Rush, but verify

 

Connecting state and local government leaders

With an impending deadline, and despite a lack of working products, agencies race to get infrastructures ready for interoperable smart cards

Few people in the federal government or industry dare question the importance of Homeland Security Presidential Directive-12.But what federal and industry experts also say is that the aggressive deadline set by the administration for HSPD-12 compliance will be nearly impossible for most agencies to meet.Agencies and contractor-run government operations know the risks: They face the full spectrum of threats, from terrorist attacks to disruptions by hackers, and they recognize the importance of better securing federal facilities through more accurate identification of employees.And there is no doubt, experts say, that HSPD-12 will improve employee efficiency, save money in the long run and promote the use of e-authentication services.But the Office of Management and Budget has given agencies 10 months to get the back-end infrastructure in place and begin issuing smart cards that adhere to the Federal Information Processing Standard 201, Personal Identity Verification II. Experts say the rush to meet this arbitrary deadline could push departments to spend millions of dollars hurriedly and run the risk of error. They recommend the administration give agencies a little more time to make sure they get it right.'Agencies are trying to fill in the square, to be compliant without being fully mature and fully deep-down aware of what they are trying to accomplish,' said one government official involved in HSPD-12, who requested anonymity.Agencies must be ready by Oct. 27 to issue smart ID cards that are interoperable across all agencies, and include a two-finger biometric and digital certificate. Not all employees will have to have cards by the deadline, but agencies must issue the credentials to all new employees and contractors, and to all current ones as their ID cards expire. Over the next two years, all employees must transition to the new smart ID cards, according to OMB guidance issued last July.Additionally, agencies for the first time are required to integrate physical-access control with logical security.This requires a whole new level of cooperation, understanding and coordination among IT, human resources and physical security personnel, officials said.'OMB acknowledges the risk but also the benefits of improved security, and agencies are being asked to be aggressive,' said an OMB official who requested anonymity. 'There are several things that need to be accomplished before PIV II is implemented, and we will make sure these things are finished so they can get done what they need to.'The challenges in meeting PIV II are great, according to federal and industry officials. The administration has put forth an unfunded mandate asking for an entirely new set of technologies that industry has yet to develop even though the deadline is less than a year away, and many agencies are unfamiliar with how to design and implement smart-card systems.Only the Defense Department has made significant progress in this area'issuing more than 3.4 million Common Access Cards'while NASA, the General Services Administration, and the departments of Homeland Security, Interior and Veterans Affairs are among the agencies that either have piloted smart-card programs or have limited systems set up under the former Govern- ment Smart Card Inter-operability Standard.'The government has been doing this for five years and still is learning as we go,' said another government official who requested anonymity. 'This is a very esoteric technology, and I don't see a lot of agencies with a real good systems engineering team to make this happen. This is very technical and very challenging.'Neville Pattinson, director of government affairs for Axalto Inc. of Austin, Texas, a smart-card vendor, said implementing ID management systems usually takes two years in the private sector. But the government's endeavor is even more daunting.'The card and technology [are] leading-edge stuff,' he said. 'The dual interface really only began to emerge in 2005 and now is just being certified and integrated. It really will take two or three years to soak through all the agencies [and] for systems to be interoperable.'The lack of products and services also has slowed progress, according to agency officials. Unlike other system implementations, where there is at least a similar example either in industry or government, and some product or system meets at least some of the requirements, agencies are starting from scratch.'Agencies are having trouble piecing it all together,' said the second government official. 'Vendors usually do a good job selling their wares, but since you don't have anyone with a good example to show how it works, including DOD, a lot of people don't have the background to be able to see all the moving pieces.'The aggressive deadline has created unforeseen obstacles as well. It took almost a year to decide on the biometric standard, which delayed GSA and the National Institute of Standards and Technology in setting up labs to test products and services to make sure they conform to FIPS-201 and interoperability requirements.Curt Barker, NIST's PIV program manager, said the first approved smart ID card should be ready by early February and at least one issuance system is undergoing conformance testing.GSA, meanwhile, has yet to set up an interoperability lab and likely will not start testing until late spring, said David Temoshok, GSA's director of identity policy and management.To be fair, agency officials have praised NIST and OMB for their guidance and willingness to listen to agency concerns. And NIST, especially, has been given the Herculean task of developing in six months a FIPS document, which typically takes more than a year.All these issues could be overcome if there were products and services available, officials said. But GSA doesn't expect to set up a blanket purchasing agreement until late May. Then officials will have about five months to issue task orders, award contracts and implement systems.'Most agencies are getting ready to strike,' said the first official. 'It's like a SWAT team: We are getting stuff ready and waiting so when GSA says go, we can go.'Even once the contract for FIPS-201 products and services is available, agency and industry officials say the demand likely will overwhelm the supply.'There will be a huge demand for integrator services,' Axalto's Pattinson said. 'It will not be a big deal to serve the card volume, but the sheer volume of work for integrators is going to be interesting.'Barker said NIST is trying to give the product development effort a push. NIST issued a request for information in December, asking vendors to bring in products to demonstrate conformance to FIPS-201.Barker said 45 companies expressed interest, and NIST will begin testing the products by February.Barker added that NIST is working with GSA to have products and services approved in time to be placed on the BPA.'The availability of products is one factor, but there are more dominant factors in whether or not agencies will meet PIV II,' said Tim Grant, NIST's chief of the systems and network security group. 'Agencies have to adapt their business processes; there are technical challenges and resource issues. They also have to get all interested parties to work together.'Given all that agencies are facing, there is underlying grumbling among federal officials that the deadline is unattainable and OMB should consider pushing it back.But federal and industry officials disagree on whether OMB eventually will be convinced that the deadline must be pushed back.'This is important to the country, and it is good that OMB set a date that is challenging, but not enough people understand how to do this,' the second agency official said.Other officials said the October results will be mixed, with DOD, VA, DHS, Interior and NASA having the best chances of becoming compliant. DOD, for instance, will add a Java applet.No matter what happens to the deadline, officials recognize that the pressure for an interoperable smart ID card isn't going to go away.'A lot of good things have come from this so far,' said the second agency official. 'We aren't far from a huge success, but there still is a lot that has to fall into place.'
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.