Challenges remain in switch to governmentwide ID security system

Federal agencies still are struggling to implement a governmentwide strategy for securing employee login credentials and smart card IDs, General Services Administration representatives said Wednesday.

Under a February 2011 directive from the Office of Management and Budget, all executive branches were supposed to have aligned themselves with Federal Identity, Credential and Access Management by last October. FICAM standards are based on a President George W. Bush-era Homeland Security Presidential Directive for streamlined and more secure verification procedures within the federal government.

In fact, little progress has been made.

Deborah Gallagher, director of GSA's identity assurance and trusted access division, noted Wednesday at a conference at the International Spy Museum in Washington that federal security has become so fragmented that some agencies are "almost issuing their own cards just for access to the cafeteria."

Gallagher questioned why her boss has to be screened whenever he walks into one of the thousands of Washington-area federal buildings that GSA oversees, and noted the need for an easier verification system for government workers.

A key question concerning blanket identity proofing, according to Gallagher, is how much to automate and at what level to establish trust.

The FICAM roadmap mandates that agencies switching to OpenID systems for easier website logins must "connect authoritative data sources and share data with the shared infrastructure." But defining "authoritative" raises its own challenges, explained Anil John, a GSA expert on digital security and service orientation.

" 'Authoritative' is definitely in the eye of the beholder," John said. "No data is clean, unless you are the agency that has perfected master data management. And I want to talk to you if you have."

Though the federal government is not specifically required to use the OpenID blanket identification method for anything besides allowing citizens to log on to dot-gov websites, he said the system as it applies to mobile devices is a promising avenue for the government to explore. Still, government is reluctant to lead the charge.

"We want someone else to bleed first," John said, explaining why the government will follow the lead of independent app makers rather than blaze a mobile trail on its own.

The U.S. government currently manages IDmanagement.gov, a website that provides free FICAM implementation guidance to federal agencies. John said the site, however, is "content-challenged at this point."

"It's kind of like digging for gold in the Old West," he said. "We know there's gold in them thar hills, but finding it is a whole separate story."

Recently, the Justice Department hit a snag in its own attempts to initiate FICAM, failing to justify its decision to use a more expensive contractor for the initiative's IT operations.