Deadline looms for personal identity card plans

With smart PIV cards now in the hands of most federal workers and contractors, agencies are being told to put them to use both for physical and logical access control. The technology is available, but some hurdles remain to fully implementing systems.

The clock is ticking as agencies rush to complete their plans for fully implementing the use of Personal Identity Verification Cards by the deadline, coming in less than three weeks.

The process started seven years ago with Homeland Security Presidential Directive 12.

Most government employees and contractors now have the cards, and readers and backend systems exist to use them, but hurdles remain to getting everything in place.

The Office of Management and Budget on Feb. 3 directed agencies to “develop and issue an implementation policy, by March 31, 2011, through which the agency will require the use of the PIV credentials as the common means of authentication for access to that agency’s facilities, networks, and information systems.”

The timeline in OMB Memo 11-11 is tight, but it should come as no surprise, said Judith Spencer, former co-chair of the Federal CIO Council’s Identity, Credential and Access Management Subcommittee.

“It’s not really new,” said Spencer, who this year left government to become policy management authority chair at CertiPath LLC. “OMB has been telling agencies they need to use these cards. All the memo says is, ‘do it.’”

The tools are available for using the smart PIV Cards, which contain cryptographic signing keys, digital certificates and biometric information for electronically verifying the identity of the holder, Spencer said.

“The technology is absolutely at a place where we can do this,” she said. “This is not rocket science.”

But NASA’s Tim Baldridge -- who is a rocket scientist -- said implementing the technology is not necessarily easy.

The challenge comes because identity management for controlling access to physical facilities has traditionally been separate from controlling access to IT resources, said Baldridge, who is also NASA’s Identity, Credential and Access Management architect. Merging the two under a single interoperable card is not necessarily simple, but the establishment of a standardized set of electronic credentials under HSPD-12 is making it possible.

“We’ve made a lot of progress,” Baldridge said. “Today we have a consistently deployed card that is interoperable across all enterprises.” At NASA, “we have a very mature access control methodology around IT systems, and we are using that same methodology on physical access.”

NASA began working on smart cards for identification in 2002, two years before HSPD-12, said Baldridge, who was project manager for the Common Badging and Access Control System. But CBACS was a program for physical access control, separate from the NASA Account Management System being developed for computer access control. The two efforts were merged after the release of HSPD-12 as ICAM.

“We have been extremely fortunate,” Baldridge said, in that NASA’s work on smart ID card development prior to the presidential directive was not wasted and could be incorporated into the standardized PIV Card system.

NASA is not alone in fielding effective physical access control systems for PIV. The General Services Administration is using the electronic card for physical access without problems, as is the State Department. The Federal Emergency Management Agency and other agencies are successfully implementing it.

Still, “physical access is where the federal government will face the challenge,” Spencer said. “The integrator community has to be educated.”

Electronically enabled access control is more mature for IT systems than for physical facilities, said Jeff Nigriny, CEO of CertiPath, which operates a certificate authentication bridge for the defense and aerospace industry that is cross-certified with the Federal Bridge Certification Authority, and also evaluates physical access systems for agencies.

“On the logical side, there are a lot of standards for PKI access,” he said. “PKI for physical access doesn’t have nearly the same body of work available.”

Physical facilities, which can include individual offices, old and new buildings, campuses and bases, have access control systems that range from rudimentary and outdated to state-of-the-art. These are updated less frequently than computer systems are refreshed, and replacing them can require more physical labor than upgrading software or IT hardware.

Upgrades will not necessarily solve all problems. Many of the systems do not work as advertised, and the people installing them did not understand the Public Key Infrastructure that underlies certificate authentication, Nigriny said. It is not that the hardware and software of physical access control systems do not work, but they often are not configured properly to accept the proper certificates. “There is a basic lack of understanding about how PKI works,” he said. “That is what we are finding again and again.”
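The misconfiguration Nigriny describes, a working reader that still will not accept the proper certificates, usually comes down to which trust anchors and checks the access-control system has been configured with. The Go program below is an added example and is not code from the article, NASA or CertiPath: it builds a constructed issuing CA and a PIV-style card authentication certificate, then puts a reader configuration that rejects the card (trusting the wrong anchor, or none) beside one that chains it correctly and also checks validity period and key usage. The CA and holder names, the `ReaderConfig` type and the `Admit` check are assumptions made for illustration; the certificate policy OIDs a real PIV deployment would also check are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key, standing in for a key held on a card or by a CA.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign serializes tmpl, signed by parent with parentKey, and parses the result back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewIssuingCA creates a self-signed CA. Constructed: it stands in for an agency
// issuing CA whose trust chain a real reader would have to be configured with.
func NewIssuingCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// NewCardAuthCert issues a PIV-style authentication certificate for a card holder,
// usable for client authentication, signed by the issuing CA.
func NewCardAuthCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, holder string) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// ReaderConfig is the trust configuration of a door reader or PACS head end
// (hypothetical type for this example).
type ReaderConfig struct {
	Roots *x509.CertPool // trust anchors the reader accepts chains to
}

// Admit decides whether the certificate read from the card is acceptable: it must
// chain to a configured trust anchor, be inside its validity period at "now", and
// be marked for client authentication. A reader with no anchors admits nobody
// rather than silently falling back to the host's system roots.
func (r ReaderConfig) Admit(cardCert *x509.Certificate, now time.Time) error {
	if r.Roots == nil {
		return fmt.Errorf("reader has no trust anchors configured")
	}
	_, err := cardCert.Verify(x509.VerifyOptions{
		Roots:       r.Roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	agencyCA, agencyKey := NewIssuingCA("Agency Issuing CA (constructed)")
	vendorCA, _ := NewIssuingCA("Vendor default CA (constructed)")
	card := NewCardAuthCert(agencyCA, agencyKey, "Card holder (constructed)")

	// Misconfigured reader: trusts the installer's default CA, not the agency's.
	wrong := x509.NewCertPool()
	wrong.AddCert(vendorCA)
	fmt.Println("wrong anchor:", ReaderConfig{Roots: wrong}.Admit(card, time.Now()))

	// Correctly configured reader: the agency CA is the trust anchor.
	right := x509.NewCertPool()
	right.AddCert(agencyCA)
	fmt.Println("right anchor:", ReaderConfig{Roots: right}.Admit(card, time.Now()))
}
```

The rejection in the first case is an UnknownAuthorityError from the standard library: the card and its certificate are fine, and only the reader's trust configuration is wrong, which is the situation Nigriny describes.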

For this reason, Nigriny expects that a good number of agencies will fail to make the deadline for completing acceptable plans for PIV implementation. “Clearly, not every agency is going to be able to do this,” he said.

But he does not believe that the OMB mandate is premature.

“You need to start somewhere,” he said. “It’s not too early, but it’s the early days. Now is not a bad time to require it. You have to lead the technology when you’re a policy maker at the OMB level.” Companies will have time for their solutions to mature, he said. “Installation won’t begin for about a year, and industry moves very quickly.”

Baldridge agreed. “The technology is ready,” he said. “The timing of the OMB memo is based on that realization. It’s ready to use, so you need to use it.”