HSPD-12: It's not all in the cards
While agencies focus on deadline for cards, access control systems are lacking
- By Rob Thormeyer
- Aug 24, 2006
CARD DEAL: David Temoshok, director of GSA's ID Management Division, says the contract with BearingPoint 'is providing the technology, the services, and they're bringing in a team to provide those services.'
BEST PRICE: Chris Niedermayer wants agencies to consider the cost savings of working together.
With the deadline less than two months away, the heavy lifting on Homeland Security Presidential Directive-12 is only just beginning.
Though the General Services Administration has awarded a highly anticipated contract for turnkey solutions to help agencies meet the Oct. 27 deadline to begin issuing smart identification cards, federal officials are cautioning agencies not to lose sight of HSPD-12's broader mandate of better securing the government.
'The goal of [HSPD-12] is not the card, the goal is to improve the protection of the physical and IT assets of the government,' said Michel Kareis, director of GSA's HSPD-12 program and of its new Managed Services Office. 'The card is an enabler to do that."
Under HSPD-12, issued nearly two years ago, agencies must begin issuing interoperable Personal Identity Verification cards for new employees and contractors by Oct. 27. Last year, the mandate required agencies to ensure their processes for issuing credentials and registering employees met the criteria laid out in Federal Information Processing Standard 201 [GCN.com
, GCN.com/672].Struggling to start up
But the operative word is 'begin,' as all but a few agencies are struggling to set up the infrastructure needed for card production and issuance.
GSA awarded BearingPoint Inc. of McLean, Va., a five-year, $104 million contract to help agencies make the transition. The award was announced Aug. 18.
The Office of Management and Budget has not and will not offer any additional funds to meet the mandate, so several agencies banded together and created an informal working group to share best practices as the deadline neared [GCN.com/671].
OMB has since established an HSPD-12 Executive Steering Committee'a multiagency group formed to oversee agency compliance with the directive'and has worked with GSA to determine how agencies should work together to meet this deadline.
Essentially, agencies participating in GSA's new Managed Services Office are given something like a free pass'GSA and BearingPoint are responsible for establishing the infrastructure for issuing the smart cards by Oct. 27, and participating agencies are responsible for helping foot the bill.
Agencies that are not participating in the GSA offering must have the capability to begin issuing PIV cards in at least one location by Oct. 27, an OMB official who requested anonymity said. 'Agencies must also plan to have the capability in place for all other locations so PIV cards can be issued to all employees and contractors by fiscal year 2008,' the official said.
Under the contract, BearingPoint will enroll employees, issue smart cards that meet the National Institute of Standards and Technology's FIPS-201-1, and maintain identification management accounts.
The company will have a suite of government-approved products to choose from, although to date about 10 of 21 HSPD-12 product categories do not have approved products. Products are approved after they are tested by NIST and GSA.
'BearingPoint is providing the technology, the services, and they're bringing in a team to provide those services,' said David Temoshok, director of GSA's ID Management Division.
After a brief period for testing, GSA and BearingPoint will set up four locations'Atlanta, New York, Seattle and Washington'and aim to begin issuing the cards before Oct. 27, ESC and GSA officials said.
If the first few months are successful, GSA will pick up one of the contract's option years and expand the enrollment stations to approximately 400 locations throughout the country.
That does not mean each agency participating will actually get an ID card issued on Oct. 27; rather, agencies will be scheduled over the next several months to place their orders and receive their cards, with the goal of issuing the cards to all participating agencies within 24 months, said Chris Niedermayer, chairman of the ESC.
'Not everyone in those agencies can get a card on the first day,' he said. 'We're just going to start issuing cards. Some agencies will get one, some will get 10,' and others won't get any right away. But, 'the intention is to get some in every agency.'Signs of interest
It is unclear how many agencies will sign up under the contract. GSA's Kareis said the final price offerings had not been made public at press time. However, more than 25 agencies participated in the informal working group that promoted the shared-services approach, so those agencies would likely be most interested in participating.
And for Kareis, the more the merrier, because the BearingPoint contract stipulates that having multiple agencies on board will result in lower prices. 'We'd like to engage as many agencies as possible,' she said.
A number of agencies are performing their own solicitations for HSPD-12 products, while the Interior Department's National Business Center is also looking to act as a shared-services provider (see sidebar).
But issuing the cards is only the beginning of the HSPD-12 equation.
Even agencies signed up with GSA or another shared-services provider are on their own to acquire the appropriate card readers and infrastructure to use the cards for their stated purpose, officials said.
'Everyone is focusing on the next date, but it is really a much larger initiative we're trying to achieve,' Kareis said.
Agencies are still required to set up physical and logical access controls so the cards can give access to federal buildings and IT systems, although there is no hard and fast deadline for those services just yet.
'On Oct. 27, I don't think you're going to see people with physical access controls,' Niedermayer said. 'That is still the responsibility of each agency.'
And this responsibility could prove problematic because, although the technology and products exist, many agencies do not have the expertise to implement an end-to-end solution, officials in and out of the government said.
'From the beginning, all the focus as been on the card, not on the system and identity management portion of it,' said one former government official who requested anonymity. 'How are agencies going to purchase these items and put everything into place?'
BearingPoint officials could not be reached at press time.