DOD blazes HSPD-12 trail

Civilian agencies can benefit from lessons learned by DOD about merging physical and IT security.

When it comes to security convergence, the Defense Department might have a lot to learn, as DOD officials insist, but it knows more than most agencies.

Federal officials expect agencies to develop converged systems for controlling access to buildings and systems by using the personal identity verification (PIV) cards required by Homeland Security Presidential Directive 12 (HSPD-12). However, most civilian agencies are still struggling through the early stages of issuing cards, according to a report by the Government Accountability Office issued in April. The report cites numbers from the Office of Management and Budget that show, through the end of March, that agencies had issued cards to only 3 percent of the eligible employees and contractors.

DOD, which developed a smart ID card years before HSPD-12, had a head start. At the end of 2007, DOD had issued more than 13 million Common Access Cards to active-duty, reserve and National Guard military employees, in addition to DOD civilian employees and eligible DOD contractors. The main challenge now is retrofitting CAC to meet HSPD-12 requirements.

More recently, DOD has been working to marry the logical and physical access capabilities of new HSPD-12-compliant CAC cards, running prototype systems at 10 test sites throughout DOD. Those test projects do not provide a sufficient base from which to derive any comprehensive standard practices, said Frank Jones, director of the Personnel Identity Protection Solutions Division at the Defense Manpower Data Center. However, Jones and other experts have said that the early work produced valuable lessons learned for defense and civilian agencies looking to implement converged solutions.

Plan, discuss and negotiate

GAO and Jones emphasized the importance of having a plan.

GAO’s report faulted OMB for not requiring agencies to develop plans for how they would use the full capabilities of the cards. Until that happens, “HSPD-12’s objectives of increasing the quality and security of ID and credentialing practices across the federal government may not be fully achieved,” the report states.

Jones said agencies need a comprehensive plan that outlines the deployment strategy, the expected benefits and the issues that might arise during deployment. It’s important that all stakeholders who will be affected by the use of the new card be involved in that planning from the beginning, Jones said.

Extensive planning is also needed if an organization wants to take advantage of capabilities the HSPD-12 credential provides beyond straightforward access privileges, said Jerry Byrnes, manager of biometrics technology and strategic planning at Fujitsu Computer Products of America. “It can be used for higher-end goals such as disallowing someone access to the computer network unless they’ve also been registered using the same card to get through the door,” Byrnes said. “But those kinds of things do need to be planned for.”

One problem to expect is a culture clash. People who focus on physical security and those who work on information technology typically operate as separate entities, experts say. Converged security solutions require them to work together. The organization “needs to express a firm commitment to a high grade of both physical and logical security,” said Mo Hess, global security segment manager at TAC, an access control security company. “Then you need to force both sides into deciding what is best for the entire entity, and both have to accept that something needs to be done.”

Call in the big guns

Reaching that consensus requires the involvement of executive decision-makers in the planning, not just technical people. At DOD, HSPD-12 activities have been managed by the department’s chief information officer and the Office of the Undersecretary of Personnel and Readiness.

Ideally, the push for converged security should come from both the top and from the grass-roots of an organization, said Brian Kitzmiller, the Defense Manpower Data Center’s account executive at EDS, which has been supporting the CAC program since 2001. “But the problem with the grass-roots is you always have the likelihood of someone saying no,” he said. “You need people from higher up in the hierarchy to say just how important security is.”

That senior leadership is important even at DOD, Kitzmiller said. When military agencies were deemed not to be moving as quickly as they could have, a directive was issued last year on the use of HSPD-12 credentials that speeded the process again, he said.

A bottom-up approach simply doesn’t work, said Brian Contos, chief security officer at ArcSight. Direction must come from an agency’s top levels because everything associated with these kinds of security decisions must be “put into a risk bucket” and decided from a strategic perspective, he added.

“That senior-level support is needed for agencies to define what their strategic goal is going to be beyond what is needed just for HSPD-12 compliance,” Contos said.

Make it work for everyone

A deployment plan must account for the requirements and challenges unique to individual sites, Jones said.

An agency should assess existing systems for controlling both logical and physical access to see if they are capable of operating with the new card and determine what middleware upgrades might be needed. Security experts also need to make sure that the security applications are capable of using the information obtained from the card.

That assessment is especially important for organizations such as DOD, which already has an extensive but not necessarily uniform infrastructure in place to use cards. Some civilian agencies, such as the State Department, might face similar problems.

“Before, if you went from base A to B to C, you’d find a range of applications and [card reader] frequencies, and a nonstandard ability of the back-end system to record the information,” Jones said. “This new card takes us to a standard operating process and standard frequencies that the card works with.”

Unlike in the past, there’s not a lot of latitude for agencies to go outside of the card specifications for these systems, Jones said. For that reason, he added, it’s also important that geographically dispersed organizations, such as DOD, NASA and the Interior Department, make sure that even the smallest and most remote offices are involved in those planning decisions.

Agencies should see what they have in place now that can be modified, said Bill Erwin, program manager for HSPD-12 at the General Services Administration. In some cases, they already have equipment such as card readers that might be able to be used immediately, and in others, a small software upgrade is all that might be needed.

“We’ve found that there are relatively few systems that need to be completely torn out and replaced,” Erwin said.

Watch the revolving door

The concept of identity management, which has been around for years, is becoming more important, experts say. HSPD-12 can provide the basis for physical and IT security only if agencies keep track of who should have a card and, more importantly, who shouldn’t.

“We have found that it’s the person who is no longer affiliated who is the most important to know, because that can lead to unintended access,” Jones said.

Even if agencies have a centralized ID management system in place, they should check whether it is robust enough to handle the requirements of a converged security system.

Part of the solution is the card. An HSPD-12 card can handle authentication, given its computing and memory capabilities, said Robert Brandewie, senior vice president of identity and security solutions at Telos. The card can authenticate the identity of an individual, but it cannot determine whether that person is still with the organization that issued the card, he said. An agency needs a back-end system that can check affiliations and flag individuals attempting to access a facility or system for which they no longer have access privileges.

“You do need a management system that will associate the information on the card as closely as possible with the most up-to-date, authoritative database in the agency to make sure [the cardholder’s] privileges have not been revoked,” Brandewie said. “That’s a crucial step that’s emerging, and I think agencies are starting to learn that.”

Think it through

Smart-card experts encourage agencies not to rush the deployment of their security programs.

DOD officials set a good example with the way they systematically investigated the requirements for the new card, industry experts say. Indeed, one of the best things that civilian agencies can learn from DOD’s experience is the need to do small test programs in a number of different areas of an agency, Contos said. “It’s one of the things the DOD has done really well,” he said. “They’ve rolled this thing out slowly and have found many more holes [in the systems] that they might not have done otherwise.”

For GSA, piloting is the only way to handle those conversion issues, Erwin said. Policy issues can often be trickier to handle than technical issues, he said, but in some cases, the technical matters can be made worse by policy decisions, and it’s often only through test programs that those can be discovered.

Other experts emphasize the importance of educating employees about their credentials. People need to understand what the new card is all about, how it should be used and what they should do if they lose it. Training employees in the use of the new card is a task DOD has been emphasizing in many of its presentations on the card, said Cathy Medich, director of strategic programs at the Smart Card Alliance. This is necessary because of the more laissez-faire approach many had to their previous cards.

“They have to learn that it’s now a much more valuable piece of plastic,” Medich said. “Training is definitely something that’s needed.”

That training should involve everyone in an organization, from the IT and physical security professionals to the janitors, Byrnes said. They are the people who usually have access to an entire building.
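Two of the points above describe concrete access-control logic: Byrnes’ example of refusing network access unless the same card was used to get through the door, and Brandewie’s point that the card can authenticate a person but only a back-end lookup against the authoritative personnel database can tell whether that person is still affiliated. The following Python model, added here as an illustration and not code from DOD, EDS, Telos or any other organization named in the article, puts those two checks together in one logon decision. Every card serial, person identifier, facility name, database record and door-entry event in it is constructed sample data, and the card check is reduced to an expiry and hot-list test so the example runs offline (a real PIV/CAC deployment would do a PKI challenge-response against the card’s certificate instead).

```python
"""Converged access decision: card identity + live affiliation + door-entry correlation.

Added illustration, not the code of any agency or vendor. All identifiers,
records and events below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Card:
    card_id: str      # serial encoded on the card (constructed)
    person_id: str    # identifier bound to the cardholder at issuance
    expires: datetime


# Authoritative personnel database (constructed). Affiliation status is the
# "who's in and who's out" information that lives outside the card.
AFFILIATION_DB = {
    "P1001": {"status": "active",    "facility": "SITE-A"},
    "P1002": {"status": "separated", "facility": "SITE-A"},  # has left the organization
    "P1003": {"status": "active",    "facility": "SITE-B"},
}

# Hot list of card serials reported lost or revoked (constructed).
REVOKED_CARDS = {"C-9999"}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2008, 5, 1, 9, 0)

# Physical access control system log: (card_id, facility, timestamp). Constructed.
DOOR_EVENTS = [
    ("C-1001", "SITE-A", NOW - timedelta(minutes=15)),
    ("C-1002", "SITE-A", NOW - timedelta(minutes=5)),
    ("C-1003", "SITE-A", NOW - timedelta(hours=10)),  # stale: outside the window
]

# How recent a door entry must be to count toward a network logon.
DOOR_WINDOW = timedelta(hours=8)


def authenticate_card(card: Card) -> bool:
    """Step 1: the card itself. Reduced to expiry and hot-list checks here;
    a real deployment would verify the card's certificate and challenge-response."""
    return card.expires > NOW and card.card_id not in REVOKED_CARDS


def affiliation_active(person_id: str) -> bool:
    """Step 2: the back-end lookup the card cannot perform for itself."""
    rec = AFFILIATION_DB.get(person_id)
    return rec is not None and rec["status"] == "active"


def entered_building(card_id: str, facility: str) -> bool:
    """Step 3: the convergence rule. Was this same card used at a door of this
    facility recently enough to count?"""
    return any(
        cid == card_id and fac == facility and NOW - ts <= DOOR_WINDOW
        for cid, fac, ts in DOOR_EVENTS
    )


def network_logon_decision(card: Card, facility: str) -> tuple:
    """Return (decision, reason). Any failed check is a deny. A valid card held
    by a separated person is additionally flagged, because it points to a
    deprovisioning gap the security team should investigate."""
    if not authenticate_card(card):
        return ("deny", "card invalid, expired or revoked")
    if not affiliation_active(card.person_id):
        return ("deny-flag", "valid card but cardholder no longer affiliated")
    if not entered_building(card.card_id, facility):
        return ("deny", "no matching door entry at this facility")
    return ("allow", "card, affiliation and door entry all check out")


# Constructed cards for the scenarios above.
CARDS = {
    "C-1001": Card("C-1001", "P1001", NOW + timedelta(days=365)),
    "C-1002": Card("C-1002", "P1002", NOW + timedelta(days=365)),  # valid card, separated holder
    "C-1003": Card("C-1003", "P1003", NOW + timedelta(days=365)),  # door entry too old
    "C-9999": Card("C-9999", "P1001", NOW + timedelta(days=365)),  # reported lost
}

if __name__ == "__main__":
    for cid, card in CARDS.items():
        print(cid, *network_logon_decision(card, "SITE-A"))
```

The ordering of the checks matters for the flag: the affiliation lookup runs only after the card has proved genuine, so a “deny-flag” result means a real, unexpired, un-revoked credential is in the hands of someone the personnel system says has left, which is exactly the case Jones describes as the most important one to know about.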

Plan local, think global

Civilian agencies should think about access from a cross-government perspective, said Michael Mestrovich, president of the Federation for Identity and Cross Credentialing System (FiXs).

FiXs is a coalition of commercial companies, government contractors and other organizations that want to set up a worldwide network for establishing interoperable identities and cross-credentialing.

FiXs’ proposition: If agencies agree on a common model for authenticating individuals, they can avoid duplicating work when employees move from one building or system to another. Why go through the whole authentication process if another agency has already done the work?

However, for that approach to work, civilian agencies must come to terms with one another and the Defense Department on a common authentication process, Mestrovich said.

“Until they get that trust model set up between themselves and the DOD, nothing else is going to matter,” said Mestrovich, president and chief executive officer of Unlimited New Dimensions. Civilian agencies “are supposed to be working towards one, but we’ve not seen it yet.”

The FiXs approach could save civilian agencies money and provide for interoperability of credentials, said Bob Martin, director of identity management and assurance at American Systems.

“It provides a common platform for authentication, which is where the savings come in,” Martin said. “At the same time, it would allow agencies to apply their own authorization at the local level.”

Agencies also must agree on a governance process for collaborating, Mestrovich said. Ongoing collaboration should enable them to resolve problems that crop up, decide on interoperability standards, establish and manage system architectures, devise testing procedures, and develop security and privacy policies.

Mestrovich said FiXs could go a long way toward helping agencies work together, but agencies will need time to reach that goal. “There are still wide cultural gaps and many personality issues to overcome.”

— Brian Robinson

DOD’s lessons learned

Based on the Defense Department’s early experience using personal identity verification cards to merge physical and information security solutions, DOD officials and other experts suggest civilian agencies keep the following points in mind.

• Start with a plan. The plan should address the deployment strategy, expected benefits and anticipated problems.

• Get top-level support. Grass-roots efforts are good in concept, but high-level officials often need to step in and push things along.

• Pay attention to local differences. Agencies should assess the state of technology at each site to identify potential snags that could hinder deployment.

• Know who’s in and who’s out. Even if agencies have an identity management system in place, managers should re-evaluate the ability of those systems to handle the coming volume of Homeland Security Presidential Directive 12 identification cards.

• Start small. Experts say civilian agencies should follow DOD’s example of conducting small, focused test projects before broadly deploying converged security solutions.
