EPA takes a mixed approach

Agency chooses a hybrid method for meeting HSPD-12

Agency ensures its hybrid model gets mileage

The Enivornmental Protection Agency is taking on Homeland Security Presidential Directive-12 is one of the most challenging ways to meet the mandate, said Wes Carpenter, EPA's director of security management. Carpenter offered these tips on how to ensure the approach goes smoothly:

Collaboration is key. Work with senior management and key stakeholders, as well as the Office of Management and Budget and the General Services Administration, to extract key information and move in that direction.

Plan before you go. A hybrid approach takes more planning than do others. EPA had to coordinate internally and externally to ensure all facilities' needs will be met.

Patience is a virtue. Developing project plans, hiring contractors, and waiting for approved products and services all took a lot of time. Now that they're in place, Carpenter said, there still is a lot of work that needs to be done, and it will go slowly. 'If you are not patient, you will be exposed to a lot of pain,' he said.

Be flexible and adaptable. Since HSPD-12 is new to the government, the environment is ever changing, and officials making the decisions need to be cognizant of that.

Don't forget to communicate. Carpenter said keeping your CIO, chief financial officer, chief human capital officer and physical security people in the loop is important for HSPD-12. He said getting their buy-in made it easier to sign off on the implementation plan.

As at many agencies, the Environmental Protection Agency's decision on how to comply with Homeland Security Presidential Directive-12 was up in the air for a while.

Officials could either join a shared-services provider or implement the interoperable identification card system by themselves.

EPA, like the Housing and Urban Development Department, decided to do it both ways.
For the areas of the country with a large number of employees ' starting with Washington ' EPA will develop its own system, compliant with Federal Information Processing Standard 201-1. For areas that are more remote, the agency will use a shared-services provider's enrollment station to meet the mandate.

'We feel that, based on the way the agency is organized and the way we do business functionally, we were in the best position to do the hybrid approach,' said Wes Carpenter, director of EPA's security management division in the Office of Administration and Resources Management. 'We are going to start issuing cards on or before Oct. 27 and then phase in our offices through September 2008.' Oct. 27 is the Office of Management and Budget's deadline for agencies to begin issuing cards.

Carpenter added that EPA has about 30,000 people who will need cards, including 18,500 employees and 8,000 to 12,000 nonfederal workers.

'The enrollment station concept came out four to six months ago,' he said. 'Before that, we were going to go individually.'

The hybrid approach poses many challenges, including the need to award contracts for an integrator, public-key infrastructure provider and a card management system. EPA did all three over the past year, including the PKI provider and card management system in the past month.

EPA first hired Maximus Inc. of Reston, Va., last November under a five-year, $2.9 million contract to help with planning and eventually to be their system's integrator.

'The intention of the contract was to fully develop their requirements and design documents to implement HSPD-12,' said Mary Whitely, Maximus' federal systems division president. 'EPA evaluated products based on our recommendations and analysis, and made their decision.'

Maximus is writing interfaces and doing testing so the agency can produce cards on Oct. 27, Whitely added.

EPA also hired Operational Research Consultants Inc. of Fairfax, Va., to be its shared-services provider and deliver 26,000 cards with credentials.

Dan Turissini, ORC chief executive officer, said workers are putting the registration practice statement in place. The RPS is the agreement between the SSP and the agency policy authority describing the process for issuing cards with a digital certificate.

ORC will provide EPA with 6,000 cards every six months for two years, with an extra 2,000 floating across all four periods.

Finally, EPA bought the card management system from RSA Security, the security division of EMC Corp. of Hopkinton, Mass. Maximus is installing the system.

So with all these pieces coming into place, EPA's Carpenter said employees at headquarters in Washington will receive their cards first, and then the agency will start moving cards out to regional offices.

'We want to make sure we do things right locally and get the kinks out of the system,' he said.

Carpenter could not comment on the price of the cards, saying they are evolving. He did say, however, that EPA would be competitive with what the General Services Administration proposed under its SSP. GSA has quoted a price per card of about $110.

'Based on our ability to do this individually and also leverage the experience GSA and others have with a shared-services provider, we may end up realizing going down one road is better than the other and migrate that way,' Carpenter said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above