In Depth

HSPD-12: United States of Access Control

A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?

By Sarah D. Scalet

"The degree of difficulty is high, and time frames are short," says Linda Koontz, GAO's director of information management issues, who wrote the February GAO report. "You can't, in some respects, fault the OMB for wanting to move aggressively on this, but at the same time there are questions about whether the agencies will be able to meet these deadlines."

To hear Niedermayer describe it, however, those who say the task is insurmountable are simply misinterpreting the deadline. "We make it a lot more difficult than it is," he says pragmatically. "It seems to be such a very difficult, complicated architectural, technological, cultural change that you can't do it. But it's really not that tough. I think the deadlines are achievable. It depends what your expectation is, though. If your expectation is that 1.9 million people are going to have a badge on Oct. 27, that's not achievable. Will the government start rolling out the process to badge 1.9 million people in October? That is achievable."

"Everything that should be known probably isn't known yet, so there's a little bit of a risk," Niedermayer continues. "But agencies don't need to implement the physical access plan right away, so that's not really a pressing issue for the next 12 months."

That interpretation is either the best or the worst thing about the initiative. By expecting agencies to divert funds into standardized technology instead of existing technology, the government saved itself a huge outlay. "There is not a doubt in my mind that almost every single reader on every single door in the federal government will have to be replaced," Defense's Butler says. According to Neville Pattinson, director of marketing and government affairs for smart card provider Gemalto, a typical upgrade of a physical access system costs from $400 to $4,000 per door for readers and the communications systems behind them.

But the government also left itself without much enforcement ability. "It's always hard to create the penalties if it's not a funded program," says Dennis Nadler, CTO of Merlin Technical Solutions, who spent 14 years in the federal government. "What, the Homeland Security guys didn't meet this deadline, so the OMB is shutting down Homeland Security, and no one can get into work?"

From a project management standpoint, the Bush administration's approach (tight deadlines to push agencies and vendors, loose interpretation to ease technical and funding problems) may indeed be the most reasonable. The rub is that the smart cards alone don't necessarily improve much. In trying to implement HSPD 12 in a way that's reasonable, the federal government may end up spending lots on something that doesn't deliver much security or efficiency. Shotgun weddings have a purpose, but that doesn't mean they produce good marriages.
