Federal Security Mandates: An Update on HSPD-12 and FIPS-201

From August 2004 to May 2007: What has happened with the government unified identity card?


In 2004, President Bush signed Homeland Security Presidential Directive 12 into law. HSPD-12 is a high-level policy statement that mandates all federal employees will have "a secure and reliable form of identification" and this credential will allow both "physical access to federally controlled facilities and logical access to federally controlled information systems.” The Office of Management and Budget (OMB) is in charge of issuing guidance and ensuring compliance, and the U.S. Department of Commerce is in charge of creating the standards.


Join SecurityInfoWatch.com for a webinar on HSPD-12, to be held live on May 24, 2007. Registration is free; sign up today

Soon thereafter, the National Institute for Standards and Technology (NIST) introduced a document establishing the minimum requirements of all federal identification and verification systems. HSPD-12 provides the mandate, and FIPS-201 provides the implementation standards for a more secure credential process, which is designed to substantially improve homeland security by providing better access control, reducing identity theft and ultimately establishing a three-factor, biometric authentication system as the standard for the federal government.

Roadblocks to Implementation

As you might imagine, this is a very complex project. Simply issuing a common credential to two million federal civilian employees is a daunting task. But issuing the credential is the easy part -- many other critical responsibilities must be completed in order for federal agencies to achieve compliance by this October.

For example:

  • All federal employees must receive a favorable background investigation, including a FBI fingerprint check. The background investigations are to be completed no later than Oct. 27. Even if you allow for batch meta-database screening, with nearly two million federal civilian employees to screen, the timelines for implementation are in jeopardy.
  • Select the appropriate biometric. Due to its small digital signature and the ease of capture, the fingerprint is the initial biometric of choice. Two or more fingerprints will be electronically imprinted in the credential.
  • Standardized identity assurance and registration procedures must be developed.
  • Each agency must complete a Privacy Act certification for the storage of personally identifiable information. The new credential will include the employee's name, photo, agency, a biometric authentication function, expiration date and employment status (i.e., employee or contractor) . Other parameters may be added.
  • The new credentials are to be used for both physical access to buildings and logical access to computer systems. The cards must function in two ways: with a non-contact reader and a contact reader, both of which must meet International Organization for Standardization (ISO) standards. In a recent interview, Kevin Wine, vice president of marketing for Lenel Systems, set some priorities. “First, we need a vetted and trusted credential, and then we can move to single sign-on.”
  • Oct. 27, 2006, was established as the deadline for all federal agencies to begin issuing the new credential. By Oct. 27 of this year, only the new credential will be authorized. It should be noted that there are no clearly defined penalties for non-compliance and no enforcement program. Many federal agencies still don't have adequate funding for their projects.

The Interoperability Challenge

In the past, some federal agencies have considered FIPS to be “guidelines” rather than “mandates.” This accommodation had been included in the Computer Security Act of 1987. However, the Federal Information Security Management Act (FISMA) of 2002 supersedes the Computer Security Act, and FISMA does not permit agencies to waive the Federal Information Processing Standards.

This content continues onto the next page...