RFI sets stage for future HSPD-12 contract
- By Jason Miller
- Dec 14, 2005
The General Services Administration took an important step toward getting the blanket purchase agreement in place by May 2006 for agencies to buy approved products and services to meet Homeland Security Presidential Directive-12.
In a request for information released earlier this week, GSA wants to know whether vendors can provide one or more core components detailed in Federal Information Processing Standard 201 and National Institute of Standards and Technology Special Publication 800-73. These include:
- Registration systems and/or services
- Identity management systems and/or services
- Card management system and/or services
- Public-key infrastructure certification authority services and
- Card printing system and/or services.
While GSA said the RFI guarantees no request for proposals, officials have said the blanket purchase agreement will replace the current Access Certificates for Electronic Services governmentwide acquisition contract, which expires in May 2006.
Some experts have said it will take that long for NIST and GSA to make sure products and services conform to technical and interoperability standards. The other problem is that the administration has yet to decide on the biometric standard. Industry sources have said NIST is supposed to issue the final draft of SP 800-76, which will define the biometric standard as minutiae, as early as today. NIST had not released it at press time.
"It seems like the RFI is premature," said Dallas Bishoff, a senior vice president for Authsec Inc. of Columbia, Md., an authentication and authorization consulting firm. "There are a number of vendors that have no idea of what they will do to re-engineer their products because they are waiting for NIST to release the updated FIPS-201. GSA is talking about products that have not been approved yet."
NIST plans to update FIPS-201 by Feb. 25, 2006.
The RFI also asks vendors to identify their capability to deploy, operate and maintain one or more core compliant systems and have them in place by Aug. 27, 2006, two months before the administration's deadline for PIV II.
Vendors will have to give GSA five-year cost estimates for agencies with 100,000 to more than 1 million cardholders, and comment on the practicality of certain performance metrics, such as notification of suspension or revocation to physical or logical access control systems within 20 minutes and whether registration per applicant can be done in 15 minutes.
"The RFI doesn't represent questions that will help the government reach better-informed positions," Bishoff said.
Responses are due Jan. 9.