The HSPD12 Access Control Race

In August 2004, President Bush issued Homeland Security Presidential Directive-12 (HSPD-12), which requires federal agencies to set up one identification system for all staff and contractors who have access to sensitive facilities or information. The move to stiffen access control for several million people who work for the U.S. government and its contractorspart of post-9/11 efforts to beef up security at federal installationshas set off a scramble by 2 dozen agencies seeking to comply by October’s deadline.

The directive means that the agencies need to reassess the way they check worker backgrounds and issue IDs, and then tailor those checks to comply with a new set of criteria that the National Institute of Standards and Technology issued last February.

Those criteria, called the Federal Information Processing Standard, specify that agencies must initiate in-depth background checks for all new and existing employees with access to sensitive information; that new ID cards must include biometric measures such as an iris scan or fingerprint; that such personal information must be encrypted to ensure employees’ privacy; and that new equipment is installed and in place by Oct. 27, 2006.

Alex Conant, White House Office of Management and Budget spokesman, says all 24 agencies met an interim deadline last October to modify the way they checked workers’ backgrounds and issued IDs.

That was the easy part. The real test will be this October. Picture a sea of new badges and myriad doorway checks, and you’ve got an interesting Monday morning on Oct. 30 at federal sites around the nation.

Countdown to New IDs

President Bushs directive for access control systems gave federal agencies two years to implement them. A timeline:

Feb. 25, 2005: The National Institute of Standards and Technology issued identification standard. Approved by Commerce Department.

Oct. 27, 2005: Agencies modified ID proofing processes to comply with new standard.

Oct. 27, 2006: Agencies must implement new systems and issue new ID cards.

Consultant Jim Ganthier, global director of defense, intelligence and public safety solutions at Hewlett-Packard, notes that many agencies are working on assessments of their access control procedures, “so they’re not surprised later or, more important, so they don’t end up with a technological dead end.” Ganthier adds that those agencies that have to rip and replace their systems face big hurdles.

Challenges include rearranging plans when NIST updates its standard, as officials expect.

Barbra Symonds, director of the IRS Privacy Office, serves as HSPD-12 program manager. Symonds says the IRS has organized a program management office dedicated to HSPD-12 compliance, with a staff of 10 as well as a deputy program manager. The staff likely will increase to help meet the October deadline, for which Symonds is optimistic. “We don’t see any roadblocks that would stop us from getting there,” she says. “More than likely we’ll be sweating down to the wire with all the other federal agencies.”