Feds face new HSPD-12 hurdles

Challenges include upgrading building access controls and issuing cards to contractors.

Most federal agencies have set up procedures for issuing secure identity credentials to the more than 1.8 million federal employees, the first big hurdle in the mandatory smart-card program known as Homeland Security Presidential Directive 12. Now Bush administration officials have turned their attention to ensuring that physical access-control systems at federal facilities meet HSPD-12 standards and that contractors can access the buildings without too much hassle. Estimates of the number of federal contractors who work in federal facilities range from 4 million to 10 million.

The Physical Security Working Group has begun developing guidelines that will help agencies upgrade the systems that control entry into federal facilities. A government official who asked not to be named said most agencies will require three to five years to upgrade their access-control systems.

“Agencies need to perform an analysis to determine whether they need to upgrade card readers and other back-end systems such as controllers,” the official said. “Some agencies may want to implement more than one reader to use legacy credentials and systems while they are migrating.”

Meanwhile, another group — the Federal Identity Credentialing Committee (FICC) — is focused on the procedures for issuing HSPD-12 cards to contractors. The committee will recommend ways to ensure that contractors don’t have to wait for new cards or pay for new credentials each time they take on a project at a new agency.

FICC’s objective is to “ensure contractors don’t walk around with a necklace of HSPD-12 cards,” said Judy Spencer, the committee’s chairwoman.

In the next few months, an FICC subcommittee will submit its recommendations to the HSPD-12 Executive Steering Committee on how to handle the reciprocity of contractor credentials.

In the next year, Spencer said, FICC will also draft documents and recommendations for the steering committee on other challenges, including defining what trust means for the HSPD-12 program, ensuring interoperability and compatibility with state and local government and nongovernmental entities that adopt the HSPD-12 card standard, and defining rules for agencies to follow when they exchange employee information.

Credentialing contractors adds a challenging layer of complexity, which is one of the reasons the committee made it a priority, Spencer said.

“Contractors are a bit nomadic, moving from project to project and company to company,” she said. “When a badge is revoked or destroyed, we don’t want the contractor to go through the same process to get a new badge again. We still are early in the analysis, but we hope to find ways to be more efficient and save money.”

The Agriculture Department is already working on that challenge, said Chris Niedermayer, USDA’s associate chief information officer. “We will record as a part of their contract the names of contractors into our human resources system,” Niedermayer said at a recent HSPD-12 event in Washington. “We will collect only enough information to ensure they pass a background check.”

USDA’s system could eventually connect to a larger federated, governmentwide system for validating contractors, he added.

Federation for Identity and Cross-Credentialing Systems

DOD has a fix on the card challenge

Agencies must find ways for federal contractors to change projects without having to get a new identity credential from each agency in which they work. It’s one of the challenges for agencies under the secure credentialing program mandated by Homeland Security Presidential Directive 12 but one that the Defense Department may have already solved.

Industry and DOD launched the Federation for Identity and Cross-Credentialing Systems (FiXs) in 2004 and conducted several successful test programs with companies, including Northrop Grumman, SRA International and EDS.

FiXs verifies and authenticates the identity of contractors seeking to enter U.S. military installations, government-controlled areas and commercial sites linked to DOD networks, said Bob Martin, FiXs secretary.

“If industry follows certain standards and protocols, they can pass credentials across the DOD network,” Martin said, and the way it works is simple. “The sponsoring company captures and holds the employees’ data, and the DOD router at a facility validates the information against that database when an employee tries to enter.”
— Jason Miller