Federal Security Mandates: An Update on HSPD-12 and FIPS-201

From August 2004 to May 2007: What has happened with the government unified identity card?
But the project is more than just creating the credential. Without a standard set of electronic interfaces, the credentials being issued would be nothing more than fancy ID cards. The General Services Administration (GSA) is working to standardize the multiple interfaces whose compatibility is essential to achieve system interoperability; however, these critical components are not ready for prime time. The design, testing and implementation of the interfaces that will enable the identity management system to communicate with the access control system, global positioning systems, etc., have not been completed.

Bruce Brotman of the National Biometrics Project says two areas still under construction are biometrics and encryption. The chief roadblocks still facing implementation are developing a process for managing biometrics and the unfunded mandate. Another area of concern to Brotman is the pervasive, ineffective testing of both hardware and software that may lead to cost overruns. More independent test labs should be involved, he says.

Without the interfaces in place, it is extremely difficult to ensure interoperability. Federal regulations require that all components be purchased from the GSA's approved products list, but that list is incomplete. How can anyone design for interoperability without knowing which devices may be in play?

Legacy Systems Nightmare

Another area of concern is replacing the thousands of legacy systems currently in operation. Most legacy access control systems cannot support the memory required for the smart cards, and most legacy proximity readers operate at a different frequency, 125 kilohertz (kHz). NIST chose to ignore 125 kHz system interface devices in its initial FIPS-201 document. Mark Visbal, director of research and technology for the Security Industry Association, has expressed frustration that FIPS-201 made no attempt to integrate the legacy 125 kHz standard. Instead, NIST set aside the 125 kHz proximity cards already in wide use and mandated 13.56 megahertz (MHz) smart cards. Including the 125 kHz standard makes good sense -- especially since the entire project is moving toward a migration methodology rather than a flash cutover.

Finally, most of the smart cards already deployed in the federal government are not compliant with the new FIPS standard. So the question becomes: should agencies such as the Veterans Administration scrap their multi-million dollar legacy systems for new systems to achieve compliance -- or should FIPS-compliant devices be added on a going-forward basis?

Inflexible Deadlines

Some of the problems facing federal agencies and their would-be private sector suppliers are tactical and some are strategic. Complaints have been heard that policy-makers are not providing adequate guidance for a project of this scale. Many agency heads feel that the timelines are unreasonable. The phrase “unfunded mandate” is frequently heard.

Consider the background checks that must be conducted on every federal civilian employee -- if the basic automated background check costs $25, that's $50 million that the agencies must come up with before the cards can be issued. However, according to the GSA and the Office of Management and Budget (OMB), the agencies are expected to find funding within their existing budgets. This means that existing IT projects may be put on hold or cancelled.

Interestingly, OMB insists that the deadline is firm and that compliance is expected. But clearly there is a problem. Many agencies missed interim deadlines. The emphasis seems to be shifting toward a migration strategy rather than a flash cutover. In 2006, OMB gave conditional permission for several agencies, including the Veterans Administration (VA) to continue with legacy systems and “transition” to the new methodologies. In the interim, the VA will have out-of-band access systems that may require employees to carry several badges. The length of the “interim” period has not been defined by OMB.

Mixed Reviews

Roy Bordes, Principal of the Bordes Group, participated in the FIPS-201 study group for encryption standards. He says “HSPD-12 will die on the vine,” adding that the FIPS-201 encryption algorithm has already been cracked and this project (FIPS-201) “is a total waste of time and effort.”