Time to deal the cards
HSPD-12 deadline looms, but access control systems lacking
- By Rob Thormeyer
- Sep 15, 2006
"On Oct. 27, I don't think you're going to see people with physical access controls. That is still the responsibility of each agency," says Chris Niedermayer
With the deadline for agencies to begin issuing smart identity cards less than two months away, the heavy lifting on Homeland Security Presidential Directive-12 is just beginning.
The General Services Administration has awarded a highly anticipated contract for turnkey solutions to help agencies meet the Oct. 27 deadline. But federal officials are warning agencies not to lose sight of HSPD-12's broader mandate: to better secure the government.
The goal of HSPD-12 is not the card, "the goal is to improve the protection of the physical and IT assets of the government," said Michel Kareis, director of GSA's HSPD-12 program and its new Managed Services Office. "The card is an enabler to that."
Under HSPD-12, issued nearly two years ago, agencies must begin assigning interoperable personal identity verification (PIV) cards for new employees and contractors.
Last year, the mandate required agencies to ensure their processes for issuing credentials and for registering employees who meet the criteria laid out in Federal Information Processing Standard 201.Start-up struggles
The operative word for the program is "begin," as all but a few agencies are still struggling to set up the infrastructure needed for card production and issuance. Several agencies have banded together and created an informal working group to share best practices as the deadline nears.
In an Aug. 18 announcement, GSA said it had awarded BearingPoint Inc. of McLean, Va., a five-year, $104 million contract to help agencies make the transition. But the Office of Management and Budget has not and will not offer any additional funds to meet the mandate.
OMB has since established an HSPD-12 Executive Steering Committee, a multiagency group formed to oversee compliance with the directive, and has met with GSA to determine how agencies should work together to meet this deadline.
Essentially, agencies participating in GSA's new Managed Services Office get something like a free pass. GSA and BearingPoint are responsible for establishing the infrastructure for issuing the smart cards by Oct. 27, and participating agencies are responsible for helping to foot the bill.
Agencies that are not participating in the GSA offering must be able to begin issuing PIV cards in at least one location, said an OMB official who requested anonymity.
"Agencies must also plan to have the capability in place for all other locations, so PIV cards can be issued to all employees and contractors by fiscal 2008," the official said.
Under the contract, BearingPoint will enroll employees, issue smart cards that meet the National Institute of Standards and Technology's FIPS-201-1, and maintain identification management accounts.
BearingPoint is bringing in a team to provide the technology and services, said David Temoshok, director of GSA's ID Management Division.
After a brief period for testing, GSA and BearingPoint will set up sites in Atlanta, New York, Seattle and Washington to begin issuing the cards before the deadline, said officials from GSA and the HSPD-12 steering committee.
If the first few months are successful, GSA will pick up one of the contract's option years and expand the enrollment stations to about 400 sites nationwide.
Each participating agency won't necessarily get an ID card issued Oct. 27. Instead, over the next several months, agencies will be scheduled to place their orders and get their cards. The goal is to issue cards to all participating agencies within 24 months, said Chris Niedermayer, steering committee chairman and associate CIO of the Agriculture Department.
"We're just going to start issuing cards," Niedermayer said. "Some agencies will get one, some will get 10," and others won't get any right away. But, "the intention is to get some in every agency," he said.Signs of interest
It is unclear how many agencies will sign up under the contract. At press time, final price offerings had not been made, said GSA's Kareis. However, the more than 25 agencies that participated in the informal working group promoting the shared-services approach likely will be most interested in participating.
For Kareis, the more the merrier, because the BearingPoint contract stipulates that having multiple agencies on board will result in lower prices.
"We'd like to engage as many agencies as possible," Kareis said.
Several agencies are running their own solicitations for HSPD-12 products, and the Interior Department's National Business Center is considering acting as a shared-services provider.
Issuing the cards is only the beginning of the HSPD-12 equation, however. Even agencies signed up with GSA or another shared-services provider are on their own to acquire the appropriate card readers and infrastructure to use the cards, officials said.
"Everyone is focusing on the next date, but it is really a much larger initiative we're trying to achieve," Kareis said.
Agencies must set up physical and logical access controls for using the cards to give access to federal buildings and IT systems, although no deadline for offering those services has yet been set.
"On Oct. 27, I don't think you're going to see people with physical access controls," the steering committee's Niedermayer said. "That is still the responsibility of each agency."
And this responsibility could prove problematic, because although the technology and products exist, many agencies do not have the expertise to implement an end-to-end solution, government and industry officials said.
"From the beginning, all the focus as been on the card, not on the system and identity management portion of it," said one former government official who requested anonymity. "How are agencies going to purchase these items and put everything into place?"
BearingPoint officials could not be reached for comment at press time.
Rob Thormeyer is a staff writer with Government Computer News. He can be reached at firstname.lastname@example.org.