Hewlett Packard recently commissioned a survey of government IT executives to examine their awareness of Homeland Security Presidential Directive-12 and their readiness to meet the upcoming FIPS 201 deadline. HSPD-12, announced in August last year, mandates a government-wide common ID credential for federal employees and contractors. The FIPS 201 standard, which sets the criteria for the personal identity verification (PIV) credential and identification infrastructure, required federal agencies to implement standards for issuing and registering the PIV credential by October 27.
The findings of the HP study, released just before that final criteria date, showed that 48 percent of federal IT professionals surveyed had not heard of HSPD-12, and only 23 percent were confident their agency would meet the since-passed October 27 deadline. The full details of the study can be found at www.hp.com/go/idmanagement.
We spoke with Paul Fleischmann, security practice principal for public sector consulting and integration for HP, about the results.
What was the impetus behind this study?
It was to try to take a temperature of where everybody was and how well prepared or how well they understood HSPD and all the requirements.
Were you surprised with the results?
Some of it was a little surprising, but a lot of it is pretty consistent with what you get when you talk to people. (The standard) is broken out into two parts - PIV-1 and PIV-2. Everybody's more comfortable with the PIV-1 because it so much concerns business practices and policies of vetting and issuing the actual credential, and it doesn't include much technology. So they're more comfortable in that arena. One of the surprises was to see how many people really weren't prepared for it. But the understanding that people aren't prepared for PIV-2 - that's been stated since (the directive) was released in August, so it wasn't that big of a surprise.
These results clearly show a failure at some level. In your opinion, whose failure is it? How can almost 50 percent of the federal IT professionals surveyed not even know of HSPD-12?
I don't know. I was baffled because the government smart card world has had agency boards, interoperability boards; they have workgroups; there are smart card specifications out. And in that arena everybody was very familiar with it; they knew it the second it came out. The agencies that really weren't looking into the technology or had no real interest in the technology - I think those are the ones who really got blindsided. We still will talk to agencies who say, "We just heard about this HSPD-12 thing; can you come down and talk with us about it?" I don't understand how or why that happens, but it does happen. So I think it's more on the agencies than the government, because the government has put out the presidential directive, the standard - FIPS - and special publications with it. OMB's held meetings, GSA's held meetings, NIST has held meetings. This was a well-publicized thing, and I think a lot of agencies got lulled into thinking, "No, we're not going to have to really worry about it."
At this point in the game, what can federal IT professionals do to prepare?
They have two weeks to meet PIV-1 [Editor's note: interview was completed prior to PIV-1 implementation] and a year to meet PIV-2. So for PIV-1 - if they haven't started it, they're not going to meet it. Now they would need to start the planning process for meeting PIV-1, but if you haven't started the planning process to meet PIV-2 six months ago, a year ago, you're already behind. It's that big of an effort and that wide reaching. It's no longer simply an IT problem. Now you have to bring together ID assurance, policy, physical access control, logical access control - all these things have to come in, and you have to have buy-in from the upper levels. These are groups that are not accustomed to talking to each other, so it's not a minor task to get the stakeholders to the table.