woman wearing PIV badge

HSPD-12 at 10 years: Still a long way to go

In August of 2004, President Bush mandated the creation and adoption of an interoperable smart ID card to be used by all executive branch workers and contractors both for physical and logical access. Homeland Security Presidential Directive 12 now is almost 10 years old, and millions of Personal Identity Verification (PIV) cards have been issued. Few of them are being fully taken advantage of, however.

According to White House figures, six of 23 civilian agencies covered by HSPD-12 had issued PIV cards to 100 percent of their workers as of March 2013. (The Defense Department also had achieved 100 percent, although strictly speaking it does not use the PIV card, but the DOD Common Access Card.) Most of the other agencies had at least 80 percent coverage.

But hanging the cards around the necks of workers is one thing; using them to log onto IT systems is another. According to the latest progress report on Cross Agency Priority Goals, [] only one in five civilian agency workers was required to use PIV cards for authentication when logging on to government IT systems at the end of fiscal year 2013. That is a significant increase from FY 2010, when just 1.24 percent of workers were using PIVs to log on, but the report notes there is “cause for concern.”

Despite the progress, “the outcome that is most likely to be observed” in achieving a passing mark for PIV implementation in 2014 “stands at zero.”


Agency performance towards strong authentication with HSPD-12 cards 

Chart showing PIV card use

The chart above shows the percentage of agency employees with HSPD-12 cards and the percentage that are required to use their cards to authenticate for network access, as of Q3 FY2013.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, May 9, 2014

Please take it to the next level. Check the percentage of workers per Agency using their cards to access their buildings.

Thu, May 8, 2014 Ross Sterling

This is a fine example of wishful thinking. Without appropriations of funds, there is really little reason for agencies to perform. I can't remember another, important security capability that was called for and yet not funded for completion. I applaud those agencies that have made significant progress, they worked through significant hurdles to fund this. I feel for the rest as they try to do the same.

Thu, May 8, 2014

Windows passwords really are good enough. After all, Bill Gates invented computing when he wrote Windows.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above