Gov ID card program enters new phase

As most agencies get over the hump of issuing HSPD-12 computer identification cards to all employees and contractors, they must now tackle the next challenge of developing card-based security systems that will control access to government facilities and computer systems.

Getting there won’t be easy for many agencies unless they have carefully planned their HSPD-12 programs as a strategic necessity.

It has been five years since former President George W. Bush signed Homeland Security Presidential Directive 12 and nearly one year since federal agencies were supposed to have provided computerized Personal Identity Verification (PIV) cards to all of their employees and contractors.

HSPD-12 compliance by the numbers

Under Homeland Security Presidential Directive 12, agencies must issue computerized Personal Identity Verification (PIV) cards to all of their employees and contractors. Federal agencies must submit quarterly updates on their progress to the Office of Management and Budget. By the end of the fiscal 2009 third quarter, OMB reported:

4.6 million government employees required PIV credentials and 58.6 percent had received them.

1.25 million contractors required PIV credentials and 59.7 percent had received them.

64 agencies were using General Services Administration managed services to issue PIV cards.

25 agencies were using independent infrastructures to issue PIV cards.

90 percent or more of employees at these agencies had been issued PIV cards: GSA, Office of Personnel Management, Federal Reserve Board, Housing and Urban Development Department, Labor Department, State Department, Environmental Protection Administration, NASA, the National Science Foundation, OMB and the Social Security Administration.

Less than 10 percent of employees had been issued PIV cards at the Homeland Security and Veterans Affairs departments.

That didn’t happen, and many agencies are still well short of that goal. Agencies have issued about 60 percent of the nearly 6 million cards as of June 1 of this year, according to the Office of Management and Budget.

However, that is a substantial improvement compared to the status as of early last year, when agencies had issued fewer than 200,000 cards. By the October 2008 deadline, when agencies were supposed to have issued all the cards, only 1.5 million had been processed.

There are still some laggards — the Homeland Security Department has been one of the worst — but the list of those organizations that are far behind their PIV goals is shrinking.

Attention now is turning to what happens next when agencies are required to use those PIV cards, which contain a digital copy of holders' fingerprints and other unique digital identifiers. Initial deadlines under HSPD-12 called for agencies to use the cards to control employees’ access to information technology systems and networks no later than Oct. 27, 2009, and physical access to government facilities by Oct. 27, 2011.

Like the 2008 deadline for issuing the cards, agencies no longer consider the upcoming deadlines to be hard-and-fast targets, given the work ahead. Whereas issuing cards is basically a numbers game, keeping the cards current and building the back-end infrastructure to use them will require a different kind of effort.

“PIV-enabling applications is now the hardest part,” said Bill Erwin, program manager for HSPD-12 at the General Services Administration.

The value of PIV cards is their ability to allow agencies to control access to specific facilities and computer systems. Without that, the cards are nothing more than expensive equivalents of flash cards.

But that means analyzing applications to discover gaps in security systems and devising a holistic approach that marries identity management policies, procedures and access control systems.

“Those agencies that have not done well [with HSPD-12] are the ones that haven’t grabbed ahold of identity as an investment,” said Rick Hill, a principal at consulting firm Booz Allen Hamilton.

NASA has seen the benefits of that approach, and the agency is a leader on the HSPD-12 front.

NASA has issued more than 90 percent of the nearly 80,000 cards it will eventually pass out to users. That performance is impressive considering the complicated makeup of NASA's workforce. Only one-fifth are government employees; the rest are contractors and workers at universities, businesses and government entities around the world.

Helping its cause, NASA had a head start over other agencies. Even before HSPD-12, NASA was already designing several programs around identity management, issuance of smart cards, implementations of an enterprisewide physical access system and an e-authentication service.

When HSPD-12 came out, NASA's challenge became pulling together those initiatives under one umbrella. Agency officials opted to use the Zachman framework, a management technique used in enterprise architecture to model the relationships among business processes and IT systems.

The idea was to integrate loosely related security projects into an enterprisewide program that could help NASA meet HSPD-12 requirements, said Corinne Irwin, a program manager at the architecture and infrastructure division of the agency’s office of the CIO.

Using the Zachman framework, NASA officials identified integration points among the different projects. The framework also highlighted areas that weren’t being addressed by those projects, such as an agencywide logical access control system.

NASA's work has evolved into an identity, credential and access management architecture that the agency will use to meet its security needs beyond the scope of HSPD-12, Irwin said.

For example, NASA officials are consolidating into a single agencywide service a number of individual security systems located at different operations centers that use authentication methods other than HSPD-12 IDs.

“Starting with the credential management business architecture we had already developed for issuing PIV smart cards, we were able to very quickly validate the business requirements and processes for” this consolidation, Irwin said.

Closing the circle

Although the HSPD-12 program has specific deadlines, it doesn’t address how agencies should handle the ongoing maintenance of PIV cards after initial deployment. Agencies will need a process for tracking current cards, replacing lost cards, issuing cards to new employees and retiring the cards of people who leave government.

“HSPD-12 is much more than issuing the cards,” Hill said. “You also need to use them, but to do that, they have to be maintained.”

NASA and other agencies that have developed their own HSPD-12 programs have most of the infrastructure needed to handle maintenance. Other agencies — 64 overall, including large ones such as the Commerce, Justice and Treasury Departments — have chosen to employ GSA’s managed services to handle PIV verification and issuance.

The Labor Department is one of a few agencies that uses a hybrid approach. The department has already issued PIV cards to approximately 90 percent of its workforce of 18,000 employees and contractors using its own homegrown HSPD-12 program. But for the final 10 percent of its employees, mostly located in small towns with few people at each site, the department is finalizing an agreement for them to receive PIV cards from GSA service locations.

“We think picking that hybrid approach has been one of our best decisions,” said Tom Wiesner, the department’s acting chief information officer. “It gives us the best option for the ongoing maintenance of the cards.”

GSA has developed a new solution for agencies that still need to activate employees' cards in far-flung offices. It consists of a device for fingerprint capture and software that can be attached to any existing workstation. Local support personnel can install that software, which provides an easy solution that can be put into all federal buildings and doesn’t involve the expense of a dedicated activation system that specialist technicians must install and maintain.

“It also costs much, much less,” Erwin said, an obvious draw for cash-strapped agencies that must come up with the funds to pay for HSPD-12.

Agencies also can use this system to capture new employees’ fingerprints and transmit them electronically for clearance purposes instead of sending them by regular mail.

In recent pilot programs run by GSA, the turnaround time for clearances has been less than 24 hours. That means new employees can be issued PIV cards on the day they start work rather than waiting for as long as a week.