Q&A: Hewlett Packard's Paul Fleischmann Speaks out on HSPD-12

With only half of government IT directors aware of new regulations, how do public agencies meet the new demands?

I know that in the agencies we work with, one of their first priorities was to make sure physical access, IT, and all the stakeholders were together at the start rather than trying to start the planning process and then bring people in. Because this is going to be a shift in the way business is done on the physical access side. That group generally likes to keep everything very closed off and tightly controlled. They don't want anybody else to have access, and all of a sudden now you have different requirements. It was important to have them there so they could hear the discussion. They may not have had anything to input at the time, but they heard the discussion about how the planning was going to be done from the IT infrastructure side.

What guidance and resources would you point federal IT professionals to, to get them back up to speed?

They need to read and understand FIPS 201 and the special publications that go with it (SP 800-73, 800-76, and 800-78), because those are the defining parts about what's going to be used within the technology. There's also OMB guidance, and there's a GSA handbook out; there are several different government resources to use, and they have to have an understanding of that or they'll be lost. Also, the government smart card community is very open. It's a very good group; they're very helpful, and they'll be more than happy to share lessons learned. They have meetings; it's a very good community to use as a resource in itself.

What can vendors do to help security professionals establish plans?

Well, we need to break vendors into a couple of areas. You have vendors who are developing the smart card and biometric piece of this, and the physical access readers. Then there are integrators and consultants who are there to help with the planning and management.

I would say there are several good vendors who can help understand the steps necessary to put management plans in place and to ensure you have a coordinated effort. But you also need to have discussions with product vendors to understand their roadmap, because when this came out, all the vendors were working toward the Government Smart Card Interoperability Specification (GSC-IS), and then they put PIV out, which is a shift, so now all these product vendors are having to go back and redo their products to meet PIV. So you really need to understand their timing and roadmap, when the product is going to be available, and what's out there.

This is driving a shift towards enterprise solutions, because it's an unfunded mandate. So some of the ways they're deferring some of the cost is to do all this as an enterprise service. And the big shift now too is to ID management, because you're looking at issuing every single employee and contractor in the federal government a digital ID. And you need to manage that. So they're all starting to say, I need to make sure I have a good approach and plan not only to issue a card, but to be able to manage that, to manage the enterprise and to have all the information I need at the enterprise level.

At the end of the study there's a question about the top challenge of HSPD-12, and cost wins out. But the study sort of marginalizes that concern.

Let me rephrase that for you, then. Of those agencies which are aware of HSPD-12, their biggest issue is money. Those who aren't aware don't understand the cost or scope of it. Cost is a major issue. Making it an enterprise solution is the way to deal with the cost issue. We can start talking about ROI and cost-effective methods of implementing a solution, but at the end of the day what it comes down to is that you want to be able to deliver a service to your customers for the least amount of money you can. You want the most services for the least money. You have to base that upon being able to actually perform and accomplish your mission for the least amount of money, so that's why they're looking at the enterprise. And that's a good approach, because instead of paying for multiple departments to run the same services, you're doing it at one time. It reduces initial infrastructure costs. It reduces support and admin costs, and daily operational costs are lower, so it makes sense to approach it that way.