GAO: HSPD-12 program needs clear goals
Agencies are foundering in their efforts to use smart identification cards, and they will continue to struggle until the administration establishes realistic, governmentwide milestones for employing all of the features of the cards, according to government auditors.
Agencies are to issue the cards to all federal employees and contractors. However, the Office of Management and Budget found that only 3 percent of federal employees and contractors had received them. All of the agencies surveyed by the Government Accountability Office in February missed an original October 2007 deadline for issuing the cards. On Oct. 23, four days before the deadline, OMB issued a memo offering to work with individual agencies to reach agreement on a new time frame.
Under questioning from lawmakers at a hearing last week, Karen Evans, OMB’s administrator for e-government and information technology, said her agency will work more closely with individual agencies to speed the process.
Rep. Brian Bilbray (R-Calif.) chided Evans for agencies’ lack of progress toward meeting goals associated with Homeland Security Presidential Directive 12, which requires federal employees and contractors to use computer-readable ID cards. The cards are meant to bolster the security of federal buildings and information systems and ensure interoperability governmentwide.
“There has been so little movement that there needs to be some priorities made here, and this is a very simple one that was laid out not just by the president but by the men and women that studied the 9/11 situation and said this is our No. 1 Achilles’ heel in the United States,” said Bilbray, ranking member of the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee, which held the hearing.
Evans agreed with GAO and lawmakers that the slow issuance is disappointing, but she added that agencies have made progress. “What’s critical here is getting the foundation and those business processes normalized and harmonized across the government so that you can trust it,” she said.
Once agencies issue cards, they still must decide where to install card readers.
Evans said OMB is working with each agency to analyze its risks and determine where card readers are necessary rather than establishing a single governmentwide requirement.
However, Linda Koontz, GAO’s director of information management issues, told lawmakers that OMB should pay more attention to installing card readers and the ways agencies can get more value from the cards’ electronic features.
Agencies that have the cards are not using their multifactor identification components, which means the $80 each ID costs is largely wasted, Koontz said. The fact that so few cards have been issued presents an opportunity for a “midcourse correction before we go on and issue more cards without being able to fully exploit their capabilities,” she said.
“It may be true that a card reader may not be needed at Yosemite National Park, but in the vast majority of cases, you are going to want to use some kind of electronic authentication,” Koontz said. “We need to put more emphasis on that rather than just emphasizing the issuance of the cards, especially in the cases where we are not bringing to use the electronic
Evans said OMB has made progress in working with agencies to establish the infrastructure necessary to begin using the IDs for secure access to information systems, another goal of the program.
Jeff Stratyner, manager of alliance solutions for Quest Software public sector, said the task of integrating back-end information systems to employ the electronic capabilities is difficult and different for each agency.
Stratyner said policy-makers could make the process easier by providing best practices for specific types of systems.
Ben Bain is a reporter for Federal Computer Week.