In Depth
HSPD-12: United States of Access Control
A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?
By Sarah D. Scalet
Through a spokeswoman, the Office of Management and Budget's Karen Evans, the Bush administration's top administrator for e-government and IT, insists that the deadline is not changing and that missing it is not an option. But observers indicate that many agencies missed an earlier deadline. According to a Government Accountability Office report released in February, agencies studied were still struggling to meet last October's supposedly easier HSPD 12 deadline, meant to standardize background check processes. The GAO went on to say that product testing may not be completed within the deadlines, further delaying progress. And because agencies are supposed to find funding within their existing budgets, the OMB has little leverage on those that fall behind. (Evans declined multiple requests to be interviewed for this story.)
"It's a train wreck," Brody says. "This thing is of enormous complexity, and the deadlines are just too aggressive. These departments are really struggling with this unfunded mandate. With the Oct. 27 deadline, you're already seeing a little bit of tap dancing in terms of changing what it means to be 'compliant.'" More and more, it seems, the spirit of the law may give way to the letter.
Chris Niedermayer, associate CIO of the U.S. Department of Agriculture, is confident that his department will be among those that start issuing the ID cards by the deadline. But even Niedermayer, who is a member of the Executive Steering Committee running the project governmentwide, acknowledges that those cards aren't likely to be read by anything but eyeballs anytime soon.
"What the rules say is that you start by issuing compliant cards; then you start integrating use of those cards into your physical and logical architecture," Niedermayer says. For the meantime, "we're still going to use [the smart card] at most of our places as a dumb card."
So much for the champagne.
Inside the Bowels of HSPD 12
HSPD 12 is a deceptively simple, 724-word document signed by President Bush in August 2004. It doesn't even contain the word card, let alone smart card. It doesn't talk about biometrics, or encryption, or multifactor authentication. It doesn't mention background checks.
What it does instead is mandate something that everyone agrees is a very good idea: that government employees and contractors be given a "secure and reliable form of identification" that can be recognized and trusted between agencies, and that grants the individual "physical access to federally controlled facilities and logical access to federally controlled information systems." The directive puts OMB in charge of issuing guidance and ensuring compliance, and the U.S. Department of Commerce in charge of creating the standards.



