Zivney to Congress: HSPD-12 plans need review

SIA representative points to ongoing technical and collaboration challenges with HSPD-12

SIA believes the PIV II technical requirements for the implementation of HSPD-12 require an investment both financially and in the development of new infrastructure. However, the scope of the investment and time required for implementation were underestimated by the government when it set goals for the deployment of HSPD-12 through Office of Management and Budget (OMB) Memorandum M-05-24. Traditionally the functions of authentication and authorization have resided locally with the administrator of the physical access control system (PACS). The HSPD-12 and Federal Information Processing Standard (FIPS) 201 model have changed this: the credential issuer to a large degree now handles authentication while authorization remains a function of the PACS. This has created a unique challenge facing federal agencies, the development of a substantial shared infrastructure to accommodate the increased functionality and security features of the PIV II credential. For many agencies, the development of this new infrastructure presents a significant learning curve that they are working diligently to overcome.

Mr. Chairman, the implementation of HSPD-12 is truly a pioneering effort on behalf of the federal government. It requires that the human resources, information technology, and security departments interface and cooperate on an unprecedented level. These three disciplines traditionally are different in cultures and basic objectives. This creates challenges for all parties involved in implementing HSPD-12.

Although HSPD-12 may not draw the attention of our nation’s major media outlets, the world is watching. HSPD-12 is truly transformational. The issuance of OMB Memorandum M-05-24 was a bold move. In spite of the technical and procedural challenges, the subcommittee should note that there has been enough early success to attract scrutiny of HSPD-12 by other nations, state and local governments and other industry sectors.

Mr. Chairman, some may question the value of the PIV II credential because of the significant cost differential compared to traditional security technologies and the additional integration efforts required. How ever, the use of an identity credential coupled with the use of fingerprints for authentication of the bearer and the use of digital certificates and Public Key Infrastructure (PKI), promises to revolutionize government, significantly increase security, and conserve taxpayer dollars.

The methods and technologies needed to utilize the capabilities of the PIV II credential in a logical or physical access control system are still being discovered and developed. In the absence of clear guidance and specifications for the systems that will use the PIV card, some manufacturers have stepped up to the challenge and absorbed substantial research and development costs to produce next generation equipment capable of utilizing the features of a PIV II credential. These costs have been significant and made progress difficult as this work has been conducted without the benefit of having operational PIV II credentials available to manufacturers to develop and test associated products.

Mr. Chairman, given this subcommittee’s oversight responsibility over the General Services Administration (GSA), you will be interested to know that this situation is exacerbated by the fact that the GSA has had to design a specification for the credential readers, and is testing to that specification, a role it has never undertaken in the past.

As a result, the GSA Approved Product List (APL) testing program had to be created from scratch. The test specifications had to be inferred from the NIST specifications that were silent on the logical and physical access control systems that would actually use the cards and card production apparatus. This made for a very lengthy process, which was challenging for both GSA and the manufacturers submitting equipment for evaluation. There is also a catch 22; only federal employees and contractors are authorized to possess PIV cards. However, manufacturers need PIV cards to develop products that will use the cards. Operational card stock for R&D and testing remains a key priority for the electronic security industry, due to the many options and variations allowed for in the NIST specifications.

GSA’s current implementation of the approved products restricts these items to procurement from GSA Schedule 70, the Information Technology Schedule. However, the majority of the physical access control system components are assigned to Schedule 84, where they have always been. This makes it difficult both for the manufacturers submitting products and the government purchasers attempting to assemble systems from multiple GSA schedules. The decision to place the new PIV components “exclusively” on Schedule 70 was mandated by OMB. We believe this subcommittee should encourage the dual listing of approved HSPD-12 products on both Schedule 70 and Schedule 84 to serve both the IT security and physical security needs of agencies.