Desperate hours in the race to meet HSPD-12's card deadline.
- By Rob Thormeyer
- Nov 03, 2006
Interior deputy assistant secretary Paul Hoffman displays his new personal identity verification card.
All-nighters, a kidnapping, dilated pupils and road trips. For federal officials responsible for bringing their agencies into compliance with Homeland Security Presidential Directive-12, the month of October resembled their college days, when cramming for final exams and other deadlines meant staying up all night and forcing the last bit of data into their heads.
But instead of trying to boost that grade-point-average, officials charged with implementing HSPD-12 had a higher calling'bolstering the security of federal physical and logical assets by starting to issue new smart identification cards to all government workers and contractors.
'This is our little miracle,' said Doug Bourgeios, director of the Interior Department's National Business Center, one of two HSPD-12 shared-services pro- viders. 'We've been clear all along that to us, this is not just about issuing a card. This is a bigger part of HSPD-12 and we're just pleased' to have gotten this far.
And while issuing that first card may not necessarily make the country safer today, officials involved said it is perhaps the most critical step in reaching that goal.
'HSPD-12 is a journey,' said Mary Dixon, director of the Defense Department's Defense Manpower Data Center. 'One card isn't going to help us [become more secure], but I'm not going to issue that four millionth card until I issue the first one.'
Under HSPD-12, agencies were required to begin issuing the new ID cards Oct. 27, and the Office of Management and Budget is checking compliance by collecting copies of cards produced by each agency.
The cards, eventually, will replace existing government IDs and let employees use one card for physical and logical access. All government workers must have a new ID by October 2008.
While the General Services Administration did issue a handful of cards by the end of Oct. 27 to their 38 SSP customers, no one involved could deny that it was an extremely close call.
"We made it,' said one official involved, who requested anonymity. But Oct. 27 'was just a flurry.'
It started mid-week, after agency officials had already logged more than enough hours working weekends since August to take the rest of the year off.
Several people involved, all speaking on the condition of anonymity, said they expected things to go relatively smoothly until Wednesday evening (Oct. 27 was Friday), when they noticed the cards being produced were not meeting all the requirements developed by the National Institute of Standards and Technology.
GSA officials could not reach NIST's Ramaswamy Chandramouli, who helps run NIST's testing tool, at his office, setting off a frantic search that ended with federal employees driving to his house Wednesday night. Chandramouli was under doctor's orders not to drive because his pupils had been dilated, officials said.
'We picked him up Wednesday night and we wouldn't let him leave until Thursday,' one official said. 'We told him we kidnapped him.'
After working out the problem, the situation got even hairier because the lab that was printing the first batch of cards, located near Philadelphia, notified GSA that although the cards would be ready Thursday evening, they could not be sent back to Washington on time to meet Friday's deadline.
This was problematic because GSA had scheduled a private event to issue the cards to the first recipients Friday afternoon.
So, Mike Butler, chairman of the Government Smart Card Interagency Advisory Board and on loan from DOD to GSA, drove to Philadelphia Thursday afternoon to bring the cards back to Washington.
When he got there, the cards were not finished and because he did not give the manufacturing plant enough notice that he was coming up'the plant's security rules required 24 hours notice'he was not allowed inside.
So instead of bringing the cards home Thursday night, Butler spent the night in his car in the parking lot, waiting for the finished product.
At about 6:30 a.m., Butler received a box of about 30 cards and hit the road, arriving back in Washington in time for GSA's ceremony.
OMB had not released an official scorecard detailing if agencies met the mandate, but sources said every agency met the deadline, if barely, to issue at least one card'in fact, many agencies issued no more than three cards.
NBC said it started issuing cards to their customers Oct. 26, and Bourgeios said he received his card that evening.
The Social Security Administration'one of a handful of agencies that decided to meet the mandate alone'said it started issuing cards Oct. 18.
The Defense Department, which was granted transitional authority by OMB because it has been issuing its Common Access Cards over the past five years, started issuing a new version of its card that Dixon said is HSPD-12-compliant.
DOD has already issued 4 million CACs, which expire every three years. To help transition to the new cards, DOD will roll out software and hardware upgrades to 1,400 issuance locations over the next year, Dixon said, and as the older cards expire, DOD personnel will receive updates to ensure they are in compliance with HSPD-12.
Although DOD had a bit of a head start, Dixon said transitioning from the CACs to the new ID cards is not simple. Until all DOD personnel have the new card, DOD buildings and card readers will have to read both sets of IDs, Dixon said. It also means that employees who have just received CACs will have to go through another process to get a new ID card.
DOD is no doubt the envy of the rest of the government, especially GSA's Managed Services Office, the division overseeing the agency's HSPD-12 implementation.
While the deadline was met, now those involved must begin focusing on ensuring that the goal of HSPD-12'using the cards to provide secure access to federal assets'is achieved.
'There is a lot more to do,' said NBC's Bourgeios. 'We have plans to scale the solution and issue more and more cards."