Posted: Fri Sep 24, 2010 8:55 am Post subject: HSPD-12 compliance
By Jill R. Aitoro, firstname.lastname@example.org
Universal identification standards streamline access to buildings and computer networks, but not without some glitches.
In the wake of Sept. 11, 2001, the Bush administration staked out a defensive line against terrorist attacks, espionage and cyber threats with its Homeland Security Presidential Directive 12, or HSPD-12. It’s smart in concept, but difficult in execution.
The theory behind the directive is to develop a common identification standard that ensures that people are who they say they are, so government facilities and sensitive information stored in networks remain protected. HSPD-12 requires agencies to issue smart cards to federal employees and contractors.
The plastic credentials, about the size of a credit card, are outfitted with a microchip that can be loaded with personal data. They replace existing flash-card badges, so named because the holder simply flashes the badge at a security guard. Typically a guard glances at the badge without verifying that it is valid or that the picture matches the badge holder.
The microchip stores personal information, including biometric data. When the smart card is inserted into a reader it will match the cardholder’s fingerprint to a database of fingerprints collected when cards are issued. If the match is verified, the system gives the holder access to federal buildings or a network, if logging on to a computer.
A federal employee or contractor waves the card in front of a reader, which is linked to a system that accesses the stored fingerprints and other information about the cardholder. The system checks the data on the microchip against the database to determine who the person is and whether or not he or she has the proper clearance to enter the building. A computer scans the same card to determine whether the person is allowed on a government network, and, ideally, what files and applications the holder can access.
In 1999, the Defense Department led agencies in the adoption of smart cards with its Common Access Card initiative. By 2007, Defense had issued more than 13 million common access cards to active military personnel, civilian employees and eligible contractors, and reported that 3 million CACs were in circulation. Now the department is upgrading the access systems and transitioning employees to the next generation of cards, which comply with Federal Information Processing Standards, known as FIPS 201, for personal identity verification.
The Office of Management and Budget set milestones for implementation, leading up to a final Oct. 27, 2008, deadline for agencies to complete all background checks and to issue cards to all employees and contractors.
How smart card badges will affect day-to-day operations remains to be seen. Employees and contractors shouldn’t see too much of a difference in gaining physical access. In fact, the process of entering a federal building could become easier if the technology works as planned. The interface means the cardholder no longer has to swipe a badge through a reader, and advances in smart-card technology eventually will allow employees to walk right in without as much as a pause.
The computer access part of the process could be a bit more cumbersome, although advantageous, if agencies decide to incorporate additional identity management capabilities into the cards. According to the HSPD-12 mandate, employees and contractors must use the cards to log on to a government network. Agencies, however, have not completely deployed applications that regulate access to network drives, files and databases.
But agencies might take the opportunity to link more standards to the credentials. The identity number associated with the card could be stored in the active directory, for example, and system administrators could link that data to an approval process for accessing specific applications and files. Such parameters would help lock down systems, though employees could get a rude awakening when trying to access files that are no longer available to them.
Agencies have struggled to keep up with HSPD-12 deadlines. For example, they were required to complete background checks for employees and contractors who had worked for the federal government for 15 years or less by Oct. 27, 2007, and to begin issuing new identity cards that included fingerprint data. Not one agency met the deadline.
Technical difficulties caused them to miss the goal. Cards didn’t meet guidelines when tested by the General Services Administration, requiring agencies to fix them. In addition, identity access systems didn’t integrate easily with existing access control systems. Delays in certification and accreditation standards for required technical components, such as the computer systems that store the data and changes to guidelines for card topography, set back planned rollouts even more.
To push agencies to meet the mandate’s goals, OMB began to require quarterly progress reports. The first was due in March 2008. OMB released a report in April indicating that 97 percent of employees and contractors have yet to receive their new identification badges. In total, agencies must conduct background checks and issue new IDs to 4.3 million employees and 1.2 million contractors. According to the report, checks have been completed for 59 percent of employees and 42 percent of contractors, and 143,260 employees and 36,102 contractors have been issued cards. Previously, agencies were supposed to detail their progress by posting the reports on their Web sites, but few complied. Now reports are submitted to OMB.
HSPD-12 has generated debates about privacy and workplace rules. For example, a group of scientists and engineers at NASA objected to the background checks required for card issuance, saying they were intrusive.
Employees at other agencies protested the background checks because they said complying with HSPD-12 was costly. In addition, because HSPD-12 is based on wireless technology, employees have expressed concern that their personal data could be captured by someone who is unauthorized to obtain the information. OMB responded by requiring employees to keep their cards in protective sleeves when not in use, but some believe the solution is impractical and unreliable.
Rolling Out IDs
Before they can mass produce smart cards, agencies must take steps to make sure the application process is not disruptive for employees and day-to-day operations, according to industry and government security professionals. Typically, that means a gradual rollout. Agencies can prioritize who gets a card first by considering job functions, starting with individuals who have higher security clearances, for example. Agencies should consider other factors as well, such as the location of employees and where they have to apply for their cards. The Labor Department, for example, focused first on employees and contractors at regional centers because they were difficult to mobilize, followed by headquarters staff. By contrast, the Education Department issued cards first to headquarters workers who are involved with mission-critical operations, and then to those in field offices.
Once a schedule is in place, agencies should delegate implementation and management of the HSPD-12 program to various offices, rather than putting responsibility for the entire project on the chief information officer. For example, the human resources office could perform background checks and maintain a central database of employees’ personal information, while the procurement group manages logistical support and purchases the cards. The information technology staff, with help from industry, could oversee integration and upkeep of systems.
Agencies should give employees and contractors updated information to make sure they understand expectations and to foster cooperation. The process for card issuance, updates and replacements should be clear and efficient, and involve little time on the part of an agency or employee. The process will improve as it becomes more ingrained.
For agencies that prefer not to oversee the process themselves, GSA offers a managed services contract to assist them with HSPD-12 planning, system integration and card issuance. Numerous IT industry partners provide varying degrees of support as well. The Veterans Affairs Department, for example, tapped EDS, an IT consulting firm based in Plano, Texas, to support the distribution of HSPD-12 cards to more than 200 medical and benefit sites nationwide, provide training for VA officials issuing the cards, and establish warehouse, staging and shipping facilities.