As de facto federal CIO and administrator of e-government and IT at the White House's Office of Management and Budget (OMB), Karen Evans is one of those responsible for ensuring that federal agencies meet the requirements of Homeland Security Presidential Directive-12 of August 2004. HSPD-12 requires federal agencies to issue new tamper-proof smartcard identity credentials called Personal Identity Verification (PIV) cards to all employees and contractors by October 2008.
That didn't happen. Four years into the effort, many agencies are struggling with implementation deadlines. A majority missed an 27 October milestone that required them to have completed employee background checks and to have issued PIV cards to all employees with less than 15 years' experience. Evans explained what is going on and why.
What is your message to those that say HSPD-12 implementation deadlines are unreasonably aggressive?
Everybody thinks my deadlines are aggressive regardless of the programme. When I hear the question about HSPD deadlines and whether they are realistic or unrealistic, the way I answer it really is to put it in the context of what the goal of the HSPD project is and what we are trying to accomplish.
HSPD-12 was released as one of six [directives] from the president in response to the 9/11 Commission's recommendations. So when you look at that, and you look at how long it has been since 9/11, I don't believe the deadlines are too aggressive.
If you look at how we laid out the programme, if you look at the result it is intended to do and the problem it is fixing, and when you look at what we were responding to you would ask why weren't we doing it sooner, why weren't we getting it done faster. ...
Are you satisfied with the progress being reported by federal agencies on HSPD-12, considering that a lot of agencies appear to have missed the 27 October deadline for completing background checks and issuing smart ID cards to employees with less than 15 years of service?
We did a conference call to give everybody a heads-up about the October deadline and what we were going to make and what we weren't going to make. The piece that we asked agencies to hold back on [during that call] was the actual credentials themselves. [We told them] what we were going to do is the real critical piece, and you have to really step back and take a look at what you are doing and making sure you are running and have all the background checks in place.
Now also remember the other goal [for the new credential] is interoperability of the credential and the certificates and the information on the cards. We want to make sure that once you got a card issued that it would be truly interoperable.
One of the problems we had was there were actual technical challenges with the certificate itself. So agencies could have issued all of the cards and made the goal, but they would have missed the overall piece, which was ensuring the cards were also interoperable. You don't want to have everyone run out and be compliant and then have everyone turnaround and have to reissue all the cards, so they had the interoperability piece.
So we thought it makes sense [for agencies] to continue working on all the other pieces that need to be in place as we were dealing with this last technical piece with the certificates itself. So when you asked me if I am satisfied with the progress of the agencies, the answer is yes because now I expect to see a dramatic increase in the number of cards that have been issued when we issue this [status] report in December.
Did you say you asked agencies to hold back on issuing the credentials?
We worked with them each quarter with the milestones, and so we also worked with the technical teams that were testing everything. So yeah, we specifically said to agencies, "Look, focus your efforts on these other activities because what we don't want you to do is issue credentials that will not be interoperable."
There were a couple of agencies that were going full steam ahead, and if you were to ask me, I would tell you that it was the Department of State and the Department of Labour. They had worked out all the technical difficulties that they had, and those guys were and continue to issue the credentials.
What will be in the December report that you mentioned?
We released a memo [in October] telling the agencies what we were going to do and how we were going to enhance certain things. Prior to this, all agencies were releasing their status reports on their own websites.
What the OMB is going to do is release a cumulative report that is very transparent about where we are and tracks our progress across government as a whole. Everybody can see exactly where we were as it relates to these milestones and how many credentials actually have been issued and those types of things. It is our intention for the first one to come out in December.
How was the General Service Administration's (GSA) shared-service program for HSPD-12 affected by the move to a new private contractor earlier this year?
That was one of the things that we also highlighted to everyone. The shared-services programme is wonderful because of its economies of scale and its ability to roll out the cards and to do the [interoperability] testing. But the GSA and the contracts and how that went forth did not keep us from meeting the milestone.
When we really looked at the number of agencies that are signed up [for shared services] and we went through all the statistical analysis, we found that [the GSA contracting issues] actually affected only a small percentage of the credentials that needed to be issued. So when you look at it, just because GSA may have delayed a bit because they were doing due diligence like they should have, that did not impact the government overall very significantly.
Do agencies have specific deadlines by when they are supposed to completely phase out non-PIV-compliant cards?
Each agency has a mutually agreed-upon plan. It is going to be on an agency-by-agency basis. That's where we've set up these major milestones, where we know everybody would have gone through these background checks and that the agency has the capability to issue [the new] credentials on a regular routine basis as part of their daily practice. Then they go to phase out the legacy investment just like they would anything else. That's what we have worked with them and negotiated with them on a case-by-case basis. They are going to do it through the normal life cycle of the investment.
When we started, this we said OK three to five years for these types of applications and these types of services. We are now four years into the program, so agencies are updating their plans, and they may have to negotiate [for more time] because there could be extenuating circumstances within their own agencies.
What we are really focused on is for this to become the normal business practice and business process for agencies. We want to build a trust environment so that when I see a credential from one federal agency, I know exactly what the business process is behind that, and I can trust that the person has been vetted the same way that my people have.
So what do you expect the situation to be like a year from now?
My expectation is that all agencies will be issuing credentials on a daily basis as part of their regular business process.