Federal agencies miss smart card ID deadlines by wide margin

2004 presidential directive has resulted in only 29% of federal employees and contractors receiving cards, OMB says

Federal agencies continue to miss by a wide margin the implementation deadlines for an ambitious government-wide smart card identity credential initiative designed to shore up the security of federal networks and facilities.

The most recent deadline passed on Oct. 27. By then, agencies were supposed to have finished issuing new Personal Identity Verification (PIV) smart cards to all their employees and contractors under a 2004 presidential directive, Homeland Security Presidential Directive-12 (HSPD-12).

Of the more than 5.5 million federal employees and contractors who were supposed to have been issued PIV cards by that date, less than 1.6 million -- or 29% -- actually did get them, according to numbers by the Office of Management and Budget (OMB), which is overseeing the effort.

HSPD-12 is an unfunded mandate that calls for a government-wide standard for identifying federal employees and contractors. It mandates comprehensive background checks of all government employees and requires the use of a common identification credential (PIV smart cards) for access to government computer systems and facilities.

The cards are based on a standard developed by the National Institute of Standards and Technology (NIST) and are required to be interoperable across government, meaning a PIV card issued by one agency can be read and verified by another agency's authentication systems.

Under the multiphased rollout, federal agencies were required to have implemented a background check process and started issuing cards by end of October 2006, finished issuing the cards in October 2007 to all employees with less than 15 years service and have completed the roll out this year. However, as with this time, federal agencies have missed previous deadlines by wide margins.

Not all agencies' progress on implementation is equal. Agencies identified by the OMB as making the most progress were the Departments of Defense, Labor and State, the Social Security Administration and NASA. As of Oct. 27 of this year, the State Department had issued cards to about 21,500 of its more than 27,700 employees and contractors. Similarly, about 1.2 million of the DoD's total of nearly 3.8 million employees and contractors had been issued PIV cards by that date, while the SSA had issued it to more than 70,000 of its 86,000 or so individuals.

In contrast, the U.S. Department of Homeland Security had issued the cards to just 1,200 of its over 255,000 employees and contractors while the Veterans Administration had rolled it out to barely 6,000 of over 450,000 individuals who are required to have the cards. Many agencies have yet to finish even their background check process, which in HSPD-12-speak is called the National Agency Check and Inquiries (NACI) process.

While well below the original HSPD-12 implementation target, the government-wide numbers still represents a significant improvement compared with a few months ago. As of March 1, 2008, only 3.3%, or about 143,000, of all federal employees had been issued the required credentials; 2.9% or 36,000 of federal contractors had gotten one just months ago.

The relatively slow progress that agencies are making is not entirely unexpected. From inception, several security analysts and federal IT managers have said that the implementation deadlines spelled out under HSPD-12 were far too aggressive and unrealistic given the enormity of the technology and process changes that were needed.

At the time the mandate was issued, there was not even a single common technology standard that could be readily adopted by federal agencies. It was left to the NIST to quickly develop a standard, which vendors then needed to use to build HSPD-12 compliant products that could be tested and certified before use. HSPD-12 has also required a lot of cooperation between groups within agencies that have traditionally not worked with each other, such as human resources, physical security and IT -- a task that some have warned could prove challenging.

The OMB has been trying to spur things along by offering guidance and getting agencies to submit periodic updates of their progress or lack thereof. In a statement released on Oct. 31, the OMB said it was recommending corrective actions to agencies struggling to meet the deadline and have asked for updated plans by Nov. 17 that spell out how they exactly they plan to meet HSPD-12 requirements.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon