HSPD-12: It's not all in the cards

While agencies focus on deadline for cards, access control systems are lacking

What your agency needs to know

With the Oct. 27 deadline a few weeks away, agencies that aren't sure they will be ready are being encouraged to sign up with the General Services Administration's Managed Services Office for help. Here's what those agencies need when meeting with GSA officials:

Bring agency-specific requirements. Know how many new employees and contractors will need a badge.

Bring an OMB-approved implementation plan. Agencies are required to meet with OMB officials about their implementation plans this summer. Those plans will help determine agency requirements.

Nominate a primary point of contact. To expedite negotiations, agencies should appoint a primary official for assessing HSPD-12 needs.

Prepare contracting officers. Agencies must be ready to review initial memorandums of understanding and sign the final funding document once GSA and the customer agency agree on an HSPD-12 solution.

Source: GSA officials


Lead Agency: The General Services Administration's Managed Services Office

Purpose: Homeland Security Presidential Directive-12

Lead Contractor: BearingPoint Inc. of McLean, Va.

Contract Value: $104.6 million ceiling over five years

Scope: As a shared-services provider, the managed services office (MSO) and BearingPoint will offer agencies an end-to-end solution for issuing Personal Identity Verification cards to new employees and contractors beginning Oct. 27
Timeline: BearingPoint will demo the system and, if successful, help the MSO open four enrollment locations across the country. Stations will begin issuing cards before Oct. 27, GSA officials hope, and the number of enrollment stations could grow to more than 400 over time. By January 2009, officials hope cards will be issued to all participating agencies.

CARD DEAL: David Temoshok, director of GSA's ID Management Division, says the contract with BearingPoint 'is providing the technology, the services, and they're bringing in a team to provide those services.'

Rick Steele

BEST PRICE: Chris Niedermayer wants agencies to consider the cost savings of working together.

Rick Steele

With the deadline less than two months away, the heavy lifting on Homeland Security Presidential Directive-12 is only just beginning.

Though the General Services Administration has awarded a highly anticipated contract for turnkey solutions to help agencies meet the Oct. 27 deadline to begin issuing smart identification cards, federal officials are cautioning agencies not to lose sight of HSPD-12's broader mandate of better securing the government.

'The goal of [HSPD-12] is not the card, the goal is to improve the protection of the physical and IT assets of the government,' said Michel Kareis, director of GSA's HSPD-12 program and of its new Managed Services Office. 'The card is an enabler to do that."

Under HSPD-12, issued nearly two years ago, agencies must begin issuing interoperable Personal Identity Verification cards for new employees and contractors by Oct. 27. Last year, the mandate required agencies to ensure their processes for issuing credentials and registering employees met the criteria laid out in Federal Information Processing Standard 201 [GCN.com, GCN.com/672].

Struggling to start up

But the operative word is 'begin,' as all but a few agencies are struggling to set up the infrastructure needed for card production and issuance.
GSA awarded BearingPoint Inc. of McLean, Va., a five-year, $104 million contract to help agencies make the transition. The award was announced Aug. 18.

The Office of Management and Budget has not and will not offer any additional funds to meet the mandate, so several agencies banded together and created an informal working group to share best practices as the deadline neared [GCN.com/671].

OMB has since established an HSPD-12 Executive Steering Committee'a multiagency group formed to oversee agency compliance with the directive'and has worked with GSA to determine how agencies should work together to meet this deadline.

Essentially, agencies participating in GSA's new Managed Services Office are given something like a free pass'GSA and BearingPoint are responsible for establishing the infrastructure for issuing the smart cards by Oct. 27, and participating agencies are responsible for helping foot the bill.

Agencies that are not participating in the GSA offering must have the capability to begin issuing PIV cards in at least one location by Oct. 27, an OMB official who requested anonymity said. 'Agencies must also plan to have the capability in place for all other locations so PIV cards can be issued to all employees and contractors by fiscal year 2008,' the official said.

Under the contract, BearingPoint will enroll employees, issue smart cards that meet the National Institute of Standards and Technology's FIPS-201-1, and maintain identification management accounts.

The company will have a suite of government-approved products to choose from, although to date about 10 of 21 HSPD-12 product categories do not have approved products. Products are approved after they are tested by NIST and GSA.

'BearingPoint is providing the technology, the services, and they're bringing in a team to provide those services,' said David Temoshok, director of GSA's ID Management Division.
After a brief period for testing, GSA and BearingPoint will set up four locations'Atlanta, New York, Seattle and Washington'and aim to begin issuing the cards before Oct. 27, ESC and GSA officials said.

If the first few months are successful, GSA will pick up one of the contract's option years and expand the enrollment stations to approximately 400 locations throughout the country.

That does not mean each agency participating will actually get an ID card issued on Oct. 27; rather, agencies will be scheduled over the next several months to place their orders and receive their cards, with the goal of issuing the cards to all participating agencies within 24 months, said Chris Niedermayer, chairman of the ESC.

'Not everyone in those agencies can get a card on the first day,' he said. 'We're just going to start issuing cards. Some agencies will get one, some will get 10,' and others won't get any right away. But, 'the intention is to get some in every agency.'

Signs of interest

It is unclear how many agencies will sign up under the contract. GSA's Kareis said the final price offerings had not been made public at press time. However, more than 25 agencies participated in the informal working group that promoted the shared-services approach, so those agencies would likely be most interested in participating.

And for Kareis, the more the merrier, because the BearingPoint contract stipulates that having multiple agencies on board will result in lower prices. 'We'd like to engage as many agencies as possible,' she said.

A number of agencies are performing their own solicitations for HSPD-12 products, while the Interior Department's National Business Center is also looking to act as a shared-services provider (see sidebar).

But issuing the cards is only the beginning of the HSPD-12 equation.
Even agencies signed up with GSA or another shared-services provider are on their own to acquire the appropriate card readers and infrastructure to use the cards for their stated purpose, officials said.

'Everyone is focusing on the next date, but it is really a much larger initiative we're trying to achieve,' Kareis said.

Agencies are still required to set up physical and logical access controls so the cards can give access to federal buildings and IT systems, although there is no hard and fast deadline for those services just yet.

'On Oct. 27, I don't think you're going to see people with physical access controls,' Niedermayer said. 'That is still the responsibility of each agency.'

And this responsibility could prove problematic because, although the technology and products exist, many agencies do not have the expertise to implement an end-to-end solution, officials in and out of the government said.

'From the beginning, all the focus as been on the card, not on the system and identity management portion of it,' said one former government official who requested anonymity. 'How are agencies going to purchase these items and put everything into place?'

BearingPoint officials could not be reached at press time.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected