GOVERNMENT SMART CARD HANDBOOK

Samsung Ex. 1022, Page 1 of 262
Samsung Electronics America, Inc. v. RFCyber Corp.
IPR2021-00980

PREFACE

This guidance Handbook is the result of Government experience gained over the past several years with smart
card programs that include many smart card implementations, pilots, and projects conducted throughout the
Federal government. The Handbook includes very significant input from industry and academic resources.
The purpose of this Handbook is to share lessons learned and to provide guidance to Federal agencies
contemplating the development and deployment of smart card or integrated circuit card-based identity and
credentialing systems.

At this writing there is a project under way to make this Handbook as web friendly as possible. Any
suggestions on how to make this Handbook more useful and convenient would be appreciated. Please e-mail
comments to Jim Hunt (jim.hunt@gsa.gov) and Bill Holcombe (bill.holcombe@gsa.gov).

Bill Holcombe,
Office of Governmentwide Policy
General Services Administration

February 2004

ACKNOWLEDGEMENTS

This ‘Government Smart Card Handbook’ has been developed under the joint sponsorship of the General
Services Administration Office of Governmentwide Policy and the Smart Card Interoperability Advisory Board
(IAB). It would not have been possible to produce this Handbook without the contributions of knowledgeable
people from government, industry, and academia. We acknowledge their contributions and give special thanks
to the following direct contributors:

Tim Baldridge – National Aeronautics and Space Administration
Ralph Billeri – BearingPoint Inc.
Dallas Bishoff – Veterans Affairs AAIP Team
Joseph Broghamer – Department of Homeland Security
Michael Brooks – General Services Administration
Michael Butler – DoD Common Access Card Program
Fred Catoe – Veterans Affairs AAIP Team
Pamela Corry – Department of Homeland Security
Patty Davis – Department of Agriculture
Russ Davis – Federal Department of Insurance Corporation
Peter Dauderis – General Services Administration
Portia Dischinger – National Aeronautics and Space Administration
Mary Dixon – Department of Defense
Bob Donelson – Department of Interior
Ron Dorman – Defense Information Systems Agency
James Dray – National Institute of Standards and Technology
John de Ferrari – General Accounting Office
Keith Filzen – Central Intelligence Agency
Jack Finberg – General Services Administration
Liz Fong – National Institute of Standards and Technology
George Fortwengler – Department of Health and Human Services
Damon Goddard – General Services Administration
Scott Glaser – General Services Administration
David Hauge – BearingPoint Inc.
Peter Han – General Services Administration
Gordon Hannah – BearingPoint Inc.
Daryl Hendricks – General Services Administration
Barbara Hoffman – Department of the Navy
Bill Holcombe – General Services Administration
Lee Holcomb – Department of Homeland Security
Keith Hughes – Department of Homeland Security
Paul Hunter – Transportation Workers Identification Credential
Joel Hurford – United States Patent and Trademark Office
Kevin Hurst – Office of Science and Technology Policy
Lisa Kalinowski – BearingPoint Inc.
Jeff Kindschuh – Veterans Affairs AAIP Team
July Kresgi – Department of Agriculture
Lolie Kull – Department of State
Steven Law – General Accounting Office
Greta Lehman – Department of Defense – Army
Graham MacKenzie – Department of Treasury
Amin Magdi – World Bank Group
Eugenia McGroarty – DoD – Defense Logistics Agency
John Mercer – Department of State
Carey Miller – BearingPoint Inc.
Mary Mitchell – General Services Administration
Martin Monahan – World Bank Group
John Moore – General Services Administration
William Morrison – National Aeronautics and Space Administration
Trung Nguyen – Department of Treasury
Steve Parsons – Transportation Security Administration
Sonya Pee – General Services Administration
Arthur Purcell – United States Patent and Trademark Office
Ronald Pusz – BearingPoint Inc.
Fred Riggle – United States Geological Survey
Teresa Schwarzhoff – National Institute of Standards and Technology
John G. Sindelar – General Services Administration
Judith Spencer – General Services Administration
Dario Stipisic – BearingPoint Inc.
Michael Sulak – Department of State
David Temoshok – General Services Administration
Janel Valverde – BearingPoint Inc.
Martin Wagner – General Services Administration
Dr. Jim Wayman – National Biometric Testing Center, San Jose State
William Windsor – General Services Administration
James Zok – Department of Transportation – Maritime Administration

We also recognize and give thanks to the Smart Card Alliance and their industry members for their assistance
in providing commentary and editorial advice to this Handbook:

Randy Vanderhoof – Executive Director, Smart Card Alliance
Cathy Medich – Government Smart Card Handbook Committee Chair, Smart Card Alliance

Bob Beer – Datacard Group
Linda Brown – Infineon Technologies
Alex Giakoumis – Atmel Corporation
Kevin Kozlowski – XTec, Incorporated
Bob Merkert – SCM Microsystems
Neville Pattinson – Axalto
Joe Pilozzi – Philips Semiconductors
James Russell – MasterCard International
Carlos Santos – IBM
Rick Uhrig – Gemplus
Bob Wilberger – Northrop Grumman IT

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1. INTRODUCTION
1.1 SMART IDENTIFICATION CARD VISION AND GOALS
1.1.1 Achieving Interoperability Across Federal agencies
1.1.2 Open Government System Framework
1.1.3 Flexibility
1.1.4 Interentity Cooperation
1.2 GSA’S ROLE
1.3 HANDBOOK AND SMART ACCESS COMMON ID CONTRACT PURPOSE AND ORGANIZATION
1.3.1 Purpose
1.3.2 Organization
2. SMART CARD TECHNOLOGY
2.1 SMART CARDS AND RELATED TECHNOLOGIES
2.1.1 Overview
2.1.2 Types of Chip Cards
2.1.3 The Secure Microcontroller Chip
2.1.4 Smart Card Read/Write Devices
2.1.5 Smart Card Interfaces: Contact and Contactless Cards
2.1.6 GSC-IS 2.1: Contact and Contactless Interoperability
2.1.7 Multiple Technology and Multiple Interface Cards
2.1.8 Multi-Application Cards
2.1.9 Synopsis of Technical Standards
2.1.10 Current Legislation and OMB Guidance
2.1.11 Smart Card Implementation Considerations
2.2 COMPONENTS OF A SMART CARD SYSTEM
2.3 CARD LIFE CYCLE MANAGEMENT ARCHITECTURE
2.4 CAPABILITIES OF THE SMART IDENTIFICATION CARD FOR AGENCIES
2.4.1 Identification
2.4.2 Smart Cards and Building Security: Physical Access Control
2.4.3 Smart Cards and IT Security: Logical Access Control
2.4.4 Digital Signatures
2.4.5 Biometrics and Smart Cards
2.4.6 Other Value-Added Services
2.5 BENEFITS OF IMPLEMENTING A SMART CARD SYSTEM
2.5.1 Why Implement a Smart Card System?
2.5.2 Relative Merit of Smart Cards vs. Alternative Technologies
3. AGENCY IMPLEMENTATIONS
3.1 AGENCY SMART CARD REQUIREMENTS
3.2 CURRENT STATUS OF SMART CARD DEVELOPMENT OF MAJOR USERS AND DEPARTMENTS
3.2.1 Introduction
3.2.2 Current and Planned Smart Card Implementations
3.2.3 Identity Management Solutions
3.2.4 User Support
3.2.5 Summary
4. KEY DECISIONS
4.1 DECIDING ON A SMART CARD
4.2 DETERMINING THE APPLICATIONS, CAPABILITIES AND OPTIONS OF THE CARD PLATFORM
4.2.1 Technology Capability
4.2.1.1 Existing Legacy Environment
4.2.1.2 PKI Strategy
4.2.1.3 Biometric Strategy
4.2.2 Sample Applications
4.3 KEY AGENCY PROFILE-DRIVEN DECISIONS
5. PLANNING & IMPLEMENTATION ISSUES
5.1 TECHNICAL ISSUES
5.2 MANAGEMENT AND ORGANIZATIONAL ISSUES
5.2.1 Card Management
5.2.2 Shifting Roles and Responsibilities
5.2.3 Training
5.2.4 Customer Service
5.2.5 Privacy Issues
5.2.6 Operating Rules and Procedures
5.3 RE-ENGINEERING THE BUSINESS PROCESSES
5.4 FINANCIAL ISSUES
5.4.1 Cost Factors
5.5 LINES OF COMMUNICATION AND AGENCY SUPPORT
5.6 QUALITY ASSURANCE AND CONTRACTOR MANAGEMENT
5.7 CARD SYSTEM INTEROPERABILITY
5.7.1 Interoperability Specification Development Process
5.7.2 Smart Card Interoperability Architecture
6. WRITING THE TASK ORDER
6.1 TECHNICAL ISSUES
6.2 FINANCIAL ISSUES
6.3 POLICY AND PROGRAMMATIC ISSUES
6.4 ENVIRONMENTAL CONCERNS
6.5 PUBLICIZING THE AWARDED TASK ORDER
6.6 TASK ORDER PROCESS
6.6.1 Overview of the Task Order
6.6.2 The Evaluation Process Summarized
6.6.3 Notification and Debriefing of Unsuccessful Offerors
7. SUMMARY RECOMMENDATIONS
7.1 TECHNICAL RECOMMENDATIONS
7.2 ORGANIZATIONAL AND MANAGEMENT RECOMMENDATIONS
7.3 LEGAL RECOMMENDATIONS
7.4 COST RECOMMENDATIONS
7.5 STANDARDS AND INTEROPERABILITY RECOMMENDATIONS
7.6 LESSONS LEARNED
7.7 LOOKING FORWARD – IMPLICATIONS OF AN EMPLOYEE MULTI-APPLICATION SMART CARD IDENTIFICATION PLATFORM
7.8 MAINTAINING ON-GOING PROGRESS
8. APPENDIX A – GLOSSARY OF TERMS
9. APPENDIX B – SURVEY OF FEDERAL SMART CARD PROJECTS
10. APPENDIX C – INDEX OF SMART CARD WEB SITES
11. APPENDIX D – REFERENCES
12. APPENDIX E – INTEROPERABILITY STANDARDS
13. APPENDIX F – AGENCY PROFILE QUESTIONNAIRE
14. APPENDIX G – AGENCY PROFILE
15. INDEX

Executive Summary

When the first edition of the ‘Smart Card Policy and Administrative Guidelines’ was published in
2000, it was presented to an audience of smart card managers as a primer on the technology.
Managers were offered a resource that enabled them to evaluate the technology, reflect on relevant
policy issues, and develop an implementation strategy.

Since the publication of the original Guidelines, the government has transformed from an
enterprise interested in the technology to one in which the technology is being
readily implemented. Specifically, over four million smart cards have now been issued to
government employees. Smart cards are being used across several government agencies and at
varying levels of functionality. Hence, there is a strong need within government to have access to a
resource that can provide current, up-to-date information regarding smart cards. One of the most
significant lessons learned in early smart card programs has been the need to incorporate a team
that includes all the stakeholders, including the program manager, physical access personnel, and
information technology support staff. Through the development of the team will come the knowledge
and understanding necessary to assign roles and responsibilities for a successful program.
Furthermore, as the underlying technologies such as public key infrastructure and biometrics that
make smart cards more robust and versatile have continued to converge and mature, the publication
of this Handbook becomes even timelier.

The goals of this Handbook are to offer a valuable, hands-on resource that will facilitate the reader’s
understanding of smart cards, cite case studies of smart card engagements in government, and map
the process for implementing smart cards through the careful consideration of task order criteria and
key decisions. It is intended that readers return to the Handbook’s pages frequently and be
presented with an opportunity to reinforce their knowledge of smart cards or discover an entirely new
facet of the technology.

Several years removed from the first government installation of multi-application smart card
technology, we can conclude with confidence that the technology is no longer experimental.
Instead, the application of smart cards within government has developed into a proven asset with a
quantifiable return on investment that has facilitated and secured the process employees use to
access government facilities and resources.

Finally, the Handbook presents tremendous value to a reader because its content is an
amalgamation of the experiences of many of the leading smart card users working in government,
industry, and academia. The recent efforts of smart card project managers, policy makers, and
manufacturers to further the adoption of smart cards have been consolidated here in an effort to
offer an all-encompassing perspective on the current state of smart cards in government.

1. INTRODUCTION

The Clinger-Cohen Act (CCA) of 1996 and the Defense Reform Initiative of 1999 committed
certain government agencies to improving innovation through the reformation of business processes and
exploitation of technology to achieve efficiencies and improve readiness. The core ideologies for
this reform were to: focus the enterprise on a unifying vision, commit leadership to change, focus on
core competencies, streamline organizations, invest in people, exploit information technology, and
eliminate barriers between organizations.

Reforms in electronic business, travel re-engineering, and expanded use of government-wide
commercial purchase cards have presented new opportunities to use smart card technology as an
enabling tool. Smart card technology offers an additional layer of electronic security and information
assurance for user authentication, confidentiality, non-repudiation, information integrity, physical
access control to facilities, and logical access control to an agency’s computer systems. To facilitate
this effort, the Smart Card Program was established and composed of representatives from the
Federal civilian, defense, and intelligence communities as a co-operative effort under the leadership
of the General Services Administration (GSA) and the Smart Card Project Managers Group. The
President’s Management Agenda (PMA), released in fiscal year 2002, also called for the following:

• Expand and improve the FirstGov web site (www.FirstGov.gov) to offer citizens a convenient
  entry to government services;
• Establish a Federal Public Key Infrastructure (PKI) to be adopted by agencies to promote digital
  signatures for transactions within the Federal government, between government and businesses,
  and between government and citizens; and
• By the end of 2002, use a single e-procurement portal, www.FedBizOpps.gov, by all agencies to
  provide access to notices of solicitations over $25,000.

This Government Smart Card Handbook was developed to assist agencies in the development of a
smart card program to harness the technologies currently available to:

• Obtain a secure identity management solution.
• Accomplish the objectives of government initiatives.
• Remain consistent with government regulations, directives, and applicable standards.

This Handbook is intended to serve as a reference document providing government agencies with
guidance for implementing an interoperable smart card program within their organization. This
Handbook was originally conceived and published in 2000. As a result of significant advances in
smart card technology, an effort was initiated in 2003 to bring the information in the Handbook
up to date. In addition, many government agencies have significantly increased their internal
knowledge of smart card technologies and related systems. This information is reflected in the
current version of the guide. The implementation of smart cards can be complex. The intent of this
guide is to provide the high-level reasons for implementing a program as well as
practical guidance on who should be involved and how to begin.

1.1 Smart Identification Card Vision and Goals

In order to help achieve the vision of using smart card technology to streamline administrative
processes, a role of GSA is to provide assistance to Federal agencies in the implementation of
smart card technologies for a wide range of purposes including personal identification, physical and
logical access, digital signatures, travel, and small purchases. It is GSA’s intent to assist Federal
agencies, via the Smart Access Common ID contract, in reengineering their business processes to
achieve streamlined operations and cost savings through enhanced operational efficiency.

In creating a common identification card for Federal government employees, the three goals of the
Smart Identification Card program are to:

• Develop smart card interoperability;
• Establish a set of mandatory requirements with optional value-added services; and
• Build in the capability to add new applications and migrate to advanced technologies.

To provide a common, interoperable identification card that can be used similarly across agencies,
this project has defined the following objectives for this card program:

• Interoperability across Federal agencies;
• Open government system framework;
• Flexibility; and
• Interentity cooperation.

Each of these objectives is described in further detail in the following sections.

1.1.1 ACHIEVING INTEROPERABILITY ACROSS FEDERAL AGENCIES

INTEROPERABILITY – What Is It and Why Do We Need It?

Interoperability refers to the cooperative processing of an application by distinct software, hardware,
firmware, various generations of cards and terminals, operating policies and administrative
procedures. Thus, this term describes a system or product that can operate with another system or
product directly without additional development effort by the user. In an interoperable environment,
there is sufficient flexibility to accommodate cards from multiple issuers and