Evans: No new IT guidelines from current administration
Despite rumors swirling in the federal information technology community to the contrary, the Office of Management and Budget has no plans to issue any further IT-related guidelines for the remainder of the current administration, according to OMB's head of IT policy, Karen Evans. Instead, the office is helping agencies develop transition plans to carry them through the presidential transition until their new leaders get settled.
"What we are doing is teeing up decisions" so that they can made by the next administration, Evans said, speaking at the Smart Cards in Government Conference, being held this week in Washington.
"Everybody has [been asking] 'What is the next milestone? How come you haven't set milestones out into the future?'" Evans said. "I set milestones out to ' where I could control. I'm not going be able to control things beyond Jan. 20. And so what I want to do is have the foundations in place, tee up decisions for the next administration so that they will know exactly what the current state of affairs is within the government."
The news may come as relief to agency IT executives, as many are scrambling to meet the deadline of one of the most challenging mandates from the White House, the Homeland Security Presidential Directive 12 (HSPD-12).
By the end of October, agencies were supposed to have issued identification smart cards to every employee and contractor. They have until the end of day Monday to file their reports on how well they did. And next Tuesday, OMB will issue a report on the level of agency compliance.
As of Sept. 1, 1.2 million credentials have been issued, out of a possible pool of about 4 million. The final number issued by the deadline may be considerably higher, however, because many agencies are now issuing the cards en masse, having just recently completed the process of vetting employees through fingerprinting, background checks and other measures, Evans said.
"Will we have all 4 million credentials issued? Probably not," Evans admitted. "But what the agencies will have in place [are] corrective action plans."
HSPD-12 was one of a number of ambitious IT standardization mandates and guidelines from the current administration, each with a tough deadline. Agencies had to have their network backbones IPv6 compliant by last June. Also this year, they also had to reduce the total number of Internet connections, through the Trusted Internet Connections (TIC) initiative, as well configure their desktop computers to a secure profile, the Federal Desktop Core Configuration (FDCC).
OMB is now reviewing with agencies where they are in these initiatives.
"Clay Johnson and I, and my staff, met with every agency and highlighted the secure posture of where they are [with] FDCC, HSPD-12, TIC, IPv6 ' all these IT initiatives," Evans said. From this "comprehensive picture," they encouraged each agency to "make a firm commitment about having good state-of-affairs and a good transition plan so the next administration will know exactly where [the agency is], and what the next key decisions are related to these IT projects," Evans said.
Such transition plans should keep the agencies moving forward over the next 18 months, she said. "That way all these things will continue on as the leadership is getting stabilized at the top," Evans said.
Evans said that her office is now focused on preparing for the next administration. It is up to the next administration to make use of the gains made by HSPD-12 and other initiatives, she said. Regardless of who wins the election, it will be the new administration, and not the current one, that will set the next milestones for government IT.
When asked what sort of milestones could be put in place by a new administration, Evans said the current initiatives, when combined, have set the stage for securing government IT systems to such a degree that would have not been possible before. Now that agencies have HSPD-12-based authentication, they could start to look "for ways to really use the functionality built into the card," she said. Such security measures could be applied to individual applications, which might have had their own authentication measures in place. Another future challenge could be extending HSPD-12 security into the physical access domain. Agency workers could use their identification cards not only to log on to their computers but to enter the building as well.
"When we take a look at the information that has come in, and we're gearing up for the next administration, we're identifying opportunities where the HSPD-12 card can answer some of the questions about increased security," Evans said. "Agencies will have to have a solution in place that will build off this trust model."