Rush, but verify
- By Jason Miller
- Jan 20, 2006
With an impending deadline, and despite a lack of working products, agencies race to get infrastructures ready for interoperable smart cards
Curt Barker, NIST's PIV program manager, says NIST will begin testing products for PIV II compliance next month.
Few people in the federal government or industry dare question the importance of Homeland Security Presidential Directive-12.
But what federal and industry experts also say is that the aggressive deadline set by the administration for HSPD-12 compliance will be nearly impossible for most agencies to meet.
Agencies and contractor-run government operations know the risks: They face the full spectrum of threats, from terrorist attacks to disruptions by hackers, and they recognize the importance of better securing federal facilities through more accurate identification of employees.
And there is no doubt, experts say, that HSPD-12 will improve employee efficiency, save money in the long run and promote the use of e-authentication services.
But the Office of Management and Budget has given agencies 10 months to get the back-end infrastructure in place and begin issuing smart cards that adhere to the Federal Information Processing Standard 201, Personal Identity Verification II. Experts say the rush to meet this arbitrary deadline could push departments to spend millions of dollars hurriedly and run the risk of error. They recommend the administration give agencies a little more time to make sure they get it right.
'Agencies are trying to fill in the square, to be compliant without being fully mature and fully deep-down aware of what they are trying to accomplish,' said one government official involved in HSPD-12, who requested anonymity.
Agencies must be ready by Oct. 27 to issue smart ID cards that are interoperable across all agencies, and include a two-finger biometric and digital certificate. Not all employees will have to have cards by the deadline, but agencies must issue the credentials to all new employees and contractors, and to all current ones as their ID cards expire. Over the next two years, all employees must transition to the new smart ID cards, according to OMB guidance issued last July.
Additionally, agencies for the first time are required to integrate physical-access control with logical security.
This requires a whole new level of cooperation, understanding and coordination among IT, human resources and physical security personnel, officials said.
'OMB acknowledges the risk but also the benefits of improved security, and agencies are being asked to be aggressive,' said an OMB official who requested anonymity. 'There are several things that need to be accomplished before PIV II is implemented, and we will make sure these things are finished so they can get done what they need to.'
The challenges in meeting PIV II are great, according to federal and industry officials. The administration has put forth an unfunded mandate asking for an entirely new set of technologies that industry has yet to develop even though the deadline is less than a year away, and many agencies are unfamiliar with how to design and implement smart-card systems.
Only the Defense Department has made significant progress in this area'issuing more than 3.4 million Common Access Cards'while NASA, the General Services Administration, and the departments of Homeland Security, Interior and Veterans Affairs are among the agencies that either have piloted smart-card programs or have limited systems set up under the former Govern- ment Smart Card Inter-operability Standard.
'The government has been doing this for five years and still is learning as we go,' said another government official who requested anonymity. 'This is a very esoteric technology, and I don't see a lot of agencies with a real good systems engineering team to make this happen. This is very technical and very challenging.'
Neville Pattinson, director of government affairs for Axalto Inc. of Austin, Texas, a smart-card vendor, said implementing ID management systems usually takes two years in the private sector. But the government's endeavor is even more daunting.
'The card and technology [are] leading-edge stuff,' he said. 'The dual interface really only began to emerge in 2005 and now is just being certified and integrated. It really will take two or three years to soak through all the agencies [and] for systems to be interoperable.'Agency progress
The lack of products and services also has slowed progress, according to agency officials. Unlike other system implementations, where there is at least a similar example either in industry or government, and some product or system meets at least some of the requirements, agencies are starting from scratch.
'Agencies are having trouble piecing it all together,' said the second government official. 'Vendors usually do a good job selling their wares, but since you don't have anyone with a good example to show how it works, including DOD, a lot of people don't have the background to be able to see all the moving pieces.'
The aggressive deadline has created unforeseen obstacles as well. It took almost a year to decide on the biometric standard, which delayed GSA and the National Institute of Standards and Technology in setting up labs to test products and services to make sure they conform to FIPS-201 and interoperability requirements.
Curt Barker, NIST's PIV program manager, said the first approved smart ID card should be ready by early February and at least one issuance system is undergoing conformance testing.
GSA, meanwhile, has yet to set up an interoperability lab and likely will not start testing until late spring, said David Temoshok, GSA's director of identity policy and management.
To be fair, agency officials have praised NIST and OMB for their guidance and willingness to listen to agency concerns. And NIST, especially, has been given the Herculean task of developing in six months a FIPS document, which typically takes more than a year.
All these issues could be overcome if there were products and services available, officials said. But GSA doesn't expect to set up a blanket purchasing agreement until late May. Then officials will have about five months to issue task orders, award contracts and implement systems.
'Most agencies are getting ready to strike,' said the first official. 'It's like a SWAT team: We are getting stuff ready and waiting so when GSA says go, we can go.'
Even once the contract for FIPS-201 products and services is available, agency and industry officials say the demand likely will overwhelm the supply.
'There will be a huge demand for integrator services,' Axalto's Pattinson said. 'It will not be a big deal to serve the card volume, but the sheer volume of work for integrators is going to be interesting.'
Barker said NIST is trying to give the product development effort a push. NIST issued a request for information in December, asking vendors to bring in products to demonstrate conformance to FIPS-201.
Barker said 45 companies expressed interest, and NIST will begin testing the products by February.
Barker added that NIST is working with GSA to have products and services approved in time to be placed on the BPA.
'The availability of products is one factor, but there are more dominant factors in whether or not agencies will meet PIV II,' said Tim Grant, NIST's chief of the systems and network security group. 'Agencies have to adapt their business processes; there are technical challenges and resource issues. They also have to get all interested parties to work together.'
Given all that agencies are facing, there is underlying grumbling among federal officials that the deadline is unattainable and OMB should consider pushing it back.
But federal and industry officials disagree on whether OMB eventually will be convinced that the deadline must be pushed back.
'This is important to the country, and it is good that OMB set a date that is challenging, but not enough people understand how to do this,' the second agency official said.
Other officials said the October results will be mixed, with DOD, VA, DHS, Interior and NASA having the best chances of becoming compliant. DOD, for instance, will add a Java applet.
No matter what happens to the deadline, officials recognize that the pressure for an interoperable smart ID card isn't going to go away.
'A lot of good things have come from this so far,' said the second agency official. 'We aren't far from a huge success, but there still is a lot that has to fall into place.'