Changing Rules, Standards Slow NASA Smart Card Effort

In the midst of the panel discussion, NASA deputy CIO Scott Santiago forgoes the slide show he is supposed to give about the presidential homeland security directive. Instead, he tells us a story, one that starts well before the terrorism-inspired rush to tighten federal information and physical security.

“You see, I had the joy of implementing NASA’s public key infrastructure,” he says. “If I had to do it over again, I’d just shoot myself first.”

PKI, as the technology is known for short, is the cryptographic system that has become mainstream for tasks like protecting credit card transactions on the Web. But more ambitious uses of the technology, such as issuing PKI-based digital certificates to individuals and storing those credentials on smart cards that users can carry around with them, are still cutting edge.

NASA was an early adopter of PKI in the second half of the 1990s, and later, during acting CIO Paul Strassmann’s tenure, made bold commitments to implement smart cards for both building and computer access. The smart-card project has been moving forward in fits and starts ever since, partly frustrated by changing standards.

Ideally, smart cards could help provide more certain identification of computer users than a user name and password alone. So far, however, PKI technology is mostly used within NASA to encrypt and digitally sign e-mail, Santiago says.

Now the presidential security directive, which regulators have translated into a requirement for smart-card security badges for federal employees, is forcing the issue.

Even so, Santiago is wary because so far no smart-card vendor is shipping a product that conforms to the federal identification card standards laid down by the National Institute of Standards and Technology. He doesn’t want to spend money on cards and card readers that will have to be replaced in a year or two.

Still, Santiago sees the opportunity to achieve some goals that were previously out of reach. Buoying his spirits is the discovery that about 60% of the applications within NASA are now Web-based. Those applications should be relatively easy to adapt to support the latest Internet security standards—the ones that NISE is built around.

Meanwhile, NASA is developing a portal infrastructure for both its public and internal Web sites as an adjunct to the NISE project. Since the internal Web site will support smart cards, integrating Web applications with the portal will make them smart-card-ready and integrate them with the NISE architecture.

“It means we will be able to smart-card-enable a large number of accounts very rapidly,” Santiago says. “Numbers like 60% always excite me within NASA.” After all the fits and starts, he adds, things are starting to fall into place for NASA to achieve its longtime goals for PKI security in conjunction with the NISE project.