Time is running out for U.S. federal agencies to comply with a 2004 presidential directive calling for governmentwide adoption of smart cards to authenticate employees for access to buildings and IT systems.

As of Monday, all major agencies are required to submit implementation plans to the White House Office of Management and Budget that describe how they intend to meet the smart-card requirements outlined in Federal Information Processing Standard 201.

Under the two-step plan, agencies have until Oct. 27 to implement the first phase of FIPS-201, which involves developing new processes for verifying the identities of employees, registering them and issuing ID cards. The deadline for the second phase, when agencies will actually start issuing the smart cards, is October 2006.

The requirements stem from a directive that calls for electronic identity cards to be issued to all federal employees and contractors as part of a bid to better secure access to government facilities and IT systems. The cards must support two-factor authentication via digital certificates, a password or personal identification number, and biometric identifiers. They also are expected to be interoperable across all federal agencies.

The effort required for most agencies to conform to the mandates makes meeting the two October deadlines "very challenging," said John Moore, chairman of the Federal Smart Card Project Managers Group and director of the Office of Governmentwide Policy at the General Services Administration in Washington.

"Both of these are very ambitious targets," Moore said. "It"s a rather unique project in that it affects all federal employees and contractors, so it requires an unusual amount of coordination among agencies."

Because the Personal Identity Verification (PIV) cards will control access to both physical and IT assets, IT departments within agencies have to work with their counterparts on the physical security side, as well as with badging and access-control staffers and human resources personnel, Moore said.

There are some significant technical issues as well.

The PIV cards will be based on a new specification developed by the National Institute of Standards and Technology. The specification is designed to make the smart cards more interoperable than existing ones, said Curt Barker, NIST"s FIPS-201 program manager.

But the change means that several agencies already using smart cards based on an older standard will have to move to the new one, Barker said. For instance, the U.S. Department of Defense has rolled out more than 4 million of the previous-generation cards.

Although Barker said the transition is intended to be "evolutionary," he noted that agencies such as the DOD could find things "a bit more complex" than agencies that are implementing smart-card technology for the first time.

Some of the technical details of the smart cards themselves are still in draft form, said Neville Pattison, director of technology and government affairs at Axalto Inc., a smart-card manufacturer in Austin.

For example, Pattison and Barker both said NIST has yet to decide whether the cards should support full biometric images or smaller ones that use fewer data points for matching fingerprints and other physical characteristics.

Large-scale manufacturing of PIV cards is unlikely to happen before the second half of next year, said Pattison, who was on a team that acted as a liaison between agencies and technology vendors.