The security badge for the future

It could be years before agencies realize the full capabilities of the new personal identity verification cards that Homeland Security Presidential Directive 12 requires

HSPD-12: The ABCs

Many management questions about the government’s ambitious smart-card program are still unanswered. Who better to ask than Michael Butler, program manager at the General Services Administration’s HSPD-12 Managed Services Office.

FCW: How are agencies handling personnel challenges of Homeland Security Presidential Directive 12?

Butler: The Agriculture Department recently instituted a Web service that automatically loads updated personnel records to GSA’s Managed Service Credentialing System. GSA has introduced a system that receives information from GSA databases, highlights areas that require human attention, verifies the records and collates them for uploading to the MSO every evening.

FCW: How should agencies handle these records challenges?

Butler: They have to clean and verify data — e-mail directories, physical-security databases, some human resources data — and reset it back into the system. When cards are issued, systems like the MSO promote data integrity by generating a database of personal identity verification cardholders and cross-checking identity-based information.

FCW: Many agency employees and contractors who have been in the government less than 15 years did not get HSPD-12 cards by the Oct. 27, 2007, deadline. Is their access being restricted?

Butler: All agencies are different. Right now, I just want clean data and the person to be near an enrollment station.

FCW: How has the directive added to the work of chief human capital offers?

Butler: Many have brought in help to work the records submission.

FCW: How has the directive added to the work of chief information officers?

Butler: For those who have responsibility for the program, obviously a lot. Our MSO office has taken orders for more than 50,000 [computer-access card] readers in the past three months.

FCW: How have information technology employees been affected by the HSPD-12 directive?

Butler: There is heightened awareness of token-based security and interest in [public-key infrastructure technology].

FCW: Are agencies creating a huge backlog of requests to the Office of Personnel Management for fingerprint and background checks?

Butler: I see programs like the GSA MSO enabling many agencies to reduce the paper fingerprint submissions through better efficiency and accuracy.

FCW: How are agencies tracking down all their contractors?

Butler: Rules differ by agency. The ones that I have dealt with have better control over contractors than most people would think. Their need for computer access keeps the bar high.

FCW: Are they compiling databases of all their contractors?

Butler: Though discussed, it requires more study before launching into an expensive new program.

FCW: Have most agencies created an HSPD-12 program management office?

Butler: There is an HSPD-12 presence in every agency that works with the MSO, from a single person coordinating across an agency to large PMO staffs. Others have placed HSPD-12 as a duty of the CIO’s office or the human resources officer or the physical-security officer.

FCW: What new job functions have agencies created to comply with HSPD-12 requirements?

Butler: HSPD-12 formalizes efforts of privacy officers, sponsors and the staff who run enrollment stations. The directive creates a constantly audited system as well as legal implications for falsifying data.

FCW: Must these people be certified? Who certifies them?

Butler: Federal Information Processing Standard 201 [the mandatory federal standard for personal identity verification] requires certification. Agencies set their own rules. In the case of the GSA MSO, each role holder must take an exam [online] and pass a test.

FCW: How are senior agency officials handling their new role in signing off on the risk associated with implementing the directive?

Butler: If you look at the agency officials doing the risk assessment, many of them are in a position that makes them experts in this area.

— John Pulley

HSPD-12: The critics

Federal officials charged with implementing Homeland Security Presidential Directive 12 aren’t rocket scientists, but some of the directive’s most ferocious critics are.

Twenty-eight employees of the California Institute of Technology who work as scientists and engineers at NASA’s Jet Propulsion Laboratory are engaged in a running legal battle since filing a lawsuit in August against the research university and the agency. The lawsuit claims that mandatory background investigations required as part of NASA’s plan for complying with HSPD-12 are intrusive and violate plaintiffs’ privacy. The lawsuit includes complaints about inquiries into sexual orientation and provisions that would allow investigations of former employees for as long as two years after they have left the lab.

The government’s justification for gathering such information relies on “a series of McCarthy-era statutes and cases,” said Dan Stormer, a lawyer who represents the Caltech employees.

In the latest round of legal wrangling, the Ninth Circuit Court of Appeals granted a victory Jan. 11 to the employees, none of whom work on sensitive projects requiring security clearances. Overruling a lower court that had dismissed the workers’ claims, the appellate judge justified the reversal on the grounds of “serious legal and constitutional questions and because the balance of hardships tips sharply…toward appellants, who face a stark choice — either violation of their constitutional rights or loss of their jobs.”

Susan Foster, a senior technical writer employed by the lab for 39 years, said she became concerned about the implementation of HSPD-12 after learning that the agency had disregarded problems with equipment used to record, store and match employees’ fingerprints.

“They were willing to turn in substandard prints,” Foster said, noting that such an oversight is anathema in a culture obsessed with exactitude. “You don’t get to Mars with things being done imprecisely and inaccurately.”

— John Pulley

A funny thing happened on the road to issuing state-of-the-art personal identity cards to federal employees and contractors: old-fashioned cooperation.

Efforts to comply with Homeland Security Presidential Directive 12, an ambitious agenda for stiffening security and tightening access to the government’s physical assets and computer networks,  have had the unintended consequence of forging coalitions within and among historically independent agencies. Although it will be years — at least — before agencies meet all the goals of HSPD-12, the struggle to achieve them is already having an impact.

“The HSPD-12 process forces everyone to talk, which is not the culture in many agencies,” said Michael Butler, program manager at the General Services Administration’s HSPD-12 Managed Services Office. “This is a great unintended consequence.”  

Implementation of HSPD-12 requires the cooperation of the human resources, information technology and physical security departments  — areas within organizations that often have had only a passing acquaintance with one another.

“From the very beginning at Labor, we treated this as an HR, security and IT project,” said Patrick Pizzella, chief information officer and chief human capital officer at the Labor Department. Labor has issued HSPD-12 credentials to 60 percent of its employees, which is a high-water mark for compliance among the largest departments and agencies.

Comparing notes for the first time can be an eye-opener, said Daniel Chenok, a vice president at technology consulting firm SRA International. A federal client of SRA discovered, for example, that data collection associated with hiring new employees was, by turns, wastefully redundant and woefully inadequate.

Having identified the problem, “they were able to re-engineer the onboarding process” of employees for greater consistency and efficiency, said Chenok, who cited privacy in declining to name the client. CIOs and “HR and physical-security directors have not had to have the same type of interactive work arrangements as they have under HSPD-12. People get in the same room and discover things to streamline that they didn’t know about.”

And some that they do. As a member of the National Guard, Ivan Hurtt sat at a desk with three identical classified computers with the same level of clearance that couldn’t  share data because they belonged to separate programs. At times, he toted a collection of security badges that looked like “a janitor’s key ring.”

“HSPD-12 is largely about sharing the right amount of data with the right people at the right time,” said Hurtt, product marketing manager at Novell Identity and Security Management. “This is about breaking down silos.”

Interoperability is key
Imagine building an interoperable security system that can control access to every building and validate the identity of every worker and first responder in Manhattan. Now contemplate implementing that system nationally, and you’ll have some idea of the scope and complexity of the challenges involved in meeting the goals of HSPD-12, said Patrick Hearn, who leads the identity market division at Oberthur Card Systems Security.

“Compliance on this is a long and complex process,” Hearn said.

Agencies are taking varied approaches to the challenge. The Defense Department, having issued millions of smart cards in advance of HSPD-12, is well ahead of the pack in meeting the new requirements. Other governmental organizations have barely begun to tackle the issue.

The Veterans Affairs Department is among a small number of departments and agencies that are developing in-house solutions. With 12 identity systems nationwide, VA is working to create a single, unified system that is interopera ble with DOD’s Common Access Card program, a personal identity verification program that predates HSPD-12. By contrast, about 70 agencies have opted to participate in the General Services Administration’s Managed Shared Services program, an option that comes with its own challenges.

“GSA has a particular structure in place, and some agencies can’t electronically transmit information the way GSA wants to see it without making major changes to it,” said  Randy Vanderhoof, executive director at the SmartCard Alliance, a nonprofit industry association that promotes smart-card technology.

Technical challenges abound. EDS, the primary integrator for GSA’s managed-services solution, has more than a dozen teams and subcontractors working on the HSPD-12 program. The HSPD-12 card uses 200-bit credential numbers, which are so large that they overwhelm the capacity of some existing hardware. Many building security systems still in use were developed 15 years ago. During a transition period, some agencies plan to introduce hybrid solutions that meet the requirements of advanced smart-card technology while retaining compatibility with existing physical security systems. 

Technological advances are changing the way agencies view security systems, which in the past were seen as part of the physical plant. Systems in development to comply with HSPD-12 are more likely to be viewed as part of an organization’s IT systems portfolio, a disruptive shift in the status quo.

“Security directors and physical-plant people are not used to technology marching as rapidly as dictated by Moore’s Law,” said Roger Roehr, manager of the government market at Tyco. Moore’s Law holds that the transistor capacity of integrated circuits doubles every two years, a phenomenon posited by Intel co-founder Gordon Moore.

“You don’t see Moore’s law in air conditioning units,” Roehr said.

The upshot for federal agencies is the necessity for people working on HSPD-12 from different functional areas “to cooperate and understand each other and learn each other’s language. That has been a growth curve,” Roehr said. “The people and processes are always harder than the technology.”

Given the challenges of implementing HSPD-12, delays in implementation are hardly unexpected. Earlier this month, the Office of Management and Budget reported that less than 1 percent of federal employees and contractors have received the required secure identification cards despite a deadline of Oct. 27, 2007, for completing background checks and issuing credentials to federal employees and contractors with less than 15 years of government service.

“That, in some respects, results from a failure to make sure that agencies had the resources to meet the very ambitious timelines that were laid out,” said Lynn McNulty, a consultant who founded McNulty and Associates after retiring from the National Institute of Standards and Technology. NIST developed Federal Personal Identity Verification Standard 201, which specifies personal identity verification requirements for federal employees and contractors.

The next major deadline is Oct. 27 of this year, by which date federal agencies must issue credentials to all employees and contractors who require them in accordance with HSPD-12. Reports issued in the past six months by the offices of inspectors general for GSA and the Homeland Security Department made clear that the only suspense involving the deadline is the degree to which the government will collectively miss it.

DHS, for example, isn’t expected to meet the credentialing deadline until 2010.

The department is experiencing delays in implementing a technical solution and issuing compliant cards to its employees and contractors, the DHS IG’s report s tes. 

Moreover, a number of technology vendors predict that HSPD-12’s thorniest challenges lie ahead. Despite various delays and setbacks, issuing cards is relatively easy. The hard part is using them to reliably manage building and computer access within and across agencies.

Expensive flash passes
In theory, a cardholder would use his or her HSPD-12 credential to access secure computer networks, cutting by an order of magnitude the vulnerability of networks protected only by user names and passwords. In addition, a smart card would provide  access only to those areas of a network for which the cardholder has privileges. In the realm of physical security, a governmentwide interoperable system of identity verification would provide easy access for first responders and authorized personnel who need to move among the facilities of multiple agencies.

“The ultimate dream is [that] when an employee is no longer part of an organization,  the HR department can press a button and have his paycheck, building access and network access stop simultaneously,” said Bryan Ichikawa, a solutions architect at Unisys Federal Systems.

Until such capabilities are available, Ichikawa said, smart cards issued by the federal government will amount to “the world’s most expensive flash passes.”

Labor’s Pizzella said Phase 2 of HSPD-12 compliance will be difficult, “but the first thing you have to do is issue the cards. If you can’t issue cards, the rest of it doesn’t matter. You walk before you run.” 

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above