HSPD-12: United States of Access Control

The nuptials are set for Oct. 27, 2006. That’s the day by which every agency in the U.S. government is supposed to be issuing smart cards that will marry physical access control and logical access control. The plan, mandated by Homeland Security Presidential Directive 12 (HSPD 12), is that all 5 million-plus federal employees and contractors eventually be given a common identification card that can be used anywhere and everywhere. At the front door of the federal building where the employee works. With single sign-on to computer systems. As part of three-factor authentication involving biometrics. On visits to headquarters or neighboring agencies.

“It’s a good idea, and we’ve got to do it,” says Bruce Brody, former CISO for the U.S. Department of Veterans Affairs and before that the Department of Energy, who’s now VP for information security at the consultancy Input. “Getting off of passwords and getting to multifactor authentication, that’s where the government has to go” to improve security in the long run.

The much-anticipated day could be the shiny, happy moment in security convergence history, with the government unveiling a system that improves not only security but also efficiency, thus driving adoption by the private sector. Instead, however, the looming deadline has federal agencies in agony, the physical security community in chaos and the White House on the defensive.

Both vendors and federal agencies are complaining that policy-makers are providing too little, too late in terms of guidance. According to a survey released by Input in June, almost half of federal IT security executives still did not have a complete plan in place or feel that the government was providing enough clarity for them to comply. Another pain point: They can’t find funding for the mandate, which could cost millions.

At Veterans Affairs, which is an early adopter of smart card technology, HSPD 12 Program Manager Joseph Bond is so far from being able to set up standardized physical access control that he still has facilities where employees need multiple cards to enter different parts of one building. “Our legacy system is really unwieldy at this point, and I have no influence over when those legacy systems will be brought up to speed,” he says.

At the U.S. Department of Interior, CIO Hord Tipton is no more encouraging. Despite the fact that HSPD 12 specifically references physical access, Tipton wrote in an e-mail to CSO, “Physical access is not clearly on the scorecard.”

Meanwhile, physical access control vendors are struggling to create products that simply didn’t exist before, while at the same time transforming themselves into businesses governed by standardsthis when the U.S. General Services Administration has left them waiting for technical specs and approval. “The cart is before the horse,” says Mark Visbal, director of research and technology at the Security Industry Association, which represents dozens of access control vendors. As of early June, he says, “We have a good idea what [GSA is] asking for, but it’s not finalized.” To add to the confusion, GSA arcana initially made it unclear even whether these emerging products must be classified as security or IT products, lengthening an already tangled procurement process.

Through a spokeswoman, the Office of Management and Budget’s Karen Evansthe Bush administration’s top administrator for e-government and ITinsists that the deadline is not changing and that missing it is not an option. But observers indicate that many agencies missed an earlier deadline. According to a Government Accountability Office report released in February, agencies studied were still struggling to meet last October’s supposedly easier HSPD 12 deadline, meant to standardize background check processes. The GAO went on to say that product testing may not be completed within the deadlines, further delaying progress. And because agencies are supposed to find funding within their existing budgets, the OMB has little leverage on those that fall behind. (Evans declined multiple requests to be interviewed for this story.)

“It’s a train wreck,” Brody says. “This thing is of enormous complexity, and the deadlines are just too aggressive. These departments are really struggling with this unfunded mandate. With the Oct. 27 deadline, you’re already seeing a little bit of tap dancing in terms of changing what it means to be ‘compliant.'” More and more, it seems, the spirit of the law may give way to the letter.

Chris Niedermayer, associate CIO of the U.S. Department of Agriculture, is confident that his department will be among those that start issuing the ID cards by the deadline. But even Niedermayer, who is a member of the Executive Steering Committee running the project governmentwide, acknowledges that those cards aren’t likely to be read by anything but eyeballs anytime soon.

“What the rules say is that you start by issuing compliant cards; then you start integrating use of those cards into your physical and logical architecture,” Niedermayer says. For the meantime, “we’re still going to use [the smart card] at most of our places as a dumb card.”

So much for the champagne.

Inside the Bowels of HSPD 12

HSPD 12 is a deceptively simple, 724-word document signed by President Bush in August 2004. It doesn’t even contain the word card, let alone smart card. It doesn’t talk about biometrics, or encryption, or multifactor authentication. It doesn’t mention background checks.

What it does instead is mandate something that everyone agrees is a very good idea: that government employees and contractors be given a “secure and reliable form of identification” that can be recognized and trusted between agencies, and that grants the individual “physical access to federally controlled facilities and logical access to federally controlled information systems.” The directive puts OMB in charge of issuing guidance and ensuring compliance, and the U.S. Department of Commerce in charge of creating the standards.

Within six months of being signed, that two-page directive turned into hundreds of pages of instructions, the centerpiece of which was created by the National Institute of Standards and Technology (which is part of Commerce). This standard is called the Federal Information Processing Standard 201, Personal Identity Verification of Federal Employees and Contractors. It’s referred to as FIPS 201.

The standard is split into two parts. The first part is supposedly the easy part. It establishes processes for making sure that identification is issued only to individuals who have met certain requirements, like having a background check done. The idea is that if these processes are standardized, it will be easier for one agency to trust a card issued by another.

The second part of FIPS 201 is more complicated. It is the technical part of the standard and establishes smart cardswhich contain a microprocessor that can both store and process dataas the new form of identification. Part two of FIPS 201 lays out not only the physical format of the credit card-sized cards but also cryptographic, biometric and card reader specifications. It contains what seems like an impossible level of detail about the cards, right down to font size (5 pt., 6 pt. and 10 pt.).

You’d be crazy to know any more about FIPS 201 than you have to, but a few components are key:

1. The cards must be capable of being read in two ways: with a “contactless” reader and a “contact” reader, both of which must meet International Organization for Standardization (ISO) standards. The contactless reader is intended for situations where speed is keyto allow cardholders to pass quickly through, say, the main entrance to a building without creating long lines. The contact reader is intended for higher-security applications where speed is less important and there’s time for the card to be physically inserted.

2. The cards must contain a biometric componentin addition to a photograph, templates of two fingerprints. However, these templates must be available only when the card is physically inserted into a reader and the cardholder punches in a PIN. This setup assuages privacy concerns about, say, the image of a fingerprint being stolen from someone’s card as he walks by. It also means that in any situation where biometrics are used, there is three-factor authentication: something the individual has (the card), something he knows (the PIN) and something that’s part of him (a fingerprint).

3. The cards must contain a unique identifier. Remember, up until now, each agencyand usually, each location of each agencywas on its own for issuing access cards. The new smart cards will eventually be rolled out to millions of federal employees and contractors. For the systems to keep cardholders straight, each card must contain a credential number, a digital signature and an expiration date.

All of this is no cheap affair. The Smart Card Alliance, a trade group, estimates that just issuing the cards alonenot counting the associated background checks and policy changescould cost close to $50 a person. Multiply that by 1.9 million federal employees and contractors outside of the Department of Defense, and 3.5 million within it, and you quickly end up with a price tag of $270 million. And that’s not counting the infrastructure upgrades that will be necessary for agencies to actually use the cards.

If you suspect one more acronym is coming, you’re right. The whole thing is, in short, a BHAGbig, hairy, audacious goal. And the government wants it done. Fast.

The deadline for the first part of FIPS 201 was Oct. 27, 2005. In its February report, the GAO indicated that agencies studied were still working on this requirement, but progress was good enough that the OMB declared everyone had complied. The bigger deadline, for part two, is Oct. 27 of this yearthe day of the aforementioned nuptials. There’s just one problem. The technology is only just being developed.

For the card system to be truly interoperable, more than a dozen pieces of technology have to work in concertfrom smart cards to readers to card management systems to physical and logical access control systems. But legacy physical access control systems, for instance, can’t support the extra data on the smart cards, and their proximity readers usually function on a different wavelength. The biometrics industry has been using a mishmash of methods to store and validate fingerprint templates on smart cards, all of which are proprietary. And it turns out that none of the existing smart card deployments in the federal government are compliant with the new standards.

All of this means that this summer, NIST was still in the process of testing whether new product lines conform with the standards, and the GSA was still testing whether new products work togetherthis when the government procurement process alone typically takes months. On the last day of June, OMB announced that the first nine products, from five vendors, had been approved. Meanwhile, agencies had been sitting on their hands. (GSA did not respond to a request for an interview.)

“You can’t establish a FIPS 201compliant system unless it’s composed of products off [the GSA] product list,” explained Bond, from Veterans Affairs, in early June. “If you don’t know what’s on that approved product list, you can’t build your system. There are a number of agencies and departments who had started [working on smart card systems] before FIPS 201 that are literally waiting because they don’t know what’s going to be on the list.”

Of course, part of this is just how the standard-making process works. The government decides it wants to make a change, codifies it and pushes it forwardcausing pain along the way but eventual improvements. But the vast scope of and short time line for HSPD 12 have made the pain especially acute and even called into question whether the program isn’t bound to fail.

“A project like this has never been done before, particularly on this scale,” says Randy Vanderhoof, executive director of the Smart Card Alliance. “It’s not pointing fingers at the government as much as it is that taking on this projectdefining this HSPD 12 interoperable card platformwas I think much more than the policy writers anticipated. And now that they’re in the midst of it, there’s no turning back.”

A Proprietary Jungle

Michael Butler got his introduction to smart cards almost 10 years ago, when he went to work for a Navy office with a smart card program. “My predecessor had installed about seven smart card systems, and they were the most painful part of my job,” recalls Butler, a former Navy officer with a master’s degree in computer engineering. “Every time [there was an upgrade]like if I bought a new card version from the manufacturermy physical security system quit working. Usually it was when some admiral or general was around. I had to go to every reader, in every building, and update the firmware and the readers.”

This has long been the complaint about physical access control systems: that multiple systems, even from one manufacturer, don’t always work together. Since those days with the Navy, Butler, now the access card office director at the U.S. Department of Defense, has been trying to get the physical security community to move toward a standards-based model. In 1998 he helped form the Government Smart Card Interagency Advisory Board, which persuaded a major smart card chip manufacturer to put a handful of ISO commands on its cards. They were simple commands, like “get data” and “write.” But they cracked open a door, and a couple other manufacturers agreed to throw the commands onto their chips too.

“All of a sudden, we have competition,” says Butler, who now oversees the largest smart card installation in the federal government, with 3.5 million cards in circulation. (Butler has since taken a six-month assignment at GSA, where he will help with the technical aspects of HSPD 12 implementation.) The competition is a very good thing if you’re a government agency trying to make taxpayer dollars go a long way; it’s not such a good thing if you’re a vendor who’s used to a steady stream of revenue off a proprietary system.

In the IT world, of course, standards were what always made things work. The physical vendor community is only now starting to accept this. “If you look at something like Wi-Fi on the IT side, everybody’s Wi-Fi works the same,” says Gary Klinefelter, chairman of the Open Security Exchange, which was created by physical and information security vendors to create interoperable security products. “I can take my computer to anybody’s building or hotel, and it works. But that same kind of standardization doesn’t exist on the physical security side today. One of the big things that the government mandate will do for us is create a set of cards and readers that are interoperable.”

The technical hurdles are not insignificant. People like Visbal, from the Security Industry Association, could wax poetic for hours about the difference between, say, the 125 kilohertz proximity cards in wide use and the 13.56 megahertz smart cards specified in FIPS 201. Or about why one common protocol for proximity cards supports only 64,000 unique ID card numbers, not the millions required by FIPS 201. Or about how fire safety issues in the physical security world slow down the product development process. But the writing is on the wall. Standardizationand along with it access control convergenceis coming.

“They’re making us go to TCP/IP, LAN, WAN deployable systems, not just for access control but also for digital systems,” Visbal says of what the government is doing. “They’re forcing our hand.”

Reality in the Field

Back at federal agencies, though, the changes are no less daunting. Butler says it’s only been within the past year that the Department of Defense has started to overcome the cultural challenges of bringing together the teams responsible for physical access control and logical access control. “When I used to go to my physical security meeting, I used to sit down with my physical security team members who’d say, ‘Oh, the geek has showed up.'”

While the directive refers matter-of-factly to a combined card for physical access and logical access, the reality is that this kind of converged access control project has simply never been done on any broad scale. And one of the particular ironies is that the agencies that are perhaps in the best position to actually issue FIPS 201compliant cards don’t have toat least not right away. That’s because OMB decided that agencies that had already made significant investments in smart card deployments could issue “transitional” cards, rather than FIPS 201 cards. Both the Department of Defense and Veterans Affairs, along with a handful of other agencies, are getting what one vendor calls a “get out of jail free” card from OMB for the October deadline.

At Veterans Affairs, for instance, Bond says the agency had already invested millions of dollars in a system that, among other things, doesn’t support the new biometric requirement. “If we were to become FIPS 201 compliant, we would have to literally throw away millions of dollars of equipment and card stock,” Bond says, “and OMB says that it doesn’t make sense to throw away that stuff.”

What’s more, the new cards at Veterans Affairs will be compatible with maybe 60 percent of the existing physical access control systems throughout the agency. “Anytime we go to upgrade a facility, we will make sure that the system is in compliance,” Bond says. “In the interim, you will have noncompatible systems which will require separate badges to exit and enter different parts of the facility.”

Some other agencies that do have to start issuing FIPS 201compliant cards by October are likely to find a different workaroundincorporating their legacy technology onto the new smart cards. This might involve, say, slapping an old magnetic stripe onto a new card. That makes the new card not so much one card that does everything but two cards in one. “It becomes a migration strategy,” Klinefelter of the Open Security Exchange says. The OMB has not set a deadline for how long either the transitional cards or those that incorporate legacy technology can be used.

As far as actually issuing the cards, an emerging approach involves a shared service model, in which agencies can sign up to outsource card issuance to a common provider. Initially, USDA’s Niedermayer said that the federal government’s Executive Steering Committee was looking for agencies who were able to issue cards for other agencies. Then, the government issued an RFP for contractors who could do the work. Vendors were asked to submit plans to start issuing cards to 30 agencies in multitenant facilities in Atlanta, New York City, Seattle and Washington, D.C., by the October deadline. At press time, Niedermayer said the government was still waiting to see who would submit bids by the deadline, which had been extended.

With this development, it remains to be seen whether the government has created one big headache, instead of dozens of small ones. Observers say there is a risk that the cards will not be interoperable or that deadlines will not be met. Indeed, agencies that sign up for the shared service model but are not part of the 30-agency pilot are not likely to have one card issued by the deadline.

“The degree of difficulty is high, and time frames are short,” says Linda Koontz, GAO’s director of information management issues, who wrote the February GAO report. “You can’t, in some respects, fault the OMB for wanting to move aggressively on this, but at the same time there are questions about whether the agencies will be able to meet these deadlines.”

To hear Niedermayer describe it, however, those who say the task is insurmountable are simply misinterpreting the deadline. “We make it a lot more difficult than it is,” he says pragmatically. “It seems to be such a very difficult, complicated architectural, technological, cultural change that you can’t do it. But it’s really not that tough. I think the deadlines are achievable. It depends what your expectation is, though. If your expectation is that 1.9 million people are going to have a badge on Oct. 27, that’s not achievable. Will the government start rolling out the process to badge 1.9 million people in October? That is achievable.”

“Everything that should be known probably isn’t known yet, so there’s a little bit of a risk,” Niedermayer continues. “But agencies don’t need to implement the physical access plan right away, so that’s not really a pressing issue for the next 12 months.”

That interpretation is either the best or the worst thing about the initiative. By expecting agencies to divert funds into standardized technology instead of existing technology, the government saved itself a huge outlay. “There is not a doubt in my mind that almost every single reader on every single door in the federal government will have to be replaced,” Defense’s Butler says. According to Neville Pattinson, director of marketing and government affairs for smart card provider Gemalto, a typical upgrade of a physical access system costs from $400 to $4,000 per door for readers and the communications systems behind them.

But the government also left itself without much enforcement ability. “It’s always hard to create the penalties if it’s not a funded program,” says Dennis Nadler, CTO of Merlin Technical Solutions, who spent 14 years in the federal government. “What, the Homeland Security guys didn’t meet this deadline, so the OMB is shutting down Homeland Security, and no one can get into work?”

From a project management standpoint, the Bush administration’s approachtight deadlines to push agencies and vendors, loose interpretation to ease technical and funding problemsmay indeed be the most reasonable. The rub is that the smart cards alone don’t necessarily improve much. In trying to implement HSPD 12 in a way that’s reasonable, the federal government may end up spending lots on something that doesn’t deliver much security or efficiency. Shotgun weddings have a purposebut that doesn’t mean they produce good marriages.

“Unless you have an integrated, identity management system in place, and that identity management system is integrated into all your legacy systemswhether they’re IT systems or physical access control systemsyou’re never going to get to your return on investment,” Brody says. “That’s the really sad part of the whole thing.”