No, GPO doesn't have to print your secure IDs
Companies say agencies are losing access to innovation by giving secure credential work to GPO, in an apparent misreading of the law.
Is it a tale of government helping government or one of private innovation getting crowded out by bureaucratic confusion?
On Oct. 21, the House Oversight and Government Reform Committee heard from Davita Vance-Cooks, director of the Government Publishing Office; GPO's inspector general; and representatives from the private sector who said GPO's work threatens to kill their business and weaken the security of feds' identification cards.
Kathleen Carroll, HID Global's vice president of corporate affairs, and James Albers, MorphoTrust USA's senior vice president of government operations, told lawmakers that agencies have been citing Title 44 of the U.S. Code as the reason they not only can but must skip competitive sourcing and give secure credential projects to GPO.
Agencies are misreading the law, perhaps willfully, witnesses said.
Vance-Cooks said, "We are a choice, and agencies are not required to use us" for secure credential work.
In response to a State Department letter alleging that Title 44 forced it to direct work to GPO, she said, "I think that if you look at the evidence, the State Department doesn't even believe what it wrote."
On the other hand, Vance-Cooks noted that "by law, the GPO can only cover its costs," which means it can potentially save agencies money.
In the course of the hearing, specific numbers were thrown out, and at each turn, private-sector representatives quoted lower costs and better electronic read rates than GPO (though the quotes were for a variety of card types).
Carroll made the case that secure cards are part of a bigger technological ecosystem that includes readers and connected infrastructure -- an ecosystem the private sector might be better equipped to handle.
Several lawmakers berated Vance-Cooks for delays in releasing GPO-dependent equipment, including card readers for the Transportation Worker Identification Credential, to the appropriate locations.
"I've never seen a more screwed-up program in my entire life," said Rep. John Mica (R-Fla.), who also criticized a GPO-printed ID for lacking certain components and looking "like it came out of a Cracker Jack box."
Vance-Cooks said GPO takes advantage of "the best of the best innovation" but admitted to employing fewer than five people for research and development into secure credentials.
Committee Chairman Jason Chaffetz (R-Utah) praised the private sector's ability to innovate on the basis of competition, though by the end of the hearing, he also praised Vance-Cooks for restoring his confidence in GPO with her testimony.
GPO IG Michael Raponi noted that audits had turned up a few compliance issues, but most of those issues were being rapidly addressed.
Chaffetz said he might be interested in amending Title 44 to clarify that agencies are not obligated to use GPO for secure credentials but can and perhaps should look to the private sector for solutions.
NEXT STORY: CIOs Talk: Cybersecurity Isn't Just About Tech