2 | Gemalto | 04/23/2012 |
| Protiva PIV v1.55 using TOP WL v2 | Gemalto | 04/23/2012 |
Market Trends
PIV Interoperability for Non-Federal Card Issuers
As PIV initiatives progress, they are garnering a great deal of interest from parties
external to the Federal Government. These non-Federal organizations want to
issue identity cards that are:
- Technically interoperable with Federal Government PIV systems.
- Issued in a manner that allows Federal Government relying parties to trust the cards.
Unfortunately, the Federal PIV card standard (FIPS 201) is limited in scope to the Federal Government and has several requirements that can be addressed only by the Federal Government community.
To assist non-Federal issuers of identity cards in achieving
interoperability with Federal Government PIV systems, in May 2009, the Federal
CIO Council issued guidance to non-Federal card issuers via a document entitled
"Personal Identity Verification Interoperability For Non-Federal Issuers."
Version 1.1 of the guide was issued in July 2010.
FIPS 201-2
A new version of the FIPS 201 document (FIPS 201-2) was issued in August 2013 by the US National Institute of Standards and Technology (NIST).[1] This new standard mandates the implementation of some PIV Card features that were optional in FIPS 201-1.
Among other new features, the FIPS 201-2 standard:
- Makes the facial image data element on the PIV Card mandatory, allowing a FIPS 201-2 PIV Card to be used for identification at guard checkpoints, and for automatic comparison when reissuing an individual's credentials.[2]
- Adds an option to collect and store iris biometric data on the PIV Card.
- Introduces the concept of a "chain-of-trust", which is optionally maintained by a PIV Card issuer. The chain-of-trust allows the holder of a PIV Card to obtain a replacement for a compromised, lost, stolen, or damaged PIV Card through biometric authentication.
- Changes the maximum life of a PIV Card from 5 years to 6 years.
- Adds an optional on-card biometric comparison as a means of performing card activation, and as a PIV authentication mechanism.
Strategic Planning Implications
Smart cards provide a convenient, affordable, and robust means to protect public- and private-sector data and facilities. Smart cards offer:
- Secure Logon – Protecting access to computer systems and data within facilities typically relies on user passwords, group membership, and a complex hierarchy of administrator permissions. Passwords are the weak link, and in large organizations can never be assumed to be completely uncompromised. Two-factor or biometric identification at logon defeats password hackers.
- Remote Authentication – Remote users can compromise the most meticulously structured data security by logging on over networks (e.g. the web, public wireless hotspots, etc.) that allow their passwords to be transmitted as clear text. Remote smart card logon allows users' ID, password, and certificates to be stored in encrypted format on the card, and never transmitted.
- Offline Functionality – High-end cards feature embedded functionality that allows them to participate in computing applications without a live network connection. The cards can store results, data, and logs of their activity for later download.
- Strong Encryption – High-security cards support RSA and PKI encryption standards. This makes them very difficult to hack and prevents card holders from surreptitiously downloading enterprise data to unauthorized systems.
- Auditability – Biometric-enabled smart card access control systems create unimpeachable records of access to physical and logical enterprise assets by specific individuals. The certainty of detection is the best possible deterrent to unauthorized access.
- Protection Against Loss, Theft, and Fraud – Because smart cards contain embedded intelligence, they can be programmed to lock down or wipe themselves of data if used improperly or reported missing.
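The "Secure Logon" and "Remote Authentication" points above rest on one mechanism: the card holds a private key and only ever emits signatures, so a network observer sees a random challenge and a signature rather than a reusable password. The following is an added illustration written for this report, not code from the report or from any vendor listed here. It models a card-based challenge-response logon with textbook RSA over two fixed, constructed primes so that it runs on the Python standard library alone; the `SmartCard`, `RelyingParty`, and `run_logon` names are the example's own, and the toy key stands in for the card's RSA/PKI support rather than being a production signing scheme. It also shows the two checks a relying party must make for the property to hold: rejecting a replayed transcript and rejecting a signature that does not verify under the card's public key.

```python
"""Challenge-response logon with the signing key held on the card.

Added illustration (not from the report): the relying party sends a random
nonce; the card signs it with a private key that never leaves the card; the
relying party verifies the signature with the public key it obtained from the
card's certificate. Only the nonce and the signature cross the network.

Textbook RSA with small, fixed primes keeps the block standard-library only.
It stands in for the card's RSA/PKI support and is not a production scheme.
"""
import hashlib
import secrets

# Constructed key material: two known primes and the usual public exponent.
_P = 1000000007
_Q = 998244353
_E = 65537


def _keypair():
    """Return ((n, e), (n, d)) for the constructed primes."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)  # modular inverse (Python 3.8+); gcd(e, phi) == 1 here
    return (n, _E), (n, d)


def _digest_mod_n(data: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class SmartCard:
    """Holds the private key; the only operation it exposes is sign()."""

    def __init__(self, private_key):
        self._n, self._d = private_key

    def sign(self, challenge: bytes) -> int:
        return pow(_digest_mod_n(challenge, self._n), self._d, self._n)


class RelyingParty:
    """Knows the public key (from the card certificate) and remembers used nonces."""

    def __init__(self, public_key):
        self._n, self._e = public_key
        self._used = set()

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, signature: int) -> bool:
        if challenge in self._used:  # a captured transcript played back again
            return False
        ok = pow(signature, self._e, self._n) == _digest_mod_n(challenge, self._n)
        if ok:
            self._used.add(challenge)
        return ok


def run_logon(card: SmartCard, rp: RelyingParty) -> dict:
    """One logon exchange; returns exactly what crossed the wire plus the verdict."""
    nonce = rp.challenge()
    sig = card.sign(nonce)
    return {"nonce": nonce, "signature": sig, "accepted": rp.verify(nonce, sig)}


def demo() -> dict:
    """Fresh logon succeeds; replay and a tampered signature are both refused."""
    pub, priv = _keypair()
    card, rp = SmartCard(priv), RelyingParty(pub)
    first = run_logon(card, rp)
    replay_ok = rp.verify(first["nonce"], first["signature"])
    tampered_ok = rp.verify(rp.challenge(), first["signature"] ^ 1)
    return {
        "accepted": first["accepted"],
        "replay_rejected": not replay_ok,
        "tamper_rejected": not tampered_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The point the report makes is visible in `run_logon`: the transcript dictionary holds a nonce and a signature and nothing that would let a reader of the wire log on later, which is what "never transmitted" means in practice. A real deployment would additionally check the card certificate's chain and revocation status before trusting the public key, which this toy omits.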
Looking Ahead
Unlike many breakthrough technologies, initiating small-scale, incremental, enterprise proof-of-concept programs for smart card applications can be both low cost and low risk. If you are an enterprise IT decision maker, you should at the very least consider pilot projects involving the following smart card applications:
- Biometric access control and monitoring for computer rooms, network facilities, and offline data storage areas.
- Biometric authentication before users are allowed to log in as system administrators, network administrators, or database administrators.
- Use of encrypted smart cards to store data on all mobile computing devices.
- Development or use of smart card applications which lock down or wipe devices known to be lost, stolen, or involved in fraudulent transactions.
NSTIC
The National Strategy for Trusted Identities in
Cyberspace (NSTIC) is a White House initiative to work collaboratively with the
private sector, advocacy groups, public sector agencies, and other organizations
to improve the privacy, security, and convenience of sensitive online
transactions. The Strategy calls for the development of interoperable
technology standards and policies – an
"Identity Ecosystem" – where individuals, organizations, and underlying
infrastructure can be authoritatively authenticated.
Establishment of an Identity Ecosystem would
allow individuals to validate their identities securely when they’re doing
sensitive transactions (like banking or viewing health records) and let them
stay anonymous when they’re not (like blogging or surfing the Web). The
Identity Ecosystem would protect the privacy of individuals by reducing the need
for individuals to share personally identifiable information (PII) in order to
identify themselves at multiple web sites and by establishing consistent
policies about how organizations use and manage PII in the Identity Ecosystem.
Smart cards – and smart card technology – should figure prominently in The
Identity Ecosystem.
References
- [1] FIPS PUB 201-2: "Personal Identity Verification (PIV) of Federal Employees and Contractors." US National Institute of Standards and Technology. August 2013: 75-76.
- [2] Zack Martin. "NIST releases FIPS 201-2." AVISIAN Publishing. September 5, 2013.
Web Links
- Gemalto: http://www.gemalto.com/
- Oberthur Technologies: http://www.oberthur.com/
- Smart Card Alliance: http://www.smartcardalliance.com/
- US National Institute of Standards and Technology: http://www.nist.gov/
About the Author
James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
"Who’s Who in Finance and Industry," Mr. Barr has designed,
developed, and deployed business continuity plans for a number of Fortune 500
firms. He is the author of several books, including How to Succeed in
Business BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices. Mr.
Barr can be reached via e-mail at jgbarr@faulkner.com.