White House gets tough on ID card reader requirements

Beginning Oct. 1, the White House will penalize agencies that fail to outfit facilities and information technology systems with electronic identity card readers by withholding funds for other programs, according to a new White House memo.

Federal employees and contractors are required to carry ID badges embedded with digital fingerprints and photos to access federal buildings and networks, under the 2004 Homeland Security Presidential Directive 12. But agencies have long struggled to employ the electronic features of the badges.

The Feb. 3 Office of Management and Budget guidance directs agency heads to submit implementation policies by March 31 on required uses of the smart cards, and stipulates that funds be frozen at offices that do not follow the rules. The memo stops short of restricting bonuses and awards at agencies that have not fully complied with HSPD-12, a penalty that the nonprofit Center for Strategic and International Studies recommended during the Obama-Biden transition.

The IDs -- mentioned in President Obama's 2009 comprehensive cyber policy review, are to be issued following standard security checks on individuals. Agencies reported they have completed about 5 million background investigations for 5.7 million employees and contractors, and have issued 4.5 million IDs as of December 2010.

"The majority of the federal workforce is now in possession of the credentials, and therefore agencies are in a position to aggressively step up their efforts to use the electronic capabilities of the credentials," OMB Director Jacob Lew wrote in Thursday's memo.

An attachment to the memo from the Homeland Security Department outlines rules for the usage policies, such as a requirement that, effective immediately, all new IT systems must be equipped to read smart cards before the systems go live.

Gregory Schaffer, DHS assistant secretary for cybersecurity and communications, wrote in the attachment, "Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use [the] credentials, in accordance with [National Institute of Standards and Technology] guidelines, prior to the agency using development and technology refresh funds to complete other activities."

By Feb. 25, agencies must designate responsible individuals to ensure the policies are issued, the memo added.

Homeland Security, which last year took over governmentwide cybersecurity operations, will work with the General Services Administration to oversee HSPD-12 implementation, according to the memo.

As recently as March 2010, the Government Accountability Office reported "most agencies had not made full use of the electronic authentication capabilities available on the personal identification verification cards that they had issued or had plans to do so."