Reality of HSPD-12 settles in

The deadline for federal agencies to begin issuing computer-readable identity cards has come and gone, but it was only one step on the road to making federal buildings and information systems more secure. The Oct. 27 deadline for complying with Homeland Security Presidential Directive 12 required agencies — at a minimum — to issue a standards-compliant personal identity verification (PIV) card to one agency employee. Agencies must issue the cards to all their employees and many contractor employees by Oct. 27, 2008.

Agencies must begin using the advanced capabilities of the cards by the 2008 date, too. But agencies face monumental cost and implementation hurdles. The PIV program will remain a management challenge even after the rush to distribute the cards is complete, HSPD-12 experts say. Agencies that track the HSPD-12 program said they could not reliably estimate how many PIV cards agencies have issued so far.

“Card issuance is a small part of the whole deal,” said Deepak Kanwar, director of the Borderless Security business unit of information security firm SafeNet. “It’s the life cycle management that’s big. Cards will be one of the smaller things.”

However, Kanwar said, agencies are doing little more than handing out cards. “I don’t think they’ve done enough foundation work to make [HSPD-12] meaningful,” he said. “Funding is still a problem and, at best, they’re doing the bare minimum. Middle of next year is probably when people will start deploying it in a much more manageable manner.”

HSPD-12 program costs will include establishing card and certificate management processes and providing building and information systems access. The Oct. 27 deadline does not require agencies to install card readers for access to buildings. But that will be a future requirement, and the costs of adding that capability are a concern now because agency officials must think ahead.

For example, when cardholders leave their jobs, agency officials must remove the access privileges from the cards even if no one is using them. Until card readers are widely available, agencies’ security employees will visually inspect the PIV cards as they would with any other photo identification cards.

The two major federal providers of HSPD-12 cards — the Interior Department’s National Business Center and the General Services Administration’s three-month-old HSPD-12 Managed Services Office — offer services related primarily to card distribution. They offer few other services.

Michel Kareis, director of the GSA office, said it delayed offering building access controls and card readers because of the rapidly approaching Oct. 27 deadline and the amount of work those next steps will take.

“The next two years is getting through the rest of the process,” Kareis said, referring to the time between now and the 2008 deadline.

Kareis said the office has begun planning the next step, which will be PIV-compliant building access controls. Each agency has different plans for adding card readers to control access. “If I have a public facility or data that’s open to the public, there wouldn’t be a need to supply that level of security because it’s risk-based,” Kareis said. Likewise, an office in which only two people work probably can’t justify the expense of installing a PIV card reader.

Meanwhile, several vendors have rushed forward to offer their services. The Federation for Identity and Cross-Credential Systems announced Oct. 25 that three of its member companies — EDS, Northrop Grumman and SRA International — have begun issuing PIV-compliant cards to employees working on federal contracts so that they complete that requirement ahead of schedule.

Other providers think the next step should be the easiest one.

“I think the next pragmatic step will be the use of the cards for interagency access,” said Scott Price, vice president of Homeland Security Solutions at General Dynamics Information Technology. “That’ll be the path of least resistance.”

Kareis added that the Oct. 27 deadline is only the beginning of HSPD-12 compliance. Agencies will face big management issues and costs even after the 2008 deadline.

“There is no endgame for issuing credentials,” she said.