Feds face new HSPD-12 hurdles

Challenges include upgrading building access controls and issuing cards to contractors

Federation for Identity and Cross-Credentialing Systems

Most federal agencies have set up procedures for issuing secure identity credentials to the more than 1.8 million federal employees, the first big hurdle in the mandatory smart-card program known as Homeland Security Presidential Directive 12.

Now Bush administration officials have turned their attention to ensuring that physical access-control systems at federal facilities meet HSPD-12 standards and that contractors can access the buildings without too much hassle. Estimates of the number of federal contractors who work in federal facilities range from 4 million to 10 million.

The Physical Security Working Group has begun developing guidelines that will help agencies upgrade the systems that control entry into federal facilities. A government official who asked not to be named said most agencies will require three to five years to upgrade their access-control systems.

“Agencies need to perform an analysis to determine whether they need to upgrade card readers and other back-end systems such as controllers,” the official said. “Some agencies may want to implement more than one reader to use legacy credentials and systems while they are migrating.”

Meanwhile, another group — the Federal Identity Credentialing Committee (FICC) — is focused on the procedures for issuing HSPD-12 cards to contractors. The committee will recommend ways to ensure that contractors don’t have to wait for new cards or pay for new credentials each time they take on a project at a new agency.

FICC’s objective is to “ensure contractors don’t walk around with a necklace of HSPD-12 cards,” said Judy Spencer, the committee’s chairwoman. In the next few months, an FICC subcommittee will submit its recommendations to the HSPD-12 Executive Steering Committee on how to handle the reciprocity of contractor credentials.

In the next year, Spencer said, FICC will also draft documents and recommendations for the steering committee on other challenges, including defining what trust means for the HSPD-12 program, ensuring interoperability and compatibility with state and local government and nongovernmental entities that adopt the HSPD-12 card standard, and defining rules for agencies to follow when they exchange employee information.

Credentialing contractors adds a challenging layer of complexity, which is one of the reasons the committee made it a priority, Spencer said.

“Contractors are a bit nomadic, moving from project to project and company to company,” she said. “When a badge is revoked or destroyed, we don’t want the contractor to go through the same process to get a new badge again. We still are early in the analysis, but we hope to find ways to be more efficient and save money.”

The Agriculture Department is already working on that challenge, said Chris Niedermayer, USDA’s associate chief information officer. “We will record as a part of their contract the names of contractors into our human resources system,” Niedermayer said at a recent HSPD-12 event in Washington. “We will collect only enough information to ensure they pass a background check.”

USDA’s system could eventually connect to a larger federated, governmentwide system for validating contractors, he added.

DOD has a fix on the card challenge

Agencies must find ways for federal contractors to change projects without having to get a new identity credential from each agency in which they work. It’s one of the challenges for agencies under the secure credentialing program mandated by Homeland Security Presidential Directive 12 but one that the Defense Department may have already solved.

Industry and DOD launched the Federation for Identity and Cross-Credentialing Systems (FiXs) in 2004 and conducted several successful test programs with companies, including Northrop Grumman, SRA International and EDS.

FiXs verifies and authenticates the identity of contractors seeking to enter U.S. military installations, government-controlled areas and commercial sites linked to DOD networks, said Bob Martin, FiXs secretary.

“If industry follows certain standards and protocols, they can pass credentials across the DOD network,” Martin said, and the way it works is simple. “The sponsoring company captures and holds the employees’ data, and the DOD router at a facility validates the information against that database when an employee tries to enter.”
— Jason Miller
