EPA takes a mixed approach
Agency chooses a hybrid method for meeting HSPD-12
- By Jason Miller
- Oct 20, 2006
As at many agencies, the Environmental Protection Agency's decision on how to comply with Homeland Security Presidential Directive-12 was up in the air for a while.
Officials could either join a shared-services provider or implement the interoperable identification card system by themselves.
EPA, like the Housing and Urban Development Department, decided to do it both ways.
For the areas of the country with a large number of employees ' starting with Washington ' EPA will develop its own system, compliant with Federal Information Processing Standard 201-1. For areas that are more remote, the agency will use a shared-services provider's enrollment station to meet the mandate.
'We feel that, based on the way the agency is organized and the way we do business functionally, we were in the best position to do the hybrid approach,' said Wes Carpenter, director of EPA's security management division in the Office of Administration and Resources Management. 'We are going to start issuing cards on or before Oct. 27 and then phase in our offices through September 2008.' Oct. 27 is the Office of Management and Budget's deadline for agencies to begin issuing cards.
Carpenter added that EPA has about 30,000 people who will need cards, including 18,500 employees and 8,000 to 12,000 nonfederal workers.
'The enrollment station concept came out four to six months ago,' he said. 'Before that, we were going to go individually.'
The hybrid approach poses many challenges, including the need to award contracts for an integrator, public-key infrastructure provider and a card management system. EPA did all three over the past year, including the PKI provider and card management system in the past month.
EPA first hired Maximus Inc. of Reston, Va., last November under a five-year, $2.9 million contract to help with planning and eventually to be their system's integrator.
'The intention of the contract was to fully develop their requirements and design documents to implement HSPD-12,' said Mary Whitely, Maximus' federal systems division president. 'EPA evaluated products based on our recommendations and analysis, and made their decision.'
Maximus is writing interfaces and doing testing so the agency can produce cards on Oct. 27, Whitely added.
EPA also hired Operational Research Consultants Inc. of Fairfax, Va., to be its shared-services provider and deliver 26,000 cards with credentials.
Dan Turissini, ORC chief executive officer, said workers are putting the registration practice statement in place. The RPS is the agreement between the SSP and the agency policy authority describing the process for issuing cards with a digital certificate.
ORC will provide EPA with 6,000 cards every six months for two years, with an extra 2,000 floating across all four periods.
Finally, EPA bought the card management system from RSA Security, the security division of EMC Corp. of Hopkinton, Mass. Maximus is installing the system.
So with all these pieces coming into place, EPA's Carpenter said employees at headquarters in Washington will receive their cards first, and then the agency will start moving cards out to regional offices.
'We want to make sure we do things right locally and get the kinks out of the system,' he said.
Carpenter could not comment on the price of the cards, saying they are evolving. He did say, however, that EPA would be competitive with what the General Services Administration proposed under its SSP. GSA has quoted a price per card of about $110.
'Based on our ability to do this individually and also leverage the experience GSA and others have with a shared-services provider, we may end up realizing going down one road is better than the other and migrate that way,' Carpenter said.