GAO: HSPD-12 program needs clear goals

By the numbers

The Office of Management and Budget initially set a deadline of Oct. 27, 2007, for agencies to issue electronic identification cards to employees and contractors who had been with the agency for 15 years or less. Agencies are to issue cards to more senior employees and contractors by Oct. 27.

OMB’s governmentwide figures, as of March, showed these percentages.

3 percent, or 143,000, employees had received cards.

3 percent, or 36,000, contractors had received cards.

59 percent, or more than 2.5 million, federal employees had completed necessary background investigations.

42 percent, or more than 500,000, contractors had completed necessary background investigations.

— Ben Bain

Agencies are foundering in their efforts to use smart identification cards, and they will continue to struggle until the administration establishes realistic, governmentwide milestones for employing all of the features of the cards, according to government auditors.

Agencies are to issue the cards to all federal employees and contractors. However, the Office of Management and Budget found that only 3 percent of federal employees and contractors had received them. All of the agencies surveyed by the Government Accountability Office in February missed an original October 2007 deadline for issuing the cards. On Oct. 23, four days before the deadline, OMB issued a memo  offering to work with individual agencies to reach agreement on a new time frame.

Under questioning from lawmakers at a hearing last week, Karen Evans, OMB’s administrator for e-government and information technology, said her agency will work more closely with individual agencies to speed the process.

Rep. Brian Bilbray (R-Calif.) chided Evans for agencies’ lack of progress toward meeting goals associated with Homeland Security Presidential Directive 12, which requires federal employees and contractors to use computer-readable ID cards. The cards are meant to bolster the security of federal buildings and information systems and ensure interoperability governmentwide.

“There has been so little movement that there needs to be some priorities made here, and this is a very simple one that was laid out not just by the president but by the men and women that studied the 9/11 situation and said this is our No. 1 Achilles’ heel in the United States,” said Bilbray, ranking member of the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee, which held the hearing.

Evans agreed with GAO and lawmakers that the slow issuance is disappointing but she added that agencies have made progress. “What’s critical here is getting the foundation and those business processes normalized and harmonized across the government so that you can trust it,” she said.
Once agencies issue cards, they still must decide where to install card readers.

Evans said OMB is working with each agency to analyze its risks and determine where card readers are necessary rather than establishing a single governmentwide requirement.

However, Linda Koontz, GAO’s director of information management issues, told lawmakers that OMB should pay more attention to installing card readers and  the ways agencies can get more value from the cards’  electronic features.

Agencies that have the cards are not using their  multifactor identification components, which means the $80 each ID costs is largely wasted, Koontz said. The fact that so few cards have been issued presents an opportunity for a “midcourse correction before we go on and issue more cards without being able to fully exploit their capabilities,” she said.

“It may be true that a card reader may not be needed at Yosemite National Park, but in the vast majority of cases, you are going to want to use some kind of electronic authentication,” Koontz said. “We need to put more emphasis on that rather than just emphasizing the issuance of the cards, especially in the cases where we are not bringing to use the electronic
capabilities.”

Evans said OMB has made progress in working with agencies to establish the infrastructure necessary to begin using the IDs  for secure access to information systems, another goal of the program.

Jeff Stratyner, manager of alliance solutions for Quest Software public sector, said  the task of integrating back-end information systems to employ the electronic capabilities is a difficult task and different for each agency.

Stratyner said policy-makers could make the process easier by providing best practices for specific types of systems. 

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected