DOD blazes HSPD-12 trail
By Brian Robinson
Published on June 2, 2008
Plan local, think global
Civilian agencies should think about access from a cross-government perspective, said Michael Mestrovich, president of the Federation for Identity and Cross Credentialing System (FiXs).
FiXs is a coalition of commercial companies, government contractors and other organizations that want to set up a worldwide network for establishing interoperable identities and cross-credentialing.
FiXs’ proposition: If agencies agree on a common model for authenticating individuals, they can avoid duplicating work when employees move from one building or system to another. Why go through the whole authentication process if another agency has already done the work?
However, for that approach to work, civilian agencies must come to terms with one another and the Defense Department on a common authentication process, Mestrovich said.
“Until they get that trust model set up between themselves and the DOD, nothing else is going to matter,” said Mestrovich, president and chief executive officer of Unlimited New Dimensions. “Civilian agencies are supposed to be working towards one, but we’ve not seen it yet.”
The FiXs approach could save civilian agencies money and provide for interoperability of credentials, said Bob Martin, director of identity management and assurance at American Systems.
It provides a common platform for authentication, which is where the savings come in, Martin said. At the same time, it would allow agencies to apply their own authorization at the local level.
Agencies also must agree on a governance process for collaborating, Mestrovich said. Ongoing collaboration should enable them to resolve problems that crop up, decide on interoperability standards, establish and manage system architectures, devise testing procedures, and develop security and privacy policies.
Mestrovich said FiXs could go a long way toward helping agencies work together, but agencies will need time to reach that goal. There are still wide cultural gaps and many personality issues to overcome.
Brian Robinson
DOD’s lessons learned
Based on the Defense Department’s early experience using personal identity verification cards to merge physical and information security solutions, DOD officials and other experts suggest civilian agencies keep the following points in mind.
• Start with a plan. The plan should address the deployment strategy, expected benefits and anticipated problems.
• Get top-level support. Grass-roots efforts are good in concept, but high-level officials often need to step in and push things along.
• Pay attention to local differences. Agencies should assess the state of technology at each site to identify potential snags that could hinder deployment.
• Know who’s in and who’s out. Even if agencies have an identity management system in place, managers should re-evaluate the ability of those systems to handle the coming volume of Homeland Security Presidential Directive 12 identification cards.
• Start small. Experts say civilian agencies should follow DOD’s example of conducting small, focused test projects before broadly deploying converged security solutions.
When it comes to security convergence, the Defense Department might have a lot to learn, as DOD officials insist, but it knows more than most agencies.
Federal officials expect agencies to develop converged systems for controlling access to buildings and systems by using the personal identity verification (PIV) cards required by Homeland Security Presidential Directive 12 (HSPD-12). However, most civilian agencies are still struggling through the early stages of issuing cards, according to a report by the Government Accountability Office issued in April.
The report cites numbers from the Office of Management and Budget that show, through the end of March, that agencies had issued cards to only 3 percent of the eligible employees and contractors.
DOD, which developed a smart ID card years before HSPD-12, had a head start. At the end of 2007, DOD had issued more than 13 million Common Access Cards to active-duty, reserve and National Guard military employees, in addition to DOD civilian employees and eligible DOD contractors. The main challenge now is retrofitting CAC to meet HSPD-12 requirements.
More recently, DOD has been working to marry the logical and physical access capabilities of new HSPD-12 compliant CAC cards, running prototype systems at 10 test sites throughout DOD.
Those test projects do not provide a sufficient base from which to derive any comprehensive standard practices, said Frank Jones, director of the Personnel Identity Protection Solutions Division at the Defense Manpower Data Center. However, Jones and other experts have said that the early work produced valuable lessons learned for defense and civilian agencies looking to implement converged solutions.
Plan, discuss and negotiate
GAO and Jones emphasized the importance of having a plan.
GAO’s report faulted OMB for not requiring agencies to develop plans for how they would use the full capabilities of the cards. Until that happens, “HSPD-12’s objectives of increasing the quality and security of ID and credentialing practices across the federal government may not be fully achieved,” the report states.
Jones said agencies need a comprehensive plan that outlines the deployment strategy, the expected benefits and the issues that might arise during deployment.