Agencies taking aim at HSPD-12 management obstacles
- By Jason Miller
- Jun 07, 2006
HILTON HEAD, S.C.'As agencies await approved products and services under Homeland Security Presidential Directive-12, another significant barrier to completing the administration's mandate remains: establishing a trust among agencies to accept each other's cards.
While it may seem obvious that HSPD-12 and its corresponding documents would establish this trust, agency officials in charge of implementing the program point to inconsistencies in evaluating performance under other governmentwide programs such as the Federal Information Security Management Act as examples of why trust is an issue.
'You hope no one is cutting corners, but there is need for oversight,' said Patrick Howard, the Housing and Urban Development Department's chief information security officer. 'When you have a program like FISMA, and there is an agency that gets a B or A, how can they lose data? It leaves you with questions of how well they can issue cards.'
Howard said agencies must trust each other that the card has been issued properly and that the enrollment systems are secured.
'All agencies need assurance through a third party that they are following the rules,' he said yesterday at a panel discussion of the challenges of implementing HSPD-12 during the 26th annual Management of Change conference sponsored by the American Council for Technology and the Industry Advisory Council. 'The problem is all [inspectors general] measure in different ways. The oversight must be consistent.'
Another barrier, Howard said, is whether agencies can agree to accept each other's risk assessments. For instance, if one agency considers an employee a low risk but another agency considers that same employee a medium risk, how does each agency deal with this issue, he asked.
'There is an opportunity for inconsistency, so we need to deal with it,' Howard said.
Joe Bond, the director of the Veterans Affairs Department's HSPD-12 program, said one barrier he sees is different adjudication standards within his own agency and governmentwide. For instance, within VA about 20 percent of all employees have not had background checks. Part of the advantage of this program is putting in checks and balances.
But HSPD-12 will not stifle agencies' ability to use the technology for their benefit as well, other officials said.
'Everyone agrees there has to be certain consistencies to the process, but what they don't want is to be hampered because many agencies have said they have found other values and don't want to be limited to the use of this card to some standardized set,' said Chris Niedermayer, Agriculture Department associate CIO and chairman of the HSPD-12 Executive Steering Committee. 'I don't think there is a concern about the minimum critical [set of standards] as long as we don't hamper people from doing other things they have already imagined as values in their own organization.'
One of the things VA imagines HSPD-12 will help it do is improve their entire identity management capabilities, Bond said.
'We will be able to define what the authoritative data sources are for payroll, human resources, law enforcement and physical access and provision or deprovision of data,' Bond said. 'Right now we don't do that, so if data changes in one of those systems, it has to be changed in all those systems separately. Once we do that, our systems will be more secure.'