The sheer size of the IT deployment requires an outsourcing strategy, said Prabhat Agarwal, an information security consultant at Input Inc., a Reston, Va.-based firm that focuses on government procurement issues.

"You are talking about a massive approach that touches all agencies," Agarwal said. "Because of the scale of this venture, it is almost automatic that [the government] would go to the private sector."

The GSA didn't respond to a request for comment on its plans last week. But according to the documents posted on its portal, the agency is looking at a shared-services model under which multiple agencies would use a common infrastructure to issue and manage smart cards to their employees.

Each agency would be responsible for conducting background checks and determining the eligibility of employees to receive one of the Personal Identity Verification (PIV) smart cards. Outsourcers would manage the IT infrastructure and the process of issuing and managing cards.

Outsourcing the smart-card systems is a good idea, but the work should be divided among multiple vendors, said Alan Paller, director of research at the SANS Institute, a security research and training firm in Bethesda, Md. He added that encouraging competition among vendors should provide service delivery benefits.