Many HSPD-12 cards fail their first test

Agencies refining cards to meet standard's 'persnickety' requirements

HOLD ON: GSA's David Temoshok said the agency is holding off on setting up enrollment stations it had planned in Seattle, Atlanta and New York.

Rick Steele

A majority of the identification cards agencies issued to meet Homeland Security Presidential Directive-12 fell short of complying with the federal standard and must be retested.

Industry and government officials confirmed that most cards issued in October had an assortment of problems, some of them major, such as a lack of interoperability, and some minor, such as using the wrong shade of blue on the card.

'There were over 100 tests the General Services Administration performed, but the most important one was for basic interoperability,' said one department official close to the HSPD-12 process, who requested anonymity. 'We knew we wouldn't pass because we have our own testing tool and we were having specific issues [other than interoperability]. But we didn't necessarily fail because, to me, [failing] means they weren't interoperable, and they were.'

The official said many of that agency's problems were due to not meeting the standard's 'persnickety' requirements.

GSA has been testing since January. As cards fell short of the National Institute of Standards and Technology's Federal Information Processing Standard-201, the Office of Management and Budget asked agencies to resubmit cards for further analysis.

GSA is testing the electronic personalization of the cards, which includes the encoding of the Personal Identity Verification data model on the integrated circuit chip. This will ensure an electronic exchange of data occurs between reader and card.

It also will look at the data objects on the cards, such as demographic data, fingerprint templates, facial data and the card holders' unique identifiers, David Temoshok, GSA's director of identity policy and management in the Office of Governmentwide Policy, said at a recent event on Capitol Hill.

GSA was one of the few agencies to have its cards fully certified in October, said Steven Kempf, acting deputy assistant commissioner for IT Services in GSA's Federal Acquisition Service. This means the 40 agencies that GSA supports through its Managed Service Office also are compliant.

Temoshok would not comment on the success of agency cards undergoing testing, except to say it is a complex process and that most cards from most vendors will need several tests to pass.

'This is a new standard and no one has done this before,' so the unsuccessful tests are to be expected, said a government official involved in the HSPD-12 effort, who requested anonymity. 'Agencies are fixing their issues and some have stopped issuing cards until they resolve them.'

In the guidance, OMB said GSA will report any problems with the certificates within three weeks. Agencies then have three more weeks to fix the problems and resubmit the credentials to GSA for retesting.

'Agencies should not consider issuing new credentials until all problems identified in testing are resolved,' said Karen Evans, OMB's administrator for e-government and IT, in the memo. 'We want to ensure business processes are being followed in order to foster the trusted environment needed for the credentials to be accepted by departments and agencies when deemed appropriate.'

GSA will pay for initial testing, but agencies will have to reimburse GSA if its support is needed to fix credentials' technical shortcomings.

Another agency official, who requested anonymity, said the reasons for cards not passing the test are a combination of the test's lack of maturity and agency confusion in interpreting the requirements. 'There will be some back and forth until the requirements are refined and the test matures,' the official said.

Temoshok said GSA has decided not to set up the enrollment stations it had planned in Seattle, Atlanta and New York until the Managed Service Office contract is re-awarded. GSA decided to recompete the contract in December after awarding the $104 million deal to BearingPoint Inc. of McLean, Va., in August.

Temoshok said GSA expects to make the award in the spring and then move forward with a broader deployment.

GSA likely will expand the range of testing as well to include physical-access control systems, he said.
