HSPD-12 - are you ready?
"Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)."

That's what HSPD-12 is all about - and it starts to come into force on October 27, 2006. Effectively, now.

The directive goes on to say: "As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems." In other words, we start with secure identification, and then we go on to use that secure identity to provide secure access control.

It's an excellent plan. Never mind the federal agencies (who must), the whole of industry (who should) awaits the outcome. Will it work? Because if it does, it could have major ramifications for the whole security market. We spoke to Tom Greco, Vice President at Cybertrust, for his view on how things are going.

ITsecurity: October 27th is only days away, how well did agencies do in meeting the deadline? Would you say that most agencies have reached compliance?

TG: It appears many agencies will leverage the GSA (General Services Administration) managed service organization to achieve compliance with HSPD-12. Other agencies are handling their own implementations.
I believe that OMB (Office of Management and Budget) will be assessing agency compliance with the mandate. There will be a number of agencies that will have challenges demonstrating that they have met the deadline.

ITsecurity: Are you aware of any extensions that have been granted?

TG: I am not aware of agencies that have been granted extensions. Several agencies with smart card ID programs prior to the issuance of the presidential mandate were granted "transitional status," which gives them a longer time to meet the technical requirements of PIV-II (FIPS 201 - the Personal Identity Verification standard developed by NIST to support HSPD-12).

ITsecurity: Are there any agencies that seem to be leading the pack?

TG: There are a number of agencies that are leading the pack. I would include Department of Defense, Department of Veterans Affairs, Social Security Administration, and Executive Office of the President in that group. Of course, the General Services Administration is working to have a service for other agencies in place by October 27th. The Department of Interior is also working to create a similar service model for agencies.

ITsecurity: What are the next steps for agencies in HSPD-12 compliance and when is the next deadline?

TG: The next step from a compliance perspective is to increase the level of issuance within the agencies' employee and contractor base. The October 27th deadline will demonstrate the agencies' capabilities to issue a compliant credential to new employees and contractors. The ongoing challenge will be for agencies to issue credentials to all employees moving forward. The goal is to have the bulk of employees credentialed by the end of 2008. The other challenge is to start enabling physical and network access controls that take advantage of the card features.
It is likely that the agencies will begin demonstrating network log on (logical access control) relatively quickly and physical access control capabilities will follow in a more extended timeframe.

So, so far, so good. Yet another "compliance" box we need to tick. But like most of the others, that's not how we should view it. Being "compliant" is not an onerous task to be met with reluctance - it is a goal that we should aspire to, as well as a target we must meet. In this case, shadowing HSPD-12 will be a way to ensure our own secure access control.