Agencies struggling with identity controls

The first real deadline under Homeland Security Presidential Directive-12 falls on Oct. 27'that's this Thursday'and there is widespread uncertainty about how many agencies will comply.While some agencies are ahead of the curve in meeting Part One of the Federal Information Processing Standard-201, there is evidence that many will miss the deadline for a very simple reason: They don't know about it. What's more, the Office of Management and Budget doesn't plan to check up on compliance, at least not right away.In a survey of 101 federal IT managers, 52 percent said their agencies would not comply with FIPS-201, Part One, known as Personal Identity Verification I (PIV I). And the main reason, according to the survey, is that 50 percent of the respondents said they hadn't heard of HSPD-12.'We are less than a week away, and the survey is a good indicator that agencies are not good to go with PIV I implementation,' said Jim Ganthier, worldwide director for defense, intelligence and public safety solutions for Hewlett-Packard Co., who sponsored the survey. 'Agencies that we work with still are asking a lot of questions about how to comply.'Under PIV I, agencies must set up new identity-proofing, registration and issuance processes, or modify existing ones, to meet the standard. Agencies have until Oct. 26 next year to comply with PIV II, which calls for them to begin implementing interoperable smart-card systems.The survey, performed by O'Keeffe and Co. of Alexandria, Va., posed a variety of questions to feds at different levels, ranging from GS-13s to Senior Executive Service members, and in positions such as executive managers to program mangers to contracting officers.But the survey alone is not the only evidence that agencies are struggling with PIV I. Agency officials said the slow rollout of final guidance documents, the lack of requested funding and the short time frame all hampered efforts to comply with PIV I.'There is a lot of concern for agencies on what it means to be PIV I compliant,' said Judith Spencer of the General Services Administration's Office of Governmentwide Policy and chairwoman of the Federal Identity Cre- dentialing Committee. 'Every agency has an identity proofing and enrollment process for new employees. It is a matter of figuring out where the gaps exist and making necessary changes to the policies and procedures.'Spencer's group recently issued the third iteration of the Identity Management Handbook with a PIV I checklist to help agencies meet the requirement.'We went through all the documentation available and asked what agencies needed to become PIV I-compliant,' Spencer said. 'The checklist gives agencies the opportunity to identify gaps in their processes and how they will implement the new processes on Oct. 28.'Karen Evans, the Office of Management and Budget's administrator for IT and E-Government, expects all agencies to meet the deadline.'We have no choice but to meet the dates,' Evans said earlier this month at the Identity Management Conference in Arlington, Va., sponsored by the Information Technology Association of America. 'We are aware they are aggressive dates and there are risks associated with it. But the improvements since Sept. 11 [2001] are marginal, and it is necessary to have ag- gressive dates.'OMB, however, will not know for sure if agencies meet the deadline, because departments are not required to submit compliance information to the White House.'It is the agency's responsibility to determine if they are compliant with part one of the standard,' Evans said. 'The head of the department must approve the process in writing, which OMB could verify.'She added that OMB will conduct follow-ups on an as-needed basis, and the agency's inspector general also will conduct reviews.Still, agency officials recognize the importance of the directive. Many agencies are modifying existing processes to meet PIV I, while a few others are starting from scratch, Evans said. It depends on how closely their current processes map to PIV I, she added.At the Department of Housing and Urban Development, modifying existing processes worked well.Laurence Firth, HUD's director of space management and PIV I project manager, said the agency will meet the Oct. 27 deadline because it just had to add two new steps to comply with PIV I's five-step process.'We had three steps in place already,' he said. 'We had a one-stop shop, but now we have to have one person take the picture and another put the picture on the identification card.'HP's Ganthier said most agencies are following HUD's example and doing 'smart additional design.' He said many agencies the company works with are adding to existing infrastructures, and when the infrastructure doesn't exist, it will be more of a struggle to become compliant.For example, when HUD hires an employee under the new process, officials will perform an FBI fingerprint and background check instead of issuing an ID card immediately. Five days later, the new employee will receive a temporary card, then undergo the National Agency Check, which checks criminal and other databases, before receiving a permanent card. This could take a few days to a few weeks, experts say.Firth said HUD also will publish an agencywide PIV handbook to help bureaus and field offices understand what it means to be compliant.'This seemed very complicated at the beginning, but we worked through a lot of issues to get us where we are now,' he said. 'Because vendors and GSA have no compliant-ready solutions, the whole process has become very challenging.'