Time is running out for federal agencies to comply with a 2004 U.S. presidential directive calling for governmentwide adoption of smart cards to authenticate employees for access to buildings and IT systems starting late next year.

By Monday, all major federal agencies are required to submit detailed implementation plans to the White House Office of Management and Budget that describe how they plan to meet the smart-card requirements outlined in Federal Information Processing Standard (FIPS) 201.

Under the two-step plan, agencies have until Oct. 27 to implement the first phase of FIPS-201, which involves developing new processes for verifying the identities of employees, registering them and issuing ID cards. The deadline for the second phase, when agencies will actually start issuing the new smart cards, is October 2006.

The requirements stem from Homeland Security Presidential Directive 12, which calls for electronic identity cards to be issued to all federal employees and contractors as part of a bid to better secure access to government facilities and information systems. The cards must support two-factor authentication via digital certificates, a password or personal identification number, and biometric identifiers. They also are expected to be interoperable across all federal agencies.

The effort required for most agencies to conform to the mandates makes meeting both October deadlines "very challenging," said John Moore, chairman of the Federal Smart Card Project Managers Group and director of the Office of Governmentwide Policy at the General Services Administration in Washington.

"Both of these are very ambitious targets," Moore said. "It"s a rather unique project in that it affects all federal employees and contractors, so it requires an unusual amount of coordination among agencies."

For instance, the Personal Identity Verification (PIV) smart cards will control access to both physical and IT assets. As a result, the project requires IT departments within agencies to work with their counterparts on the physical security side, as well as with badging and access-control staffers and human resources personnel, Moore said.

There are also some significant technical issues.

The PIV cards will be based on a new specification developed by the National Institute of Standards and Technology (NIST). The specification is designed to make the smart cards more interoperable than existing ones based on older guidelines, said Curt Barker, NIST"s FIPS-201 program manager.

But the change means that several agencies already using smart cards will have to move to new ones, Barker said. For instance, the U.S. Department of Defense has already rolled out more than 4 million of the previous-generation cards.

Although Barker said the transition is intended to be "evolutionary," he said agencies such as the DOD could find things "a bit more complex" than agencies implementing smart-card technology for the first time.

Some of the technical details of the smart cards themselves are still in draft form, said Neville Pattison, director of technology and government affairs at Axalto Inc., a smart-card manufacturer in Austin. One example relates to the use of biometric identifiers. Pattison and Barker both said NIST has yet to decide whether the cards should support full images or smaller ones that use fewer data points for matching fingerprints and other physical characteristics.

As a result of that and other issues, large-scale manufacturing of PIV cards is unlikely to happen before the second half of next year, said Pattison, who was on a team that acted as a liaison between federal agencies and technology vendors on the project.