There have been many changes since enterprises first looked at implementing smart card-based common access card programs in the 1990s. Although some large corporations successfully deployed such programs, smart card-based identity solutions never fully penetrated the enterprise or consumer markets. Looking back, it is clear that a lack of standards as well as the ensuing incompatibility between different proprietary products led to one-off projects, rather than solutions that would consistently drive prices down and make implementation straightforward.

Post September 11th, the U.S. government issued the Homeland Security Presidential Directive (HSPD)-12, a “policy for a common identification standard for federal employees and contractors.” Under the HSPD-12 mandate, all federal employees and contractors would be issued a Personal Identity Verification (PIV) card, a smart card with contact and contactless interfaces to be used as their identity credential for both logical access to information systems and physical access to facilities. In response to HSPD-12, the National Institute of Standards and Technology, published the Federal Information Processing Standard (FIPS) 201, specifying the architecture and technical requirements for this common identification standard, finally providing the standards missing for so long.

Due to the need to define and set up processes, such as the ones for vetting card recipients and for card issuance, the initial roll-out of PIV cards has been slower than expected. However, by early 2009, critical mass was finally reached with more than 1.5 million cards issued. This increased deployment was in part driven by the October 27, 2008 deadline for agencies to issue cards to all employees and contractors with 15 years or less of service.


With FIPS 201 in place, common access cards are now also spreading outside the Federal government environment, and a first foray is in the market for state and local emergency management solutions. Here DHS FEMA efforts have led to the First Responder Authentication Credential (FRAC) as well as the availability of critical infrastructures to accurately identify emergency responders and their credentials.

Additionally, the Transportation Worker Identification Credential (TWIC) is being implemented in the transportation and maritime industries primarily to identify truck drivers and port workers and to mitigate the effects of a transportation security incident. Moreover, major contractors to the Federal government such as Lockheed Martin, Northrop Grumman and SAIC, are being required to provide PIV cards to a number of their employees, and are now looking to implement such programs company-wide.

In parallel to the above developments, the last several years has seen many discussions about security convergence, and, in fact, nowadays no industry conference is complete without at least some sessions addressing the issue.