The nuptials are set for Oct. 27, 2006. That's the day by which every agency in the U.S. government is supposed to be issuing smart cards that will marry physical access control and logical access control. The plan, mandated by Homeland Security Presidential Directive 12 (HSPD 12), is that all 5 million-plus federal employees and contractors eventually be given a common identification card that can be used anywhere and everywhere. At the front door of the federal building where the employee works. With single sign-on to computer systems. As part of three-factor authentication involving biometrics. On visits to headquarters or neighboring agencies.
"It's a good idea, and we've got to do it," says Bruce Brody, former CISO for the U.S. Department of Veterans Affairs and before that the Department of Energy, who's now VP for information security at the consultancy Input. "Getting off of passwords and getting to multifactor authentication, that's where the government has to go" to improve security in the long run.
The much-anticipated day could be the shiny, happy moment in security convergence history, with the government unveiling a system that improves not only security but also efficiency, thus driving adoption by the private sector. Instead, however, the looming deadline has federal agencies in agony, the physical security community in chaos and the White House on the defensive.
Both vendors and federal agencies are complaining that policy-makers are providing too little, too late in terms of guidance. According to a survey released by Input in June, almost half of federal IT security executives still did not have a complete plan in place or feel that the government was providing enough clarity for them to comply. Another pain point: They can't find funding for the mandate, which could cost millions.
At Veterans Affairs, which is an early adopter of smart card technology, HSPD 12 Program Manager Joseph Bond is so far from being able to set up standardized physical access control that he still has facilities where employees need multiple cards to enter different parts of one building. "Our legacy system is really unwieldy at this point, and I have no influence over when those legacy systems will be brought up to speed," he says.
At the U.S. Department of Interior, CIO Hord Tipton is no more encouraging. Despite the fact that HSPD 12 specifically references physical access, Tipton wrote in an e-mail to CSO, "Physical access is not clearly on the scorecard."
Meanwhile, physical access control vendors are struggling to create products that simply didn't exist before, while at the same time transforming themselves into businesses governed by standardsthis when the U.S. General Services Administration has left them waiting for technical specs and approval. "The cart is before the horse," says Mark Visbal, director of research and technology at the Security Industry Association, which represents dozens of access control vendors. As of early June, he says, "We have a good idea what [GSA is] asking for, but it's not finalized." To add to the confusion, GSA arcana initially made it unclear even whether these emerging products must be classified as security or IT products, lengthening an already tangled procurement process.
Through a spokeswoman, the Office of Management and Budget's Karen Evansthe Bush administration's top administrator for e-government and ITinsists that the deadline is not changing and that missing it is not an option. But observers indicate that many agencies missed an earlier deadline. According to a Government Accountability Office report released in February, agencies studied were still struggling to meet last October's supposedly easier HSPD 12 deadline, meant to standardize background check processes. The GAO went on to say that product testing may not be completed within the deadlines, further delaying progress. And because agencies are supposed to find funding within their existing budgets, the OMB has little leverage on those that fall behind. (Evans declined multiple requests to be interviewed for this story.)
"It's a train wreck," Brody says. "This thing is of enormous complexity, and the deadlines are just too aggressive. These departments are really struggling with this unfunded mandate. With the Oct. 27 deadline, you're already seeing a little bit of tap dancing in terms of changing what it means to be 'compliant.'" More and more, it seems, the spirit of the law may give way to the letter.
Chris Niedermayer, associate CIO of the U.S. Department of Agriculture, is confident that his department will be among those that start issuing the ID cards by the deadline. But even Niedermayer, who is a member of the Executive Steering Committee running the project governmentwide, acknowledges that those cards aren't likely to be read by anything but eyeballs anytime soon.
"What the rules say is that you start by issuing compliant cards; then you start integrating use of those cards into your physical and logical architecture," Niedermayer says. For the meantime, "we're still going to use [the smart card] at most of our places as a dumb card."
So much for the champagne.
Inside the Bowels of HSPD 12
HSPD 12 is a deceptively simple, 724-word document signed by President Bush in August 2004. It doesn't even contain the word card, let alone smart card. It doesn't talk about biometrics, or encryption, or multifactor authentication. It doesn't mention background checks.
What it does instead is mandate something that everyone agrees is a very good idea: that government employees and contractors be given a "secure and reliable form of identification" that can be recognized and trusted between agencies, and that grants the individual "physical access to federally controlled facilities and logical access to federally controlled information systems." The directive puts OMB in charge of issuing guidance and ensuring compliance, and the U.S. Department of Commerce in charge of creating the standards.
Within six months of being signed, that two-page directive turned into hundreds of pages of instructions, the centerpiece of which was created by the National Institute of Standards and Technology (which is part of Commerce). This standard is called the Federal Information Processing Standard 201, Personal Identity Verification of Federal Employees and Contractors. It's referred to as FIPS 201.
The standard is split into two parts. The first part is supposedly the easy part. It establishes processes for making sure that identification is issued only to individuals who have met certain requirements, like having a background check done. The idea is that if these processes are standardized, it will be easier for one agency to trust a card issued by another.
The second part of FIPS 201 is more complicated. It is the technical part of the standard and establishes smart cardswhich contain a microprocessor that can both store and process dataas the new form of identification. Part two of FIPS 201 lays out not only the physical format of the credit card-sized cards but also cryptographic, biometric and card reader specifications. It contains what seems like an impossible level of detail about the cards, right down to font size (5 pt., 6 pt. and 10 pt.).
You'd be crazy to know any more about FIPS 201 than you have to, but a few components are key:
1. The cards must be capable of being read in two ways: with a "contactless" reader and a "contact" reader, both of which must meet International Organization for Standardization (ISO) standards. The contactless reader is intended for situations where speed is keyto allow cardholders to pass quickly through, say, the main entrance to a building without creating long lines. The contact reader is intended for higher-security applications where speed is less important and there's time for the card to be physically inserted.
2. The cards must contain a biometric componentin addition to a photograph, templates of two fingerprints. However, these templates must be available only when the card is physically inserted into a reader and the cardholder punches in a PIN. This setup assuages privacy concerns about, say, the image of a fingerprint being stolen from someone's card as he walks by. It also means that in any situation where biometrics are used, there is three-factor authentication: something the individual has (the card), something he knows (the PIN) and something that's part of him (a fingerprint).
3. The cards must contain a unique identifier. Remember, up until now, each agencyand usually, each location of each agencywas on its own for issuing access cards. The new smart cards will eventually be rolled out to millions of federal employees and contractors. For the systems to keep cardholders straight, each card must contain a credential number, a digital signature and an expiration date.
All of this is no cheap affair. The Smart Card Alliance, a trade group, estimates that just issuing the cards alonenot counting the associated background checks and policy changescould cost close to $50 a person. Multiply that by 1.9 million federal employees and contractors outside of the Department of Defense, and 3.5 million within it, and you quickly end up with a price tag of $270 million. And that's not counting the infrastructure upgrades that will be necessary for agencies to actually use the cards.
If you suspect one more acronym is coming, you're right. The whole thing is, in short, a BHAGbig, hairy, audacious goal. And the government wants it done. Fast.
The deadline for the first part of FIPS 201 was Oct. 27, 2005. In its February report, the GAO indicated that agencies studied were still working on this requirement, but progress was good enough that the OMB declared everyone had complied. The bigger deadline, for part two, is Oct. 27 of this yearthe day of the aforementioned nuptials. There's just one problem. The technology is only just being developed.
For the card system to be truly interoperable, more than a dozen pieces of technology have to work in concertfrom smart cards to readers to card management systems to physical and logical access control systems. But legacy physical access control systems, for instance, can't support the extra data on the smart cards, and their proximity readers usually function on a different wavelength. The biometrics industry has been using a mishmash of methods to store and validate fingerprint templates on smart cards, all of which are proprietary. And it turns out that none of the existing smart card deployments in the federal government are compliant with the new standards.
All of this means that this summer, NIST was still in the process of testing whether new product lines conform with the standards, and the GSA was still testing whether new products work togetherthis when the government procurement process alone typically takes months. On the last day of June, OMB announced that the first nine products, from five vendors, had been approved. Meanwhile, agencies had been sitting on their hands. (GSA did not respond to a request for an interview.)
"You can't establish a FIPS 201compliant system unless it's composed of products off [the GSA] product list," explained Bond, from Veterans Affairs, in early June. "If you don't know what's on that approved product list, you can't build your system. There are a number of agencies and departments who had started [working on smart card systems] before FIPS 201 that are literally waiting because they don't know what's going to be on the list."
Of course, part of this is just how the standard-making process works. The government decides it wants to make a change, codifies it and pushes it forwardcausing pain along the way but eventual improvements. But the vast scope of and short time line for HSPD 12 have made the pain especially acute and even called into question whether the program isn't bound to fail.
"A project like this has never been done before, particularly on this scale," says Randy Vanderhoof, executive director of the Smart Card Alliance. "It's not pointing fingers at the government as much as it is that taking on this projectdefining this HSPD 12 interoperable card platformwas I think much more than the policy writers anticipated. And now that they're in the midst of it, there's no turning back."
A Proprietary Jungle
Michael Butler got his introduction to smart cards almost 10 years ago, when he went to work for a Navy office with a smart card program. "My predecessor had installed about seven smart card systems, and they were the most painful part of my job," recalls Butler, a former Navy officer with a master's degree in computer engineering. "Every time [there was an upgrade]like if I bought a new card version from the manufacturermy physical security system quit working. Usually it was when some admiral or general was around. I had to go to every reader, in every building, and update the firmware and the readers."