HSPD-12 card may promote information sharing

Use of the common process for identity management and authentication should increase trust among agencies.

Once agencies meet the deadline later this month to issue personal identity verification cards to all federal employees, agencies could start to find other uses for the smart card, said Dave Wennergren, deputy chief information officer at the Defense Department and vice chairman of the federal CIO Council.

The smart card provides for a common process to assure identity authentication under Homeland Security Presidential Directive 12. Agencies are supposed to have distributed the cards by Oct. 27 to federal employees and contractors with access to agency facilities, according to directions from the Office of Management and Budget.

The governmentwide card is a first step toward promoting trust and information sharing among agencies, Wennergren said. The next step is finding more ways to use the HSPD-12 card.

“One of the ways you can use it is about trust across organizations. I think it’s more about policy and process than having to change the nature of the card,” Wennergren said Oct. 8 at an identity management conference sponsored by the Information Technology Association of America.

Agencies can let employees use the smart card for physical access when they move between agencies. Among its goals, HSPD-12 aims to raise the bar on physical and eventually logical security across the government. Individually that happens because people move away from flash passes to use of public-key infrastructure credentials in their agencies, but it has to happen across agencies, too.

“That’s something we need to make a priority this year,” he said.

Agencies are only now distributing the cards in large enough quantities that interoperability could happen, he said. The CIO Council’s recently created Security and Identity Management Committee will determine what it will take for agencies to accept and trust a card issued by another agency when their employees come to their facility to visit and conduct business, he said.

The power of the card is that the information embedded in it, once agencies install card readers, tells the facility guard that the card is not fraudulent and that the person is a member of that community, he said.

DOD also is considering how it can advance the information-sharing component of physical access security to make it a service based on the data used for identity management, Wennergren said. He cited the example of DOD’s Maritime Domain Awareness program, a multiagency effort that describes the data it receives, makes the data discoverable and shares it within its community.

DOD recently established the Enterprise Guidance Board under the CIO Executive Board to determine which services need to be deployed enterprisewide and to make sure that potential services have a business case, are funded and are put in place, Wennergren said.

“We’ve already done collaboration, content staging and content discovery,” he said. “The one we’re putting a lot of energy into this month is putting an identity service together.”

The Air Force is leading the team that is developing the architecture for it, which the Enterprise Guidance Board expects at its meeting later this month, he said.