Special Homeland Security Section: Federal ID Phase-In Underway
On Aug. 27, 2004, President George W. Bush issued Homeland Security Presidential Directive/HSPD-12 as a new policy for a common identification standard for federal employees and contractors.
In part, this memorandum read: “Wide variations in the quality and security of forms of identification used to gain access to secure federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors (including contractor employees).”
Like most directives from organizational leaders, HSPD-12 stated (and mandated) “what” was to be implemented, not “how” it would be accomplished. However, the National Institute of Standards and Technology (NIST) has clearly detailed the “how” by creating and defining a Personal Identity Verification (PIV) system as described in Federal Information Processing Standards Publication 201-1 (FIPS PUB 201-1).
In order for the typical systems integrator to further pursue the business opportunities available with the many departments, agencies and government contractors that must comply with HSPD-12, it is necessary to gain a firm grasp of these new requirements. Integrators should also realize the potential for using the framework of these standards to assist other private and public sector organizations in pursuing a similar path of interoperability.
Security Sales & Integration bounced some critical questions off two of the leading authorities on this subject: Karen Evans, administrator of E-Government and Information Technology for the Office of Management and Budget (OMB) in Washington, D.C.; and Security Industry Association (SIA) Research Director Mark Visbal.
What are the basic requirements necessary to meet this standard, and who must comply with it?
Karen Evans: HSPD-12 requires agencies to implement a mandatory, government-wide standard for secure and reliable forms of identification for federal employees and contractors. Oct. 27, 2005, was the first major HSPD-12 requirement. The standard and subsequent OMB guidance asked agencies to first focus on revising their identification policies and then ensure background investigations are being completed for employees and contractors.
To meet the Oct. 27, 2006, requirement, all agencies were asked to have a capability in place to begin issuing Personal Identity Verification (PIV) cards in at least one location by this date. Agencies must also plan to have the capability in place for all other locations so PIV cards can be issued to all employees and contractors by Oct. 27, 2008. ID card issuance can be phased in through fiscal year 2006-2008 and physical and logical access control systems will be phased in over several years as indicated in agencies’ OMB-agreed upon implementation plans.
Mark Visbal: FIPS 201-1 is, essentially, an interoperability standard for smart cards and readers used in support of the common (PIV) credential mandated by HSPD-12. The cards, algorithms and biometrics templates are tested by NIST, the reader specifications were developed and tested to by the GSA. Anyone wanting to sell products to the U.S. government must meet these requirements and have their products placed on the GSA ‘Approved Products List’ [APL].
How will this standard improve security in government facilities, compared to what was previously done?
Evans: The intent of HSPD-12 is to increase the level of protection at our federal facilities and for our federal employees and contractors. A key benefit of the HSPD-12 standard is that it will ensure standardized processes and systems so agencies can trust each other’s identification.
Visbal: By the virtue of strong authentication of the user to the credential, security is increased. The ability to leverage physical and logical access synergies also gives a higher level of security. The use of digital signatures and PKI certificates assures the integrity of the information on the credential and authentication of individuals in e-commerce environments.
What are the most difficult aspects of implementing this standard, and how are they being dealt with?
Evans: A GAO report issued in February 2006 outlined specific challenges agencies faced with respect to their HSPD-12 implementations and funding was raised as one of the challenges. OMB asked the agencies to analyze their current expenditures in the areas of identity management, physical access control and human resources to identify funding opportunities.
To help ensure agencies are able to overcome challenges, OMB has also taken steps to closely monitor agency implementation progress and the completion of key activities. In September 2006, OMB asked agencies to submit updated HSPD-12 plans and, in 2007, OMB established an agency reporting process to monitor agency progress in meeting the goals of HSPD-12.
Visbal: The facts that HSPD-12 is an unfunded mandate and that for full compliance manufacturers will need to come up with a new generation of equipment makes this a challenge. Because security systems are now considered IT systems by government, there are a slew of new requirements manufacturers and integrators will need to comply with. We, as an industry, should be looking at the requirements of NIST SP 800-37 and SP 800-47, and internalizing them. This is also new to the GS-0080s as well. Somebody needs to take the lead and be prepared for the hard questions when they come.
Who polices and makes sure the standard is being adhered to?
Evans: Agencies are responsible for ensuring they are following the requirements of law and policy and OMB provides oversight as necessary. Additionally, the Inspector Generals conduct reviews to ensure the requirements of the standard are being followed and the appropriate business processes are being followed to ensure the chain of trust.
What can be done to reduce the cost of HSPD-12 implementation?
Evans: Prior to the president’s direction, there were no trusted government-wide standards and millions of dollars were being spent annually on incompatible systems. With the implementation of HSPD-12, the executive branch is applying a consistent, risk-based approach to physical and information systems security that will improve our security and keep costs at the same, or reduced, level.
To help reduce the costs of HSPD-12 implementation, GSA and Department of Interior’s [DOI] National Business Center are offering government-wide shared services to assist agencies in meeting the objectives of the directive. Services are offered at a lower cost through GSA and DOI due to economies of scale. The shared infrastructure provides government-wide identity proofing, registration, printing, issuance, and lifecycle management services as defined in FIPS 201.
What impact will this standard have on access control in the private sector?
Visbal: It is reasonable to assume the private sector will embrace the HSPD-12 model. Organizations such as the Open Security Exchange [OSE] have been pursuing the integration of logical and physical security for years. The government is both a guinea pig and the tip of the iceberg.
How can interested parties learn more?
Evans: Refer to www.idmanagement.gov.
Visbal: Join SIA’s PIV Working Group or the Smart Card Alliance Physical Access Council.