Happy birthday HSPD-12; there’s still a long way to go
This month marks the 10th anniversary of Homeland Security Presidential Directive 12 mandating the development and use of an interoperable smart ID card for civilian government employees and contractors. The results of the program so far range from the impressive to the disappointing.
“I would call the programmatic platform a huge success,” said Ken Ammon, chief strategy officer for Xceedium, an ID management software vendor.
As of the first quarter of this year, 5.4 million Personal Identity Verification (PIV) cards have been issued to civilian employees and contractors, accounting for 96 percent of those who need the cards. Given employee turnover and the need to periodically reissue the cards, the coverage is quite good.
The challenge now is having them used as they were intended, as strong, two-factor authentication for both logical and physical access across agencies. This is a multifaceted challenge that is proving to be a much tougher nut to crack than designing and issuing the cards.
HSPD-12 was issued Aug. 27, 2004, by then-President George W. Bush. The heart of the mandate was simple. Inconsistencies in government IDs left the government vulnerable to terrorist attack. “Therefore, it is the policy of the United States to enhance security, increase government efficiency, reduce identity fraud and protect personal privacy by establishing a mandatory, governmentwide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors (including contractor employees).”
The National Institute of Standards and Technology was given six months to produce the standards, which included identity vetting and secure, interoperable digital technology. Eight months after that, agencies would have to require use of the cards, “to the maximum extent practicable,” for access both to physical facilities and IT systems.
The first part of this effort, developing the standard and technical specifications and designing, producing and issuing the PIV cards, is the programmatic success Ammon cited. But the second part, the qualification “to the maximum extent practicable,” has proved to be a speed bump.
Seven years after the directive, the Government Accountability Office concluded in 2011 that although substantial progress had been made in issuing PIV cards and fair progress in using them for physical access to government facilities, only limited progress had been made in using them for access to government networks and minimal progress in cross-agency acceptance.
A year later, increasing the use of PIV and the military’s Common Access Card credentials was identified by the White House as a priority area for improvement. Agencies were given until March 31, 2012, to develop policies for the use of these credentials.
Reasons for the lack of widespread use cited by GAO were not technical, but administrative: Logistics, agency priorities and of course budgets. “According to agency officials, a lack of funding has . . . slowed the use of PIV credentials,” the report stated.
But technology also is an issue, as the card is only one element in any authentication system. Use of the electronic credentials in the cards has to be incorporated into systems already in place, or those systems must be replaced. Under a 2011 White House directive, all new systems under development at agencies must be enabled for PIV credentials and existing systems were to be upgraded by fiscal 2012.
Like many unfunded mandates, this has been a tough one to meet. And in the meantime, technology keeps changing. Mobile computing, for instance, means that many government workers are using tablets and cell phones for work. Technically these should require PIV authentication for government work, but many are not equipped to accommodate that.
HSPD-12 is not a failure, but it could be doing a lot better if strong, two-factor authentication was a higher priority within agencies. However, the the rapid pace of technological change makes it unlikely that any government-mandated technology will ever be completely successful. Even so, much more could be done.
Posted by William Jackson on Aug 22, 2014 at 10:16 AM