HSPD-12: DOD holds pole position
The Defense Department has a big jump on other agencies racing to meet the smart card deadline, but being first comes with a cost
As the government’s most experienced user of smart card identity credentials, the Defense Department finds itself blessed and cursed as the Oct. 27 deadline approaches for all federal agencies to begin issuing uniform, secure identity cards to employees and contractors.
DOD’s experience in issuing 11 million Common Access Card (CAC) credentials in the past several years gives it an advantage no other government agency has for meeting the Homeland Security Presidential Directive 12 (HSPD-12) mandate.
But that experience also puts DOD at a certain disadvantage. It has an established infrastructure and a painstakingly built user mind-set and culture. Those components are similar to HSPD-12’s requirements but different enough to create challenges for those managing the switch.
“We’ve been doing this [with CAC] for six years already, so we have a huge infrastructure in place, and we have to make sure we don’t bring that infrastructure down” while meeting the demands of HSPD-12, said Mary Dixon, deputy director of the Defense Manpower Data Center (DMDC), which manages the CAC and HSPD-12 credential programs for DOD.
It might be several years before DOD can issue the new credentials at more than 1,400 DOD sites worldwide, Dixon said. In the meantime, both credentials have to coexist, which means the new HSPD-12 cards must be compatible with the CAC readers, and DOD employees need to learn about the new cards. “We’ll definitely not be trying to do everything at once,” Dixon said.
President Bush signed HSPD-12 in August 2004 in response to the 2001 terrorist attacks. It requires federal agencies to create standardized, secure and reliable identity credentials and issue them to their employees and contractors.
Federal Information Processing Standard (FIPS) 201 defines technical specifications for the new identity credential. FIPS 201 describes procedures for issuing the credential, identifies the technologies to be used on the cards and establishes procedures for how agencies should manage them.
A major challenge for DOD will be to ensure everyone knows about the new card, said Brian Kitzmiller, client delivery executive at EDS, which has been supporting DMDC’s smart card program since 2001.
DOD cannot simply recall 3.2 million CACs in use now and replace them with HSPD-12 cards, Kitzmiller said, so it must deal with the potentially confusing situation of having the old and new credentials in circulation at the same time.
The new identity credential will look different from CAC, which is another potential cause for confusion. “Experience has taught us that you can never do enough publicity about what you are doing with DOD identification cards,” Kitzmiller said. For example, military facilities have different ways of handling identity cards. If guards at entrance gates don’t know about the new identity credentials, confusion is inevitable.
DOD has about 2,000 workstations worldwide from which it issues CACs, and their operators must receive training on the HSPD-12 requirements. “There needs to be a constant push to educate the DOD population that this new card is real,” Kitzmiller said.
Expanding the HSPD-12 program globally is another potential problem for DOD. The most challenging aspects would be issuing and using the cards in areas where DOD is conducting military operations, Dixon said. DOD spent some time, for example, establishing systems in Iraq to issue and replace CAC identity credentials.
Network connectivity is the primary challenge, Dixon said. With the limited electronic infrastructure available in some battlefield areas, the new identity credential might not be usable. “We are struggling with those issues now,” she said.
HSPD-12 cards’ contactless interface could create other potential problems, Dixon said. The older CAC has only a contact interface, which means someone must insert it into a card reader to view the data stored on a microprocessor chip embedded in the card. With the newer HSPD-12 card, a person can simply wave the card in front of a card reader. The reader captures the data on the card via a wireless signal.
Some people worry that the new card’s contactless interface leaves it vulnerable to anyone who might surreptitiously use a reader to capture data about the card holder and then use the data to create a false identity credential. However, Dixon said that scenario is unlikely.
A card reader must be within five inches of the HSPD-12 card for it to capture data stored on the card’s chip, she said. And similar to the new e-passports that the State Department will issue beginning in 2007, people can store the HSPD-12 cards in secure, protective cases.
“We think the card is pretty secure as it is,” Dixon said. “But we are looking at some way of providing a protective sleeve to go along with the card, so it can’t be used without taking it out of the sleeve.”
HSPD-12 applies to federal employees and contractors. DOD is working with industry on the technical requirements for an infrastructure that would let DOD access external identity management systems to verify that contractors are who they say they are.
For example, a contractor who carries an HSPD-12 card could walk into a DOD visitor center and wave the card in front of an HSPD-12 card reader. Via a secure Internet infrastructure, DOD would verify the contractor’s identity by checking the company’s system.
A cross-credentialing network is not part of the HSPD-12 mandate, but it is necessary to create a successful program, Dixon said.
In January, DMDC signed its first agreement with the Federation for Identity and Cross-Credentialing Systems to establish such an infrastructure. The DOD/industry group was formed to support HSPD-12. Both parties expect to sign a second agreement by the end of August for dealing with the challenges of large-scale deployment and other issues, said Michael Mestrovich, the group’s co-chairman.
“We’ll all have to learn what’s needed to deploy this kind of network,” Mestrovich said. The group is working on those issues now.
Making sure employees and contractors can use the cards effectively is as important as creating and distributing the cards, said Mike Butler, who leads DOD’s smart card programs. The General Services Administration recently hired Butler for a six-month assignment to help civilian agencies comply with HSPD-12.
“Unfortunately, most people have been worried only about making sure everyone has a card,” Butler said. DOD has been in the smart card business a long time, he added. “Being able to use the card effectively is what brings the real value.”
Beyond providing secure access to buildings and information systems, uses for the HSPD-12 card are limited only by people’s imaginations, Dixon said.
Sharing information among agencies is one possible use. Agencies can also use the HSPD-12 card to ensure information is being submitted to those people who should be getting it, she said.
But DOD employees can also use the new smart cards for routine activities, such as paying for meals. The Navy, for example, uses CACs in its dining facilities and links them to back-end finance systems so that it can deduct money for meals directly from sailors’ accounts. DMDC also uses CACs to manage purchase cards by tracing purchases to a specific person, Dixon said.
The requirements that will create more work for DOD initially are also the ones that will make the new credential more trustworthy and useful than CAC, Dixon said. Those requirements include collecting and validating two fingerprints and completing national background checks before hiring new employees and issuing them identity cards.
DOD won’t reach critical mass with HSPD-12 credentials immediately, Dixon said. After all, it took several years to reach a point at which enough people had CACs that DOD could require their use for secure access to DOD networks and buildings.
“We couldn’t have done that when we started because not everyone was on the card,” Dixon said. “It will be the same for the HSPD-12 credential.”