Federal Security Mandates: An Update on HSPD-12 and FIPS-201

In 2004, President Bush signed Homeland Security Presidential Directive 12 into law. HSPD-12 is a high-level policy statement that mandates all federal employees will have "a secure and reliable form of identification" and this credential will allow both "physical access to federally controlled facilities and logical access to federally controlled information systems.” The Office of Management and Budget (OMB) is in charge of issuing guidance and ensuring compliance, and the U.S. Department of Commerce is in charge of creating the standards.

Join SecurityInfoWatch.com for a webinar on HSPD-12, to be held live on May 24, 2007. Registration is free; sign up today

Soon thereafter, the National Institute for Standards and Technology (NIST) introduced a document establishing the minimum requirements of all federal identification and verification systems. HSPD-12 provides the mandate, and FIPS-201 provides the implementation standards for a more secure credential process, which is designed to substantially improve homeland security by providing better access control, reducing identity theft and ultimately establishing a three-factor, biometric authentication system as the standard for the federal government.

Roadblocks to Implementation

As you might imagine, this is a very complex project. Simply issuing a common credential to two million federal civilian employees is a daunting task. But issuing the credential is the easy part -- many other critical responsibilities must be completed in order for federal agencies to achieve compliance by this October.

For example:

  • All federal employees must receive a favorable background investigation, including a FBI fingerprint check. The background investigations are to be completed no later than Oct. 27. Even if you allow for batch meta-database screening, with nearly two million federal civilian employees to screen, the timelines for implementation are in jeopardy.
  • Select the appropriate biometric. Due to its small digital signature and the ease of capture, the fingerprint is the initial biometric of choice. Two or more fingerprints will be electronically imprinted in the credential.
  • Standardized identity assurance and registration procedures must be developed.
  • Each agency must complete a Privacy Act certification for the storage of personally identifiable information. The new credential will include the employee's name, photo, agency, a biometric authentication function, expiration date and employment status (i.e., employee or contractor) . Other parameters may be added.
  • The new credentials are to be used for both physical access to buildings and logical access to computer systems. The cards must function in two ways: with a non-contact reader and a contact reader, both of which must meet International Organization for Standardization (ISO) standards. In a recent interview, Kevin Wine, vice president of marketing for Lenel Systems, set some priorities. “First, we need a vetted and trusted credential, and then we can move to single sign-on.”
  • Oct. 27, 2006, was established as the deadline for all federal agencies to begin issuing the new credential. By Oct. 27 of this year, only the new credential will be authorized. It should be noted that there are no clearly defined penalties for non-compliance and no enforcement program. Many federal agencies still don't have adequate funding for their projects.

The Interoperability Challenge

In the past, some federal agencies have considered FIPS to be “guidelines” rather than “mandates.” This accommodation had been included in the Computer Security Act of 1987. However, the Federal Information Security Management Act (FISMA) of 2002 supersedes the Computer Security Act, and FISMA does not permit agencies to waive the Federal Information Processing Standards.

But the project is more than just creating the credential. Without a standard set of electronic interfaces, the credentials being issued would be nothing more than fancy ID cards. The General Services Administration (GSA) is working to standardize the multiple interfaces whose compatibility is essential to achieve system interoperability; however, these critical components are not ready for prime time. The design, testing and implementation of the interfaces that will enable the identity management system to communicate with the access control system, global positioning systems, etc., have not been completed.

Bruce Brotman of the National Biometrics Project says two areas still under construction are biometrics and encryption. The chief roadblocks still facing implementation are developing a process for managing biometrics and the unfunded mandate. Another area of concern to Brotman is the pervasive, ineffective testing of both hardware and software that may lead to cost overruns. More independent test labs should be involved, he says.

Without having the interfaces in-place, it is extremely difficult to ensure interoperability. Federal regulations require that all components must be purchased from the GSA's approved products list, but that list is incomplete. How can anyone design for interoperability without knowing what devices may be in play?

Legacy Systems Nightmare

Another area of concern is replacing the thousands of legacy systems currently in operation. Most legacy access control systems cannot support the memory required for the smart cards, and most legacy proximity readers function on a different frequency of 125 kilohertz (kHz). NIST chose to ignore the 125 kHz system interface devices in its initial FIPS-201 document. Mark Visbal, director of research and technology for the Security Industry Association, has expressed frustration that FIPS-201 did not attempt to integrate the legacy 125 kHz standard into FIPS-201. Instead, NIST chose to ignore the 125 kHz proximity cards already in wide use and mandated the 13.56 megahertz (MHz) smart cards in FIPS-201. Including the 125 standard makes good sense -- especially since the entire project is moving towards a migration methodology rather than a flash cutover.

Finally, most of the existing smart cards already deployed in the federal government are not compliant with the new FIPS standards. So, the question becomes should these agencies, such as the Veterans Administration, scrap the multi-million dollar legacy system for the new systems to achieve compliance -- or should the FIPS-compliant devices be added on a going-forward basis?

Inflexible Deadlines

Some of the problems facing federal agencies and their would-be private sector suppliers are tactical and some are strategic. Complaints have been heard that policy-makers are not providing adequate guidance for a project of this scale. Many agency heads feel that the timelines are unreasonable. The phrase “unfunded mandate” is frequently heard.

Consider the background checks that must be conducted on every federal civilian employee -- if the basic automated background check costs $25, that's $50 million that the agencies must come up with before the cards can be issued. However, according to the GSA and the Office of Management and Budget (OMB), the agencies are expected to find funding within their existing budgets. This means that existing IT projects may be put on hold or cancelled.

Interestingly, OMB insists that the deadline is firm and that compliance is expected. But clearly there is a problem. Many agencies missed interim deadlines. The emphasis seems to be shifting toward a migration strategy rather than a flash cutover. In 2006, OMB gave conditional permission for several agencies, including the Veterans Administration (VA) to continue with legacy systems and “transition” to the new methodologies. In the interim, the VA will have out-of-band access systems that may require employees to carry several badges. The length of the “interim” period has not been defined by OMB.

Mixed Reviews

Roy Bordes, Principal of the Bordes Group, participated in the FIPS-201 study group for encryption standards. He says “HSPD-12 will die on the vine,” adding that the FIPS-201 encryption algorithm has already been cracked and this project (FIPS-201) “is a total waste of time and effort.”

“Everyone is after the hundreds of millions of federal money that they think is waiting,” Bordes says. “But if the federal market doesn't develop as planned then the marketing focus will move to the private sector. The day [the federal government] adopted FIPS-201, they made everything on the street obsolete. Now the industry is changing to meet FIPS.”

Wine, on the other hand, is outspoken in his support for HSPD-12 and FIPS-201. “FIPS-201 is a positive change and will, in the end, add to the knowledge base, enhance the security process, and drive progress,” he says.

Lastly, what is the impact of HSPD-12 and FIPS-201 on the private sector? Whether this project is a migration, a transition or a flash cutover, it seems certain that there will be changes in access controls for the federal government. Remember, the real value received is best assessed over time.

HSPD-12 and FIPS-201 will:

• Lead to the creation of trusted cards and readers that are interoperable. There is direct application of these vetted products in the private sector;

• Establish a de facto standardization for access control products and software;

• Bring about a convergence of access control suppliers for both physical and logical systems;

• Focus the private sector on standards, such as NIST and ISO; and

• Lead to the development of similar federal regulations for public companies within five years.

About the author: Bob Wynn is the former CISO for the State of Georgia. His 20 years in the security field include experience in senior security management, infrastructure protection, computer crime investigations, policy writing and regulatory compliance. For six years, Mr. Wynn has been an instructor at the FBI National Academy in Quantico, Va., specializing in cyber-terrorism, trends in computer crime, and the behaviors and the motivations of computer-aided criminals.

Join SecurityInfoWatch.com for a webinar on HSPD-12, to be held live on May 24, 2007. Registration is free; sign up today