The year ahead in policy

President's focus will be on systems consolidation and interoperability

Aug. 27, 2004, was an unusual day at the White House. President Bush issued four executive orders and two presidential directives establishing new policies linked to the use of information technology.

The sheer number and scope surprised some federal officials. Lee Holcomb, chief technology officer at the Homeland Security Department, said DHS officials and others are studying how the president's broad new directives for screening people, cargo and transportation vehicles fit with existing terrorist screening programs.

Similar overlaps exist among intelligence-sharing initiatives and the president's Aug. 27 "Executive Order Strengthening the Sharing of Terrorism Information to Protect Americans." But the order acknowledges the potential for overlap. It creates an Information Systems Council to advise the president on consolidating and eliminating redundant terrorist information-sharing programs, systems and processes.

Even before Bush signed a 600-page intelligence reform and terrorism prevention bill last month, news reports occasionally mentioned an executive order issued Aug. 27 that authorized many of the reforms in the legislation. Nothing in the bill contradicted what the president had already ordered, said Stephen Wayne, professor of government at Georgetown University.

Several significant policy stories to watch in 2005 began as presidential directives and executive orders. Will the new policies produce real progress on intelligence reform this year? How quickly can federal officials issue standardized smart cards to secure access to all federal buildings and federal information systems? How far will federal officials go in expanding terrorist-related screening activities?

In April 2004, the president issued an executive order authorizing federal incentives to create a national health care IT infrastructure but restricting new funding for it. Will the policy begin producing results in 2005?

Other policy stories to watch include the Bush administration's recent revisions to Office of Management and Budget policies. How will federal executives respond to demands for greater financial accountability? These are some of the questions that will keep policy watchers tuned to the White House.

Making intelligence reforms a reality

The nation's intelligence apparatus could get a major facelift in 2005 because of the Intelligence Reform and Terrorism Prevention Act of 2004, but few policy experts expect quick changes. A new director of national intelligence will be in charge of strengthening intelligence, creating a national center for counterterrorism and expanding intelligence sharing across all levels of government.

"It's going to take some time," said Lee Strickland, a former CIA agent who is now a visiting professor of information studies at the University of Maryland.

The new intelligence director will oversee 15 civilian and military intelligence agencies and about a $40 billion budget. But the director's control of operations and programs, including technology-related ones, will be limited, Strickland said. The director will also have to compete with other intelligence players for the president's attention, he said.

The National Counterterrorism Center will have a significant role in overseeing security operations. "It certainly appears the [center] will have the lead in collecting, analyzing and disseminating terrorism-related information and in the development and monitoring of domestic counterterrorism efforts," said John Cohen, a homeland security adviser to the governor of Massachusetts.

Strickland said the center won't diminish the Homeland Security Department's role in counterterrorism. The center's function is to advise the president, he said. DHS officials advise the nation.

Another significant requirement of the new law is the creation of a framework and details for exchanging terrorist threat information among all players. A presidential executive order issued last August jump-started work on a nationwide information-sharing infrastructure.

The intelligence law also has provisions for improving transportation, border and maritime security. It provides minimum standards for birth certificates, driver's licenses and Social Security cards, and it authorizes the expanded use of biometric technologies in travel documents.

Stronger federal IDs to be required

With Homeland Security Presidential Directive 12, Bush essentially ordered all federal agencies to stop using flash passes. Federal officials are concerned, however, about how quickly and painlessly they can respond to the directive.

The directive compels federal agencies to adopt stronger security standards and procedures for issuing identity credentials to employees and contractors. For instance, all federal agencies must begin using smart cards to verify the identities of employees and contractors who need access to federal buildings and information systems.

The cards must be capable of providing various levels of computer security, depending on the application. They must be resistant to identity fraud, tampering and terrorist exploitation. They must be electronically verifiable and issued by providers whose reliability has been established by an official accreditation process. Most importantly, the cards issued by one federal agency must be compatible with the smart card readers and card management systems at other federal agencies.

Donna Dodson is a senior computer scientist at the National Institute of Standards and Technology, which must issue technical standards before the end of February to comply with the directive.

"It's a big mandate for NIST," she said, "and an even bigger mandate for federal agencies."

Before the directive was issued, federal officials at agencies that had begun using smart cards only had to agree on standard specifications and procedures within their own agencies. Achieving interoperability among all federal agencies "is going to be hard, and hard decisions are going to have to be made," Dodson said.

For those reasons, a presidential directive requiring stronger federal identity credentials is probably necessary, said Rick Simmons, a vice president of Oblix, which specializes in network identity management. "If you don't have that highest level of support, it's hard to get momentum for projects like that," he said.

The directive might also set a precedent. "This may presage other interesting uses of [presidential] directives for things that are important to get done uniformly across the government, whether they are technology or policy," said George Schu, vice president for public-sector business at VeriSign. He said most people recognize that interoperability "makes a whole lot of sense for homeland security."

Expanded screening to stop terrorists

A presidential directive that citizens' rights groups will be watching closely in 2005 authorizes expanded terrorist-related screening. People, cargo, transportation vehicles and anything else that could pose a threat to homeland security could be screened.

Homeland Security Presidential Directive 11 also requires that officials screen in a manner that safeguards legal rights and avoids disrupting commerce and transportation.

Few people, however, have detailed knowledge of this directive. It basically endorses a strategic, governmentwide approach to terrorist-related screening, said Anna Hinken, spokeswoman for DHS' U.S. Visitor and Immigrant Status Indicator Technology program, under which the new screening efforts will occur.

More than a dozen departments and agencies, including DHS, are working under the expanded screening mandate, Hinken said.

Others include the CIA; the Agriculture, Commerce, Defense, Education, Justice, State, Transportation and Treasury departments; the Department of Health and Human Services; OMB; and the Office of Personnel Management.

If fully implemented, the directive would create a comprehensive terrorist screening program affecting immigration, law enforcement, intelligence, counterintelligence, border protection, commerce, transportation and critical infrastructure.

Bruce McConnell, president of McConnell International, said much about the edict is unclear. However, he added, "US-VISIT will be one of the main tools that makes [the directive] work."

The first requirement was a report delivered in November 2004 that outlined plans for implementing the directive. Bush administration officials would not comment on the report.

Lara Flint, staff counsel at the Center for Democracy and Technology, agreed that the directive's aims remain unclear. She also doesn't understand how it meshes with existing screening initiatives and programs such as US-VISIT and the Transportation Security Administration's Secure Flight passenger screening program.

Flint said she has not seen the report, but she said it most likely documents existing programs and describes ways to develop them further.

And as that occurs, people must make sure citizens' rights are safeguarded, she said. "As we move toward more and more screening points in society, the need for appropriate redress mechanisms is going to become more and more acute," she said. "What we need, in my view, is a redress mechanism that goes across government agencies."

Incentives for electronic health records

Lawmakers cut $50 million from the president's budget this year for the Office of the National Health Information Technology Coordinator. But health care IT advocates say they still expect Bush administration officials to aggressively promote electronic health records in 2005.

Despite the budget cuts, the president remains committed to a nationwide plan for converting to electronic health records, said a spokeswoman for Dr. David Brailer, national health IT coordinator at HHS.

A need for greater efficiency and safety in the health care system will overcome any budget blips, said Scott Wallace, president and chief executive officer of the National Alliance for Health IT, an advocacy group.

Because the federal government pays roughly a quarter of the nation's total medical bill through Medicare, Medicaid, and military and veterans' health programs, administration officials cannot afford to ignore the possible savings from using digitized health records, Wallace said.

Janet Marchibroda, CEO of the eHealth Initiative, which advocates the use of electronic records, said important health care IT programs survived intact in the 2005 budget, and they will help in establishing a nationwide infrastructure for e-health records.

One of the surviving programs is the Centers for Medicare and Medicaid Services' Doctors' Office Quality-Information Technology Program, which offers incentive payments to physicians who use electronic health records in their practices.

Marchibroda also said officials at HHS' Agency for Healthcare Research and Quality have awarded more than $96 million in grants to 100 organizations from the department's fiscal 2005 budget for setting up health IT systems in community clinics and hospitals.

Additionally, the health care research agency has provided a total of $25 million in funding to five states — Colorado, Indiana, Rhode Island, Tennessee and Utah — to develop statewide health care IT networks. They will serve as building blocks for a nationwide infrastructure for e-health records, Marchibroda said.

Greater federal financial accountability

A bevy of stricter internal financial controls, which are being called Sarbanes-Oxley for Feds, will become mandatory for federal executives by October 2005.

The new requirements appear in a revised version of OMB's Circular A-123, the compliance rulebook for the Federal Managers Financial Integrity Act. The revised circular will require federal officials to improve how they document and test internal financial controls. Agencies with patterns of weak controls will be subject to independent audits.

The changes will mean added costs for federal agencies, say people who helped craft the new rules as part of a joint committee of officials from OMB, the Chief Financial Officers Council and the President's Council on Integrity and Efficiency.

The greatest costs will be for documentation, said Jim Taylor, Commerce's assistant CFO. "All the Cabinet departments are going to have significant investments in making sure that they can put this information together," he said.

The fiscal 2006 deadline for agency compliance won't be easy, but officials can find ways to keep expenses down, Taylor added. "You decentralize the approach, you establish a formula, you verify, you have the bureaus perform it," he said.

The need for stronger policies on internal financial controls became apparent after committee members compared government reporting requirements with private-sector requirements created in the Sarbanes-Oxley Act of 2002.

Committee members decided that if more exacting controls are a good thing for companies, it made sense to match them on the federal side, said Elliot Lewis, assistant inspector general at the Labor Department.

Unlike Sarbanes-Oxley, however, OMB's circular contains no language threatening to send agency chiefs to jail for poor financial oversight.

Federal executives will comply because "no agency head wants to be in the position of not being able to give a positive assurance on this," said Linda Springer, OMB's controller. "It's going to be very highly spotlighted."

Compliance procedures will be explained in an implementation guide set for release early this year.

Bob Brewin, Florence Olsen, David Perera, Dibya Sarkar and Aliya Sternstein contributed to this article.
