On Aug. 27, 2004 the Bush administration issued the Homeland Security Presidential Directive 12, which outlined a series of objectives to ensure a common identification system across all government agencies. The goal of the mandate is to enhance security and increase government efficiency by reducing identity fraud.
Ambitious and difficult, compliance is no easy feat. It spells out big money for the companies that supply the services and products that organizations will be forced to implement, but the final (expected) deadline of Oct. 27, 2006 may be unrealistic. Is it possible? Is the technology there? What is expected and needed to make it a reality? Sokoloff & Company interviewed top industry experts to get their opinions on the impact HSPD 12 is having on the industry and how they're responding.
The first issue facing the successful implementation of HSPD 12 is the determination of the criteria necessary to authenticate an employee's identity. The Federal Information Processing Standards Publication (FIPS 201-1) lays out a thorough process for applicant verification. Traditional methods of identity validation include a driver's license, a passport, a Social Security card and a birth certificate.
However, with the HSPD-12 directive, the process becomes much more difficult. The Smart Card (an ID card implanted with computer chips or radio frequency identification "RFID") must carry two fingerprints, a photo, personal data and a public key infrastructure (PKI) certificate.
Larry Midland, president and CEO of Hirsch Electronics, explained the hurdle that organizations are now faced with: "The concept of 'verifying identity' now means that a government employee or contractor must go through a formal process of collecting personal identifying data followed by a background check, prior to being issued a credential."
FIPS 201-1 is broken down into two processes: PIV I (personal identity verification) and PIV II. Keith Wilson, vice president of operations at Smartnet, points out that PIV II requires fingerprints and facial biometrics to be captured during identity proofing and registration and re-verified when the card is issued.
Midland said that once the approach becomes accepted by the federal, state and local governments, it will become more of a standard and said, "Corporate IT departments are already using PKI to enable a single card to gain access to the computer network as well as doors in buildings throughout the enterprise."
The standards outlined by FIPS 201-1 are only useful if the cards themselves are designed to prevent fraud and tampering.
Erik Larsen, product manager for identity solutions for Lenel Systems International, listed visual safeguards, such as micro printing, guilloche printing (spirograph-like curves) and holograms as some of the techniques currently used to protect the integrity of the card.
Kirk Brafford, vice president for federal enterprise systems at MAXIMUS, feels that the best fraud and tampering safeguard is the verification of the PIV through reading the contact integrated circuit chip on the card. This requires a computer-based program (middleware), a card reader and the cardholder's PIN, entered by the person using the card. In addition to incorporating these security features, PIV II further requires that all smart cards work in conjunction with biometrics.
Smart cards have the ability to electronically store biometric information such as fingerprints or iris scans, and that record can be retrieved and compared with someone's individual live biometric scan.
Wilson calls it a "three-factor" identity management system that will require users to present a smart card, enter a password and verify a biometric scan. The three factors are "something you possess (the smart card), something you know (the password) and something you are (the biometric)." The ability to supply these smart cards and the technology required to make them work presents a large opportunity for companies.
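The verification flow described above (chip read by middleware, PIN entry, stored biometric compared against a live scan), modelled as an added example that is not code from the article or from any vendor quoted in it. The issuer key, the HMAC stand-in for the card's PKI signature, the bit-distance biometric matcher and the sample templates are all constructed assumptions; the point is that tampered card data fails before the PIN or biometric is ever checked.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer key: a stand-in for the issuing agency's PKI signing key.
# Real PIV cards carry an X.509 certificate and asymmetric signatures; HMAC is
# used here only so the example runs with the standard library (assumption).
ISSUER_KEY = b"constructed-issuer-key-for-demo"
BIOMETRIC_THRESHOLD = 8  # max differing bits between stored and live template


@dataclass
class PivCard:
    holder: str
    pin_hash: bytes              # checked on-card before data is released
    fingerprint_template: bytes  # biometric record stored on the chip
    signature: bytes             # issuer signature over holder + template


def _sign(holder: str, template: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, holder.encode() + template, "sha256").digest()


def issue_card(holder: str, pin: str, template: bytes) -> PivCard:
    """Enrollment: bind holder, PIN and captured fingerprint into a signed card."""
    pin_hash = hashlib.sha256(pin.encode()).digest()
    return PivCard(holder, pin_hash, template, _sign(holder, template))


def hamming_distance(a: bytes, b: bytes) -> int:
    """Bits that differ between two templates (toy matcher, not a real one)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) + 8 * abs(len(a) - len(b))


def verify_piv(card: PivCard, pin_entered: str, live_scan: bytes) -> str:
    """Middleware-side check of the three factors; returns 'accept' or a reason."""
    # Something you have: the card data must carry a valid issuer signature,
    # so an altered template or holder name is rejected before anything else.
    if not hmac.compare_digest(_sign(card.holder, card.fingerprint_template), card.signature):
        return "reject: card data not signed by issuer"
    # Something you know: the PIN unlocks the card.
    if not hmac.compare_digest(hashlib.sha256(pin_entered.encode()).digest(), card.pin_hash):
        return "reject: PIN mismatch"
    # Something you are: the live scan must be close enough to the stored template.
    if hamming_distance(card.fingerprint_template, live_scan) > BIOMETRIC_THRESHOLD:
        return "reject: biometric mismatch"
    return "accept"
```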
Accreditation is just beginning. All suppliers have to go through an accreditation process before contracts are awarded.
Larsen said it doesn't matter who does it, whether it's NIST (the National Institute of Standards and Technology) or the General Services Administration (GSA), but that the process is firmly defined and that manufacturers and suppliers must submit for accreditation.
Brafford went further, saying that a FIPS 201-1 certified evaluation laboratory, run by an accredited government testing organization that would test and certify suppliers' hardware, should be mandatory.
Compliance with the standards set up by FIPS 201 is step one in being accredited. The GSA has established an approved product list and testing procedures to confirm compliance with the significant aspects of the NIST standards. A consumer will be able to check the GSA website to see if products and services are listed as having passed compliance requirements.
Wilson added that the awarding of contracts is governed by the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation (DFAR) clauses, and that once a product is certified, normal competition for contracts will occur.
Additional difficulties exist in the implementation of HSPD 12. According to Midland, one of the main challenges is that there have been so many specifications published that the target is always moving.
"Not knowing what actually is required makes it difficult to develop products," he said.
He also stated that government customers previously put projects on hold until they were assured of compliance, which adversely affected a number of companies.
Wilson said it comes down to budget. "Most agencies mandated by OMB (Office of Management and Budget) don't have the budgets to implement these systems and no money is planned." Furthermore, many government agencies are waiting for an OMB decision on the centralized PIV Card issuance plan and the related costs for using this shared issuance provider (SIP). Brafford explained, "This delay of a SIP plan or the approval for federal agencies to go forward on their own has slowed the process for many hardware vendors to commit resources for an unknown business case model."
Though the road to HSPD 12 compliance is rocky, everyone interviewed agreed that the technology exists today to execute the directive. However, interfaces between components still need development, as does finalization of the specifications.
Wilson cited the example of the PIV II fingerprint requirements, which weren't confirmed until recently. That leaves little time for manufacturers to finalize designs and integrate the solution prior to the HSPD-12 mandate of Oct. 27, 2006.
Midland said, "We can build whatever is required, but there is a lot of administration that needs to be put in place." Agencies will need practical procedures to bring people to the card issuance station (or vice versa) and they will have to staff and train personnel to operate the new equipment. Partnerships will have to be formed by various suppliers of all the pieces of the puzzle, and funding and procurement processes for government agencies will have to be laid out.
Larsen said, "It's one thing to create and test some cards in a lab, but it's another thing to meet the demands for the millions of government employees needing a new PIV credential."
Having the technology and knowing what's expected will smooth the inevitable transition into this new world of security.
Said Wilson: "I think the embedded culture and resistance to change which is encountered in many agencies is the most significant hurdle which needs to be overcome for successful implementation. This is becoming more apparent as we get closer to Oct. 27 and so many loose ends still remain to be finalized."
Clarissa Jacobson is director of research and administration for Peter A. Sokoloff & Co., an investment banking firm that specializes in mergers and acquisitions of companies in the security industry.