Broader implementation of HSPD-12 could boost PKI use

The Defense Department has issued more than 4 million Common Access Cards, but most Pentagon employees use the smart cards minimally.

With all the legacy systems DOD uses, integrating digital certificate software is costly and difficult, said Carl Vercio, director of DOD’s Identity Protection and Management Program for Washington Headquarters Services.

“Ninety percent of employees use their CAC to sign and encrypt e-mails or to get on the network,” Vercio said yesterday at the Identity Management Conference in Arlington, Va., sponsored by the Information Technology Association of America. “We are not taking advantage of the technology available to us today. We focus too much on people outside DOD.”

And DOD is not alone in the underutilization of smart-card and public-key infrastructure technology. Most agencies find that smart cards end up being used as flash badges to gain entrance to buildings instead of being used for true physical and logical access. And PKI technologies, which agencies and vendors have been excited about for more than five years, have little penetration across agencies.

“Authentication and identity management are the least-deployed technology to protect systems, networks and infrastructure,” said William Crowell, a security consultant and member of the Markle Foundation Task Force on National Security. “In 2003, PKI became a four-letter word. It is still the least-deployed and most-technical concept of all the technologies out there, including encryption.”

But Vercio and others see the government’s implementation of Homeland Security Presidential Directive 12 as a key to more agencies using digital certificates.

“We are retrofitting and adapting applications to meet the Personal Identity Verification standard [under Federal Information Processing Standard 201],” Vercio said. “We hope industry figures out ways to make the CAC useful.”

Margie Cashwell, director of worldwide systems engineering for RSA Security Inc. of Bedford, Mass., said HSPD-12 will bring PKI and the federal bridge to life. “Agencies can use HSPD-12 to further single-sign-on capabilities across the enterprise or for Web applications or for federated systems,” she said.

David Temoshok, the General Services Administration’s director of identity policy and management, said HSPD-12 also is an important piece of the e-government puzzle.

He said the standard smart card will establish strong identification services for government employees to gain access to systems and services, and that will help promote e-government. “We have to have stronger authentication to support online services,” he said. “We are building a system that will help citizens gain experience using the services and see that the services are reliable.”
