Federal agencies continue to miss by a wide margin the implementation deadlines for an ambitious government-wide smart card identity credential initiative designed to shore up the security of federal networks and facilities.
The most recent deadline passed on October 27. By then, agencies were supposed to have finished issuing new Personal Identity Verification (PIV) smart cards to all their employees and contractors under a 2004 presidential directive, Homeland Security Presidential Directive-12 (HSPD-12).
Of the more than 5.5 million federal employees and contractors that were supposed to have been issued PIV cards by that date, less than 1.6 million -- or 29% -- actually did get them, according to numbers by the White House Office of Management and Budget (OMB), which is overseeing the effort.
HSPD-12 is an unfunded mandate that calls for a government-wide standard for identifying federal employees and contractors. It mandates comprehensive background checks of all government employees and requires the use of a common identification credential (PIV smart cards) for access to government computer systems and facilities.
The cards are based on a standard developed by the National Institute of Standards and Technology (NIST) and are required to be interoperable across government, meaning a PIV card issued by one agency can be read and verified by another agency's authentication systems.
Under the multi-phased roll-out, federal agencies were required to have implemented a background check process and started issuing cards by end of October 2006, finished issuing the cards in October 2007 to all employees with less than 15 years service, and have completed the roll out this year. However, as with this time, federal agencies have missed previous deadlines by wide margins.
Not all agencies' progress on implementation is equal. Agencies identified by the OMB as making the most progress were the Departments of Defense, Labor and State, the Social Security Administration and NASA. As of October 27 of this year, the State Department had issued cards to about 21,500 of its more than 27,700 employees and contractors. Similarly about 1.2 million of the DoD's total of nearly 3.8 million employees and contractors had been issued PIV cards by that date, while the SSA had issued it to more than 70,000 of its 86,000 or so individuals.
In contrast the US Department of Homeland Security had issued the cards to just 1,200 of its over 255,000 employees and contractors while the Veterans Administration had rolled it out to barely 6000 of over 450,000 individuals who are required to have the cards. Many agencies have yet to finish even their background check process, which in HSPD-12-speak is called the National Agency Check and Inquires (NACI) process.
While well below the original HSPD-12 implementation target, the government-wide numbers still represents a significant improvement compared with a few months ago. As of March 1 of this year only 3.3%, or about 143,000, of all federal employees had been issued the required credentials; 2.9% or 36,000 of federal contractors had gotten one just months ago.
The relatively slow progress that agencies are making is not entirely unexpected. From inception, several security analysts and federal IT managers have said that the implementation deadlines spelled out under HSPD-12 were far too aggressive and unrealistic given the enormity of the technology and process changes that were needed.
At the time the mandate was issued, there was not even a single common technology standard that could be readily adopted by federal agencies. It was left to the NIST to quickly develop a standard, which vendors then needed to use to build HSPD-12 compliant products that could be tested and certified before use. HSPD-12 also has required a lot of cooperation between groups within agencies that have traditionally not worked with each other, such as human resources, physical security and IT -- a task that some have warned could prove challenging.
The OMB has been trying to spur things along by offering guidance and getting agencies to submit periodic updates of their progress or lack thereof. In a statement released on October 31, the OMB said it was recommending corrective actions to agencies struggling to meet the deadline and have asked for updated plans by November 17 that spell out how they exactly they plan to meet HSPD-12 requirements.