HSPD-12: United States of Access Control

A fast-approaching smart card deadline for federal agencies could be the seminal moment for bringing together physical and logical access control. But is the government trying to do too much too soon?


This has long been the complaint about physical access control systems: that multiple systems, even from one manufacturer, don't always work together. Since those days with the Navy, Butler, now the access card office director at the U.S. Department of Defense, has been trying to get the physical security community to move toward a standards-based model. In 1998 he helped form the Government Smart Card Interagency Advisory Board, which persuaded a major smart card chip manufacturer to put a handful of ISO commands on its cards. They were simple commands, like "get data" and "write." But they cracked open a door, and a couple other manufacturers agreed to throw the commands onto their chips too.

"All of a sudden, we have competition," says Butler, who now oversees the largest smart card installation in the federal government, with 3.5 million cards in circulation. (Butler has since taken a six-month assignment at GSA, where he will help with the technical aspects of HSPD 12 implementation.) The competition is a very good thing if you're a government agency trying to make taxpayer dollars go a long way; it's not such a good thing if you're a vendor who's used to a steady stream of revenue off a proprietary system.

In the IT world, of course, standards were what always made things work. The physical vendor community is only now starting to accept this. "If you look at something like Wi-Fi on the IT side, everybody's Wi-Fi works the same," says Gary Klinefelter, chairman of the Open Security Exchange, which was created by physical and information security vendors to create interoperable security products. "I can take my computer to anybody's building or hotel, and it works. But that same kind of standardization doesn't exist on the physical security side today. One of the big things that the government mandate will do for us is create a set of cards and readers that are interoperable."

The technical hurdles are not insignificant. People like Visbal, from the Security Industry Association, could wax poetic for hours about the difference between, say, the 125 kilohertz proximity cards in wide use and the 13.56 megahertz smart cards specified in FIPS 201. Or about why one common protocol for proximity cards supports only 64,000 unique ID card numbers, not the millions required by FIPS 201. Or about how fire safety issues in the physical security world slow down the product development process. But the writing is on the wall. Standardization, and along with it access control convergence, is coming.

"They're making us go to TCP/IP, LAN, WAN deployable systems, not just for access control but also for digital systems," Visbal says of what the government is doing. "They're forcing our hand."

Reality in the Field

Back at federal agencies, though, the changes are no less daunting. Butler says it's only been within the past year that the Department of Defense has started to overcome the cultural challenges of bringing together the teams responsible for physical access control and logical access control. "When I used to go to my physical security meeting, I used to sit down with my physical security team members who'd say, 'Oh, the geek has showed up.'"

While the directive refers matter-of-factly to a combined card for physical access and logical access, the reality is that this kind of converged access control project has simply never been done on any broad scale. And one of the particular ironies is that the agencies that are perhaps in the best position to actually issue FIPS 201-compliant cards don't have to, at least not right away. That's because OMB decided that agencies that had already made significant investments in smart card deployments could issue "transitional" cards, rather than FIPS 201 cards. Both the Department of Defense and Veterans Affairs, along with a handful of other agencies, are getting what one vendor calls a "get out of jail free" card from OMB for the October deadline.

At Veterans Affairs, for instance, Bond says the agency had already invested millions of dollars in a system that, among other things, doesn't support the new biometric requirement. "If we were to become FIPS 201 compliant, we would have to literally throw away millions of dollars of equipment and card stock," Bond says, "and OMB says that it doesn't make sense to throw away that stuff."

What's more, the new cards at Veterans Affairs will be compatible with maybe 60 percent of the existing physical access control systems throughout the agency. "Anytime we go to upgrade a facility, we will make sure that the system is in compliance," Bond says. "In the interim, you will have noncompatible systems which will require separate badges to exit and enter different parts of the facility."

Some other agencies that do have to start issuing FIPS 201-compliant cards by October are likely to find a different workaround: incorporating their legacy technology onto the new smart cards. This might involve, say, slapping an old magnetic stripe onto a new card. That makes the new card not so much one card that does everything but two cards in one. "It becomes a migration strategy," Klinefelter of the Open Security Exchange says. The OMB has not set a deadline for how long either the transitional cards or those that incorporate legacy technology can be used.

As far as actually issuing the cards, an emerging approach involves a shared service model, in which agencies can sign up to outsource card issuance to a common provider. Initially, USDA's Niedermayer said that the federal government's Executive Steering Committee was looking for agencies that were able to issue cards for other agencies. Then, the government issued an RFP for contractors who could do the work. Vendors were asked to submit plans to start issuing cards to 30 agencies in multitenant facilities in Atlanta, New York City, Seattle and Washington, D.C., by the October deadline. At press time, Niedermayer said the government was still waiting to see who would submit bids by the deadline, which had been extended.

With this development, it remains to be seen whether the government has created one big headache, instead of dozens of small ones. Observers say there is a risk that the cards will not be interoperable or that deadlines will not be met. Indeed, agencies that sign up for the shared service model but are not part of the 30-agency pilot are not likely to have one card issued by the deadline.

"The degree of difficulty is high, and time frames are short," says Linda Koontz, GAO's director of information management issues, who wrote the February GAO report. "You can't, in some respects, fault the OMB for wanting to move aggressively on this, but at the same time there are questions about whether the agencies will be able to meet these deadlines."

To hear Niedermayer describe it, however, those who say the task is insurmountable are simply misinterpreting the deadline. "We make it a lot more difficult than it is," he says pragmatically. "It seems to be such a very difficult, complicated architectural, technological, cultural change that you can't do it. But it's really not that tough. I think the deadlines are achievable. It depends what your expectation is, though. If your expectation is that 1.9 million people are going to have a badge on Oct. 27, that's not achievable. Will the government start rolling out the process to badge 1.9 million people in October? That is achievable."

"Everything that should be known probably isn't known yet, so there's a little bit of a risk," Niedermayer continues. "But agencies don't need to implement the physical access plan right away, so that's not really a pressing issue for the next 12 months."

That interpretation is either the best or the worst thing about the initiative. By expecting agencies to divert funds into standardized technology instead of existing technology, the government saved itself a huge outlay. "There is not a doubt in my mind that almost every single reader on every single door in the federal government will have to be replaced," Defense's Butler says. According to Neville Pattinson, director of marketing and government affairs for smart card provider Gemalto, a typical upgrade of a physical access system costs from $400 to $4,000 per door for readers and the communications systems behind them.

But the government also left itself without much enforcement ability. "It's always hard to create the penalties if it's not a funded program," says Dennis Nadler, CTO of Merlin Technical Solutions, who spent 14 years in the federal government. "What, the Homeland Security guys didn't meet this deadline, so the OMB is shutting down Homeland Security, and no one can get into work?"

From a project management standpoint, the Bush administration's approach (tight deadlines to push agencies and vendors, loose interpretation to ease technical and funding problems) may indeed be the most reasonable. The rub is that the smart cards alone don't necessarily improve much. In trying to implement HSPD 12 in a way that's reasonable, the federal government may end up spending lots on something that doesn't deliver much security or efficiency. Shotgun weddings have a purpose, but that doesn't mean they produce good marriages.

"Unless you have an integrated identity management system in place, and that identity management system is integrated into all your legacy systems, whether they're IT systems or physical access control systems, you're never going to get to your return on investment," Brody says. "That's the really sad part of the whole thing."

Copyright © 2006 IDG Communications, Inc.
