In Depth

HSPD-12: United States of Access Control

A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?

By Sarah D. Scalet

August 01, 2006CSO

The nuptials are set for Oct. 27, 2006. That's the day by which every agency in the U.S. government is supposed to be issuing smart cards that will marry physical access control and logical access control. The plan, mandated by Homeland Security Presidential Directive 12 (HSPD 12), is that all 5 million-plus federal employees and contractors eventually be given a common identification card that can be used anywhere and everywhere. At the front door of the federal building where the employee works. With single sign-on to computer systems. As part of three-factor authentication involving biometrics. On visits to headquarters or neighboring agencies.

"It's a good idea, and we've got to do it," says Bruce Brody, former CISO for the U.S. Department of Veterans Affairs and before that the Department of Energy, who's now VP for information security at the consultancy Input. "Getting off of passwords and getting to multifactor authentication, that's where the government has to go" to improve security in the long run.

The much-anticipated day could be the shiny, happy moment in security convergence history, with the government unveiling a system that improves not only security but also efficiency, thus driving adoption by the private sector. Instead, however, the looming deadline has federal agencies in agony, the physical security community in chaos and the White House on the defensive.

Both vendors and federal agencies are complaining that policy-makers are providing too little, too late in terms of guidance. According to a survey released by Input in June, almost half of federal IT security executives still did not have a complete plan in place or feel that the government was providing enough clarity for them to comply. Another pain point: They can't find funding for the mandate, which could cost millions.

At Veterans Affairs, which is an early adopter of smart card technology, HSPD 12 Program Manager Joseph Bond is so far from being able to set up standardized physical access control that he still has facilities where employees need multiple cards to enter different parts of one building. "Our legacy system is really unwieldy at this point, and I have no influence over when those legacy systems will be brought up to speed," he says.

At the U.S. Department of Interior, CIO Hord Tipton is no more encouraging. Despite the fact that HSPD 12 specifically references physical access, Tipton wrote in an e-mail to CSO, "Physical access is not clearly on the scorecard."

Meanwhile, physical access control vendors are struggling to create products that simply didn't exist before, while at the same time transforming themselves into businesses governed by standardsthis when the U.S. General Services Administration has left them waiting for technical specs and approval. "The cart is before the horse," says Mark Visbal, director of research and technology at the Security Industry Association, which represents dozens of access control vendors. As of early June, he says, "We have a good idea what [GSA is] asking for, but it's not finalized." To add to the confusion, GSA arcana initially made it unclear even whether these emerging products must be classified as security or IT products, lengthening an already tangled procurement process.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

Welcome to the age of Service-Oriented Security (SOS)

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Envision Identity-Based Access Control for the Datacenter

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Enabling Compliance with Converged Mainframe Security and Storage

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Understanding Data Location is Imperative for Data Loss Prevention

5 Steps to Secure Outsourced Application Development

Efficient - Flexible - Compliant

Digital Identity Protection and Data Security Get Personal

Simplify your data center with Juniper Networks. View the webcast

Solving Online Credit Fraud Using Device Reputation

Secure your virtual and physical environments with the same software

Any company can promise identity protection. Only Debix can prove it

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

How Are Open Source Development Communities Embracing Security Best Practices?

Using Likewise to Comply with PCI Data Security Standard

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously