HSPD-12: United States of Access Control
A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?
August 01, 2006 — CSO —
The nuptials are set for Oct. 27, 2006. That's the day by which every agency in the U.S. government is supposed to be issuing smart cards that will marry physical access control and logical access control. The plan, mandated by Homeland Security Presidential Directive 12 (HSPD 12), is that all 5 million-plus federal employees and contractors eventually be given a common identification card that can be used anywhere and everywhere. At the front door of the federal building where the employee works. With single sign-on to computer systems. As part of three-factor authentication involving biometrics. On visits to headquarters or neighboring agencies.
"It's a good idea, and we've got to do it," says Bruce Brody, former CISO for the U.S. Department of Veterans Affairs and before that the Department of Energy, who's now VP for information security at the consultancy Input. "Getting off of passwords and getting to multifactor authentication, that's where the government has to go" to improve security in the long run.
The much-anticipated day could be the shiny, happy moment in security convergence history, with the government unveiling a system that improves not only security but also efficiency, thus driving adoption by the private sector. Instead, however, the looming deadline has federal agencies in agony, the physical security community in chaos and the White House on the defensive.
Both vendors and federal agencies are complaining that policy-makers are providing too little, too late in terms of guidance. According to a survey released by Input in June, almost half of federal IT security executives still did not have a complete plan in place or feel that the government was providing enough clarity for them to comply. Another pain point: They can't find funding for the mandate, which could cost millions.
At Veterans Affairs, which is an early adopter of smart card technology, HSPD 12 Program Manager Joseph Bond is so far from being able to set up standardized physical access control that he still has facilities where employees need multiple cards to enter different parts of one building. "Our legacy system is really unwieldy at this point, and I have no influence over when those legacy systems will be brought up to speed," he says.
At the U.S. Department of Interior, CIO Hord Tipton is no more encouraging. Despite the fact that HSPD 12 specifically references physical access, Tipton wrote in an e-mail to CSO, "Physical access is not clearly on the scorecard."
Meanwhile, physical access control vendors are struggling to create products that simply didn't exist before, while at the same time transforming themselves into businesses governed by standards, this when the U.S. General Services Administration has left them waiting for technical specs and approval. "The cart is before the horse," says Mark Visbal, director of research and technology at the Security Industry Association, which represents dozens of access control vendors. As of early June, he says, "We have a good idea what [GSA is] asking for, but it's not finalized." To add to the confusion, GSA arcana initially made it unclear even whether these emerging products must be classified as security or IT products, lengthening an already tangled procurement process.