The security badge for the future
It could be years before agencies realize the full capabilities of the new personal identity verification cards that Homeland Security Presidential Directive 12 requires
- By John Pulley
- Jan 18, 2008
A funny thing happened on the road to issuing state-of-the-art personal identity cards to federal employees and contractors: old-fashioned cooperation.
Efforts to comply with Homeland Security Presidential Directive 12, an ambitious agenda for stiffening security and tightening access to the government’s physical assets and computer networks, have had the unintended consequence of forging coalitions within and among historically independent agencies. Although it will be years — at least — before agencies meet all the goals of HSPD-12, the struggle to achieve them is already having an impact.
“The HSPD-12 process forces everyone to talk, which is not the culture in many agencies,” said Michael Butler, program manager at the General Services Administration’s HSPD-12 Managed Services Office. “This is a great unintended consequence.”
Implementation of HSPD-12 requires the cooperation of the human resources, information technology and physical security departments — areas within organizations that often have had only a passing acquaintance with one another.
“From the very beginning at Labor, we treated this as an HR, security and IT project,” said Patrick Pizzella, chief information officer and chief human capital officer at the Labor Department. Labor has issued HSPD-12 credentials to 60 percent of its employees, which is a high-water mark for compliance among the largest departments and agencies.
Comparing notes for the first time can be an eye-opener, said Daniel Chenok, a vice president at technology consulting firm SRA International. A federal client of SRA discovered, for example, that data collection associated with hiring new employees was, by turns, wastefully redundant and woefully inadequate.
Having identified the problem, “they were able to re-engineer the onboarding process” of employees for greater consistency and efficiency, said Chenok, who cited privacy in declining to name the client. CIOs and “HR and physical-security directors have not had to have the same type of interactive work arrangements as they have under HSPD-12. People get in the same room and discover things to streamline that they didn’t know about.”
And some things they do know about. As a member of the National Guard, Ivan Hurtt sat at a desk with three identical classified computers with the same level of clearance that couldn’t share data because they belonged to separate programs. At times, he toted a collection of security badges that looked like “a janitor’s key ring.”
“HSPD-12 is largely about sharing the right amount of data with the right people at the right time,” said Hurtt, product marketing manager at Novell Identity and Security Management. “This is about breaking down silos.”
Interoperability is key
Imagine building an interoperable security system that can control access to every building and validate the identity of every worker and first responder in Manhattan. Now contemplate implementing that system nationally, and you’ll have some idea of the scope and complexity of the challenges involved in meeting the goals of HSPD-12, said Patrick Hearn, who leads the identity market division at Oberthur Card Systems Security.
“Compliance on this is a long and complex process,” Hearn said.
Agencies are taking varied approaches to the challenge. The Defense Department, having issued millions of smart cards in advance of HSPD-12, is well ahead of the pack in meeting the new requirements. Other governmental organizations have barely begun to tackle the issue.
The Veterans Affairs Department is among a small number of departments and agencies that are developing in-house solutions. With 12 identity systems nationwide, VA is working to create a single, unified system that is interoperable with DOD’s Common Access Card program, a personal identity verification program that predates HSPD-12. By contrast, about 70 agencies have opted to participate in the General Services Administration’s Managed Shared Services program, an option that comes with its own challenges.
“GSA has a particular structure in place, and some agencies can’t electronically transmit information the way GSA wants to see it without making major changes to it,” said Randy Vanderhoof, executive director at the SmartCard Alliance, a nonprofit industry association that promotes smart-card technology.
Technical challenges abound. EDS, the primary integrator for GSA’s managed-services solution, has more than a dozen teams and subcontractors working on the HSPD-12 program. The HSPD-12 card uses 200-bit credential numbers, which are so large that they overwhelm the capacity of some existing hardware. Many building security systems still in use were developed 15 years ago. During a transition period, some agencies plan to introduce hybrid solutions that meet the requirements of advanced smart-card technology while retaining compatibility with existing physical security systems.
Technological advances are changing the way agencies view security systems, which in the past were seen as part of the physical plant. Systems in development to comply with HSPD-12 are more likely to be viewed as part of an organization’s IT systems portfolio, a disruptive shift in the status quo.
“Security directors and physical-plant people are not used to technology marching as rapidly as dictated by Moore’s Law,” said Roger Roehr, manager of the government market at Tyco. Moore’s Law holds that the transistor capacity of integrated circuits doubles every two years, a phenomenon posited by Intel co-founder Gordon Moore.
“You don’t see Moore’s law in air conditioning units,” Roehr said.
The upshot for federal agencies is the necessity for people working on HSPD-12 from different functional areas “to cooperate and understand each other and learn each other’s language. That has been a growth curve,” Roehr said. “The people and processes are always harder than the technology.”
Given the challenges of implementing HSPD-12, delays in implementation are hardly unexpected. Earlier this month, the Office of Management and Budget reported that less than 1 percent of federal employees and contractors have received the required secure identification cards despite a deadline of Oct. 27, 2007, for completing background checks and issuing credentials to federal employees and contractors with less than 15 years of government service.
“That, in some respects, results from a failure to make sure that agencies had the resources to meet the very ambitious timelines that were laid out,” said Lynn McNulty, a consultant who founded McNulty and Associates after retiring from the National Institute of Standards and Technology. NIST developed Federal Personal Identity Verification Standard 201, which specifies personal identity verification requirements for federal employees and contractors.
The next major deadline is Oct. 27 of this year, by which date federal agencies must issue credentials to all employees and contractors who require them in accordance with HSPD-12. Reports issued in the past six months by the offices of inspectors general for GSA and the Homeland Security Department made clear that the only suspense involving the deadline is the degree to which the government will collectively miss it.
DHS, for example, isn’t expected to meet the credentialing deadline until 2010.
The department is experiencing delays in implementing a technical solution and issuing compliant cards to its employees and contractors, the DHS IG’s report states.
Moreover, a number of technology vendors predict that HSPD-12’s thorniest challenges lie ahead. Despite various delays and setbacks, issuing cards is relatively easy. The hard part is using them to reliably manage building and computer access within and across agencies.
Expensive flash passes
In theory, a cardholder would use his or her HSPD-12 credential to access secure computer networks, cutting by an order of magnitude the vulnerability of networks protected only by user names and passwords. In addition, a smart card would provide access only to those areas of a network for which the cardholder has privileges. In the realm of physical security, a governmentwide interoperable system of identity verification would provide easy access for first responders and authorized personnel who need to move among the facilities of multiple agencies.
“The ultimate dream is [that] when an employee is no longer part of an organization, the HR department can press a button and have his paycheck, building access and network access stop simultaneously,” said Bryan Ichikawa, a solutions architect at Unisys Federal Systems.
Until such capabilities are available, Ichikawa said, smart cards issued by the federal government will amount to “the world’s most expensive flash passes.”
Labor’s Pizzella said Phase 2 of HSPD-12 compliance will be difficult, “but the first thing you have to do is issue the cards. If you can’t issue cards, the rest of it doesn’t matter. You walk before you run.”