HSPD-12: DOD holds pole position

The Defense Department has a big jump on other agencies racing to meet the smart card deadline, but being first comes with a cost

As the government’s most experienced user of smart card identity credentials, the Defense Department finds itself blessed and cursed as the Oct. 27 deadline approaches for all federal agencies to begin issuing uniform, secure identity cards to employees and contractors.

DOD’s experience in issuing 11 million Common Access Card (CAC) credentials in the past several years gives it an advantage no other government agency has for meeting the Homeland Security Presidential Directive 12 (HSPD-12) mandate.

But that experience also puts DOD at a certain disadvantage. It has an established infrastructure and a painstakingly built user mind-set and culture. Those components are similar to HSPD-12’s requirements but different enough to create challenges for those managing the switch.

“We’ve been doing this [with CAC] for six years already, so we have a huge infrastructure in place, and we have to make sure we don’t bring that infrastructure down” while meeting the demands of HSPD-12, said Mary Dixon, deputy director of the Defense Manpower Data Center (DMDC), which manages the CAC and HSPD-12 credential programs for DOD.

It might be several years before DOD can issue the new credentials at more than 1,400 DOD sites worldwide, Dixon said. In the meantime, both credentials have to coexist, which means the new HSPD-12 cards must be compatible with the CAC readers, and DOD employees need to learn about the new cards. “We’ll definitely not be trying to do everything at once,” Dixon said.

President Bush signed HSPD-12 in August 2004 in response to the 2001 terrorist attacks. It requires federal agencies to create standardized, secure and reliable identity credentials and issue them to their employees and contractors.

Federal Information Processing Standard (FIPS) 201 defines technical specifications for the new identity credential. FIPS 201 describes procedures for issuing the credential, identifies the technologies to be used on the cards and establishes procedures for how agencies should manage them.

A major challenge for DOD will be to ensure everyone knows about the new card, said Brian Kitzmiller, client delivery executive at EDS, which has been supporting DMDC’s smart card program since 2001.

DOD cannot simply recall 3.2 million CACs in use now and replace them with HSPD-12 cards, Kitzmiller said, so it must deal with the potentially confusing situation of having the old and new credentials in circulation at the same time.

The new identity credential will look different from CAC, which is another potential cause for confusion. “Experience has taught us that you can never do enough publicity about what you are doing with DOD identification cards,” Kitzmiller said. For example, military facilities have different ways of handling identity cards. If guards at entrance gates don’t know about the new identity credentials, confusion is inevitable.

DOD has about 2,000 workstations worldwide from which it issues CACs, and their operators must receive training on the HSPD-12 requirements. “There needs to be a constant push to educate the DOD population that this new card is real,” Kitzmiller said.

Expanding the HSPD-12 program globally is another potential problem for DOD. The most challenging aspects would be issuing and using the cards in areas where DOD is conducting military operations, Dixon said. DOD spent some time, for example, establishing systems in Iraq to issue and replace CAC identity credentials.

Network connectivity is the primary challenge, Dixon said. With the limited electronic infrastructure available in some battlefield areas, the new identity credential might not be usable. “We are struggling with those issues now,” she said.

HSPD-12 cards’ contactless interface could create other potential problems, Dixon said. The older CAC has only a contact interface, which means someone must insert it into a card reader to view the data stored on a microprocessor chip embedded in the card. With the newer HSPD-12 card, a person can simply wave the card in front of a card reader. The reader captures the data on the card via a wireless signal.

Some people worry that the new card’s contactless interface leaves it vulnerable to anyone who might surreptitiously use a reader to capture data about the card holder and then use the data to create a false identity credential. However, Dixon said that scenario is unlikely.

A card reader must be within five inches of the HSPD-12 card for it to capture data stored on the card’s chip, she said. And similar to the new e-passports that the State Department will issue beginning in 2007, people can store the HSPD-12 cards in secure, protective cases.

“We think the card is pretty secure as it is,” Dixon said. “But we are looking at some way of providing a protective sleeve to go along with the card, so it can’t be used without taking it out of the sleeve.”

HSPD-12 applies to federal employees and contractors. DOD is working with industry on the technical requirements for an infrastructure that would let DOD access external identity management systems to verify that contractors are who they say they are.

For example, a contractor who carries an HSPD-12 card could walk into a DOD visitor center and wave the card in front of an HSPD-12 card reader. Via a secure Internet infrastructure, DOD would verify the contractor’s identity by checking the company’s system.

A cross-credentialing network is not part of the HSPD-12 mandate, but it is necessary to create a successful program, Dixon said.

In January, DMDC signed its first agreement with the Federation for Identity and Cross-Credentialing Systems to establish such an infrastructure. The DOD/industry group was formed to support HSPD-12. Both parties expect to sign a second agreement by the end of August for dealing with the challenges of large-scale deployment and other issues, said Michael Mestrovich, the group’s co-chairman. “We’ll all have to learn what’s needed to deploy this kind of network,” Mestrovich said. The group is working on those issues now.

Making sure employees and contractors can use the cards effectively is as important as creating and distributing the cards, said Mike Butler, who leads DOD’s smart card programs. The General Services Administration recently hired Butler for a six-month assignment to help civilian agencies comply with HSPD-12.

“Unfortunately, most people have been worried only about making sure everyone has a card,” Butler said. DOD has been in the smart card business a long time, he added. “Being able to use the card effectively is what brings the real value.”

Beyond providing secure access to buildings and information systems, uses for the HSPD-12 card are limited only by people’s imaginations, Dixon said.

Sharing information among agencies is one possible use. Agencies can also use the HSPD-12 card to ensure information is being submitted to those people who should be getting it, she said.

But DOD employees can also use the new smart cards for routine activities, such as paying for meals. The Navy, for example, uses CACs in its dining facilities and links them to back-end finance systems so that it can deduct money for meals directly from sailors’ accounts. DMDC also uses CACs to manage purchase cards by tracing purchases to a specific person, Dixon said. The requirements that will create more work for DOD initially are also the ones that will make the new credential more trustworthy and useful than CAC, Dixon said. Those requirements include collecting and validating two fingerprints and completing national background checks before hiring new employees and issuing them identity cards.

DOD won’t reach critical mass with HSPD-12 credentials immediately, Dixon said. After all, it took several years to reach a point at which enough people had CACs that DOD could require their use for secure access to DOD networks and buildings. “We couldn’t have done that when we started because not everyone was on the card,” Dixon said. “It will be the same for the HSPD-12 credential.”

HSPD-12 and the critical-mass factorThe value of the new identity credentials that Homeland Security Presidential Directive 12 requires will depend on how well agencies respond to the HSPD-12 mandate. Like the Defense Department, other agencies must issue HSPD-12 credentials to their employees and contractors, and many of them are lagging in that effort.

After HSPD-12 compliance reaches critical mass, DOD can accept HSPD-12 identity cards that other agencies issue as trusted credentials for access to DOD facilities and information systems. Such interoperability will be necessary for the increasing collaboration and information sharing that all federal agencies expect to do in the future, HSPD-12 experts say.

One group that is organized to tackle the interoperability challenge is the Federation for Identity and Cross-Credentialing Systems. The DOD/industry group was formed to establish a trusted network for verifying HSPD-12 identity credentials electronically across DOD and industry boundaries.

Michael Mestrovich, the group’s co-chairman, said he believes agencies could use a similar infrastructure to solve interagency verification challenges. “DOD and [the federation] will be in [HSPD-12] compliance from the get-go, and we already have the beginning of an interoperable network that can be used at places around the world,” he said. “So why can’t the DOD just extend this thing to the General Services Administration headquarters?”

GSA is engaged in its own effort to bring federal agencies into compliance with the HSPD-12 mandate. Only about 10 agencies — and that number includes DOD — always intended to comply with HSPD-12, said Mike Butler, chief of DOD’s smart card programs. But 100 other civilian agencies now face expensive requirements to establish an infrastructure.

GSA said it hopes to close that gap with a shared service for which agencies could pay. It would offer a ready-made resource for meeting the HSPD-12 deadline, Butler said.

In June, GSA issued a request for proposals for issuing fully certified and accredited HSPD-12 credentials. “Over the last month or so, we and the Office of Management and Budget have been going to these other agencies to explain to them what the concept of this is and what choices they can make,” Butler said. “Now [that] this RFP has gone out, they see they have something that will provide them with [a means to issue] a credential.”

— Brian Robinson

Educating users to accept a new mind-setMuch of the challenge involved in switching to Homeland Security Presidential Directive 12 credentials is in changing the culture and mind-set of those who work with Defense Department identity cards, said Brian Kitzmiller, client delivery executive at EDS.

When introducing the Common Access Card (CAC), for example, DOD struggled to change the mind-set of military security employees who were accustomed to visually inspecting identity cards.

Verification is a well-accepted practice for gaining access to computer networks, Kitzmiller said. But even with CACs, getting people to use them appropriately for building access is challenging, he said, adding that he expects the same to be true of the HSPD-12 cards.

— Brian Robinson


  • Comment
    customer experience (garagestock/Shutterstock.com)

    Leveraging the TMF to improve customer experience

    Focusing on customer experience as part of the Technology Modernization Fund investment strategy will enable agencies to improve service and build trust in government.

  • FCW Perspectives
    zero trust network

    Why zero trust is having a moment

    Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security.

Stay Connected