Access ControlHSPD-12: Slow Out of the GateBy Sarah D. Scalet Product testing, contract process hold up worker smart cards ACCESS CONTROL Its been called the biggest access control project ever. As of last October, most federal agencies were required to start issuing standard identification cards that could be used for both physical and logical access to government facilities. The idea behind the order, known as Homeland Security Presidential Directive 12 (HSPD-12), is to create a highly secure, standard ID card that is recognized and trusted across the government. The Federal Information Processing Standard 201, known as FIPS 201, sets out strict rules for how agencies must meet HSPD-12. (See our coverage at www .csoonline.com\/080106.) Implementing the ambitious standard has not been easy, and most of the agencies that are technically in compliance have only barely begun. (See chart.) One reason for the slow rollout: At the October deadline, the General Services Administration was still working on its test tool for determining whether a given smart card was interoperable with other components, says Michael Butler, chairman of the Federal Smart Card Interagency Advisory Board and the Department of Defenses access card office director. Once the tool was completed, all players could test their implementations. Butler adds that during January and February, both vendors and federal agencies were busy making tweaks to their Personal Identity Verification (PIV) cards. Now, were getting to the point where at least when you talk to [one vendor or agencys card], its going to give the same answers back in the same format as [another vendor or agencys card]. Thats really the basis for future interoperability, Butler says. Another wrinkle: The GSA, which as a shared service provider is issuing PIV cards to other agencies for a fee, is renegotiating its contract with BearingPoint, the consulting and systems integration company it hired to issue the cards. Chris Niedermayer, a member of the Executive Steering Committee running the project governmentwide, says the contract was put out again not because of BearingPoints performance, but because another vendor protested the contract. Niedermayer, who is associate CIO at the U.S. Department of Agriculture, says that his agency, at least, is not getting any additional new PIV cards from the GSA while the contract is being recompeted. He anticipates that card issuance will restart in July and said the delay could have a plus: He expects the new contract to cost less than the current $120 per person. In the meantime, the USDA has successfully tested the cards using an electronic physical access system at a security turnstile. The department also has set up a test environment for using that same card with a single-sign-on system for users to access up to 236 software applications. Considering what a major change all of this is, Niedermayer says, I think the federal government has done very well in terms of stepping up and getting things started.