Ready or not, here come the PIV cards
- By William Jackson
- Oct 26, 2006
This afternoon and evening, federal workers and contractors throughout the Washington area are making the final sprint toward the penultimate deadline for Homeland Security Presidential Directive-12. Each agency must be ready to issue interoperable Personal Identity Verification cards by Friday.
'This week there have been thousands of engineers working around the clock at a lot of agencies,' said Mike Butler, director of the Defense Department's Common Access Card office. DOD has loaned Butler out to the civilian side of government to assist in HSPD-12 implementation.
Butler, speaking Thursday in a forum at the Federal Information Assurance Conference being held at the University of Maryland, said that after tomorrow, what had been a niche technology in this country would go mainstream as the government begins issuing the smart ID cards.
'Oct. 27 was the day, and I think we got there,' said GSA's Judith Spence, chair of the Federal Identity Credentialing Committee. 'For the first time, we do have a trusted credential,' that can be tied back to the identity proofing of the holder.
'That is a huge step forward,' she said.
But that step is not yet complete. Although agencies must be able to issue the new cards by tomorrow, they have two years to actually get them into the hands of all employees. Many agencies still are struggling with the certification and accreditation process for the PIV systems, required under the Federal Information Security Management Act, before they can go operational.
'I don't have any process for starting to certify these systems,' said a Postal Service employee attending the conference.
Barbra Symonds of the IRS said her agency still is struggling with C&A of the systems. She said the agency would meet Friday's deadline by beginning a pilot program rather than a fully operational program.
Despite the remaining challenges, the panel of public and private-sector officials identified some early benefits from HSPD-12 that have come about before the first card was issued. Symonds said the process of revamping the agency's identity proofing process last year brought together officials from physical and IT security operations for the fist time.
'That was an eye-opener for the IRS,' she said. Wasted effort and incompatible processes were identified, and the system was streamlined. 'We found tremendous efficiencies.'
Venkatapathi Puvvada of Unisys Corp. said HSPD-12 has sped the standards-making process and accelerated the development of interoperable products.
'Industry now has one set of standards by which to build and integrate products,' he said.
Once the cards have been issued, agencies will be faced with the challenge and opportunity of figuring out how to use them.
'The card is in many ways just a key,' Spence said. Policies and infrastructure will be needed to make use of that key.
'The technology is probably the easier part, relative to the policy and processes,' said Gordon Hannah of Bearing Point. Trust models for using the cards across agencies and with state and local governments will have to be developed.
Explaining how the cards are to be used and assuaging employee privacy concerns is also a problem, Symonds said.
'I think there will be some negotiation and policy issues,' she said.
The Identity Credentialing Committee is doing its part to help put the cards into use, Spence said. The committee is drafting a set of interoperability standards for six critical interface components of systems that will be using the PIV cards. Three sets of standards have been released for comment, and the committee expects to release the other three late this year or early next year.
William Jackson is a Maryland-based freelance writer.