Many federal government agencies are well into their efforts to comply with Homeland Security Presidential Directive 12 (HSPD-12), designed to improve identity management among the government entities and their main suppliers.
But like the regulatory pain private enterprise continues to experience with the likes of HIPAA and Sarbanes-Oxley, efforts to comply with the directive have gone slowly for government agencies, showing just how difficult it can be to implement a broad security initiative across a multitude of organizations.
HSPD-12, issued in 2004 by President George W. Bush, requires agencies to implement a common identity management system for employees and contractors. It's aimed at enhancing security, reducing identity fraud and protecting personal privacy by means of secure and reliable identification.
The U.S. Office of Management and Budget (OMB), in providing instructions and deadlines to federal departments and agencies to comply with HSPD-12, noted that approaches to physical and information security have been inefficient and costly, and increase risks to the federal government. OMB says successful implementation of HDPS-12 will increase the security of federal facilities and information systems.
From NIST to FIPS-PIV
The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) -- working in conjunction with private industry and other federal agencies including OMB, the Office of Science and Technology Policy and the Departments of Defense, State, Justice and Homeland Security -- developed a standard for a common government-wide identification system in 2005.
The standard, Federal Information Processing Standard (FIPS) for a personal identity verification (PIV) system, is based on the use of smart cards, to be issued by all federal departments and agencies to their employees and contractors who require access to federal facilities and information systems.
HSPD-12 requires that identification mechanisms be based on sound criteria for verifying an individual's identity. They must be strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation; rapidly authenticated electronically; and issued only by providers whose reliability has been established by an official accreditation process.
"PIV is intended as the single credential to be used by employees and contractors of the executive branch to electronically verify identity and be trusted prior to gaining authorization for access to logical systems and federal facilities," says a spokesperson for OMB. It's designed to be interoperable across the breadth of the executive branches, so agencies can attain a high level of assurance in a single credential that's electronically verified without the need to issue other credentials when working across agency domains, he says.
Use of PIV credentials isn't required for access to federal applications where identity assurance is not needed (for example, low-risk, public-facing websites, blogs, etc.).
In February 2011, the Department of Homeland Security (DHS) issued a memo directing agencies to ramp up efforts to issue and use PIV smart card credentials. The DHS outlined a plan of action that included a requirement that all new systems under development be enabled to use PIV credentials prior to being made operational.
The memo stated that effective from the beginning of 2012, existing physical and logical access control systems must be upgraded to use PIV credentials in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities.
To help agencies comply with HSPD-12, the U.S. General Services Administration (GSA), which administers an Interoperability Test Program and Approved Products and Services List for HSPD-12 and serves as the Public Key Infrastructure Policy Authority, launched the HSPD-12 Managed Services Office (HSPD-12 MSO).
Also see: "HSPD-12: United States of Access Control"
USAccess Simplifies PIV
MSO, which provides turnkey services to produce PIV-compliant credentials and assists agencies in satisfying security requirements, established the USAccess program -- a managed, shared service that simplifies the process of procuring and maintaining PIV-compliant credentials. MSO provides the tools needed to help participating agencies receive the USAccess end-to-end service.
Currently, USAccess has 97 agency customers and some 553,135 individuals have enrolled in the program, says Bill Windsor, USAccess program manager at GSA's Federal Acquisition Service, HSPD-12 Managed Service Office.
According to OMB's latest update, in September 2011 HSPD-12 credentials had been issued to about 4.3 million federal employees (91 percent of those eligible) and some 846,000 contractors (81 percent). OMB reported that 18 federal credential issuance infrastructures were in operation nationwide, and 59 system integrators and 614 products were included on the GSA's Approved Products and Services List.
"The agencies are doing a pretty good job as far as issuing cards," says Stan Kaczmarczyk, director of cloud computing services, GSA Federal Acquisition Service. "Basically the agencies we have handled are well on their way to full issuance status."
"Now that they've made progress on issuing cards, they need to actually use the cards for logical and physical access," adds Kaczmarczyk, which is a whole new challenge because agencies have to install physical and logical access systems. In that area, "agencies are quite behind the curve," he says.
Collaboration a Priority
The key to moving forward rapidly with implementations is getting senior IT and administrative executives at agencies to collaborate on the security efforts and make them a priority, Windsor says.
Agencies such as GSA and the U.S. Department of Agriculture are farther along with adoption of identity management technology largely because the CIOs at the agencies became involved early on, Kaczmarczyk says.
For example, at GSA, employees now use ID cards for access to agency buildings and computer systems. "I can't get into my office if I don't have my card," Kaczmarczyk says. GSA contractors who work on site full time are also required to use government-issued cards to enter any agency facility.
But for many agencies, the process of complying with the security directive has been fraught with challenges. One of the biggest is getting users to remember their PIN for their PIV card, Kaczmarczyk says.
The shift to a standard way to manage identities has also required lots of relearning for agencies. "Prior to HSPD-12, PACS [Physical Access Control Systems] installation base was seldom smart-card oriented," says Hildegard Ferraiolo, computer scientist at the NIST Computer Security Division.
Because of this, the change to smart-card enabled PACS was a challenge for some agencies, Ferraiolo says. Guidance on migration has helped. For example, the PACS Implementation Maturity Model in NIST's SP 800-116 recommendation provides a strategy for migration, which is complemented by the federal CIO Councils' Federal Identity, Credential and Access Management (ICAM) roadmap.
The roadmap addresses unclassified federal identity, credential and access management programs and how the executive branch of the federal government will interact with external organizations and individuals. It provides a new government-wide segment architecture for ICAM.
Accounting for Mobile Devices
Another challenge is dealing with changing technology. One example is the integration of PIV with mobile devices and cloud computing architecture. "The need to accommodate the benefits of mobile devices and cloud computing in the federal enterprise caused a rethinking on how to employ the requirements of PIV for authentication and for encryption and digital signature," the OMB spokesman says.
And although the card issuance effort across agencies is mostly complete, the effort to employ readers and accomplish electronic verification of credentials is still being worked out.
So far, overall progress in complying with the HSPD-12 directive has varied, according to a U.S. Government Accountability Office (GAO) report issued in September 2011. The agencies in GAO's review -- the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the National Aeronautics and Space Administration; and the Nuclear Regulatory Commission -- "have made mixed progress in implementing HSPD-12 requirements," the report says.
Specifically, GAO notes, they've made substantial progress in conducting background investigations on employees and others and in issuing PIV cards, fair progress in using the electronic capabilities of the cards for access to federal facilities, and limited progress in using the electronic capabilities of the cards for access to federal information systems.
"In addition, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies," the report says.
The mixed progress can be attributed to obstacles such as logistical problems in issuing credentials to employees in remote locations, which can require costly and time-consuming travel. Another problem is that agencies haven't always established effective mechanisms for tracking the issuance of credentials to contractor personnel -- or for revoking those credentials and the access they provide when a contract ends.
It's also partly a result of agencies not making it a priority to implement PIV-enabled physical access control systems at all of their major facilities, GAO says. Similarly, a lack of prioritization has kept agencies from being able to require the use of PIV credentials to gain access to federal computer systems.
In addition, the report says, a lack of funding has slowed the use of PIV credentials for both physical and logical access. There has also been minimal progress in achieving interoperability among agencies due in part to insufficient assurance that agencies can trust the credentials issued by other agencies.
"Without greater agency management commitment to achieving the objectives of HSPD-12, agencies are likely to continue to make mixed progress in using the full capabilities of the credentials," the report says.
In the final analysis, government agencies are learning the same lessons private companies have for years as they've struggled to comply with everything from PCI DSS to HIPAA and Sarbanes-Oxley: Compliance does not necessarily equal security, and finding the balance requires a lot of trial and error.
And while many in the private and public sectors have experienced data breaches despite their compliance efforts, many others have figured out how to get it right.