GAO says HSPD-12 deadlines may be tough to attain
- By Rob Thormeyer
- Mar 03, 2006
Although agencies are making some progress in meeting personal identification verification standards under Federal Information Processing Standard 201, the government faces several hurdles in implementing many of the requirements and needs more complete guidance from the Office of Management and Budget, congressional watchdogs said.
In a new report, the Government Accountability Office recommended that OMB better monitor how agencies are meeting FIPS-201 under Homeland Security Presidential Directive-12 deadlines by requiring them to report on their progress and provide details on using federal security categories to assess agency systems.
'Until these implementation challenges are addressed, the benefits of FIPS-201 may not be fully realized,' auditors said. 'Specifically, agencies may not be able to meet implementation deadlines established by OMB, and more importantly, true interoperability among federal government agencies' smart card programs, one of the major goals of FIPS 201, may not be achieved.'
FIPS-201, issued by the National Institute of Standards and Technology in February 2005, required agencies to have implemented Personal Identification Verification I by last October. PIV I calls for agencies to set up standard identity-proofing, registration and issuance processes. Agencies have until Oct. 26 this year to begin to comply with PIV II, which calls for them to start issuing interoperable smart cards and using common back-end systems.
Karen Evans, OMB's administrator for IT and E-Government, disagreed with the need to provide more explicit guidance in a letter to GAO.
'The federal government operates a wide variety of information systems and facilities,' Evans wrote. 'Any guidance developed by OMB could neither properly or appropriately address every time or situation. It does not make sense to treat a remote location in Wyoming the same as a government office building in Washington.'
GAO said the government will likely struggle to meet this year's deadline. In a survey of six agencies (NASA and the Defense, Interior, Homeland Security, Housing and Urban Development, and Labor departments), GAO found that although the agencies were making some progress, several challenges exist that could keep the government from meeting the requirements on time.
In particular, the products needed to implement FIPS-201 may not be available in time to meet OMB's deadlines, GAO said, as NIST and the General Services Administration must test and verify the products.
'Because it is difficult to predict how long each of these tests will take, and because they must be done in sequence, fully tested FIPS-201 compliant products may not become available for agencies to acquire in time for them to begin issuing FIPS-201 compliant ID cards by OMB's deadline of Oct. 27,' GAO said.
Also, OMB has only provided 'general' guidance and has not provided enough specifics on the issue.
'Although this guidance provides general direction, it does not provide sufficient specificity regarding when and how to apply the standard,' GAO said. 'For example, OMB's guidance does not explain how NIST's security categories can be used to assess types of individuals accessing government systems.'
Evans, though, said the OMB requirements give agencies necessary leeway.
'We firmly believe departments and agencies should have the flexibility to make these determinations on the basis of the risks they face,' Evans wrote. 'While it may appear to promote uniformity and to attempt to provide guidance on how to implement HSPD-12 in every single situation, the approach will not ensure facilities and information systems are appropriately secured in a manner balancing cost and risk.'