Zivney to Congress: HSPD-12 plans need review

SIA representative points to ongoing technical and collaboration challenges with HSPD-12

Despite challenges, SIA finds there are some agencies doing an exemplary job of provisioning credentials for their employees and upgrading their infrastructure to meet the requirements of HSPD-12. For those agencies that continue to work to improve their implementation of HSPD-12, SIA has formed a Government Infrastructure Security End User Group to assist in this process.

This SIA group serves as a bridge between industry and government and it is a conduit for information between these two entities. Over the past several months SIA has conducted non-product-specific training for federal employees to try to shorten the learning curve that agency security personnel are experiencing. These interactive sessions provide our industry with a means to learn about the needs of federal agencies. This helps our members develop products that meet those needs. I am pleased to say that this training is provided by SIA at no cost to federal employees. It is intended to help develop a federal security workforce that is better informed about physical security technologies so that the goal of maximizing tax dollars to provide security for government facilities is met.

Mr. Chairman, as part of SIA’s efforts to advance HSPD-12 implementation, we have proactively engaged NIST in extensive conversations related to FIPS-201 and its supporting Special Publications. SIA’s PIV Working Group also serves as a mechanism to quickly address government technical needs or questions related to physical security infrastructure. SIA also is an active participant in the Government Smart Card Interagency Advisory Board (IAB) and we take every opportunity to help government understand the ramifications of HSPD-12 on currently deployed security and life safety technologies as well as future technologies. We regularly and consistently provide comments on new and revised draft NIST publications that are posted for public review. In addition, we sponsor workshops and briefing sessions for industry, often with the participation of GSA, NIST, and other agencies involved with the development and implementation of the standards.

In conclusion, SIA would like to offer additional recommendations for the subcommittee’s consideration that may expedite full implementation of HSPD-12:

First, we would encourage this subcommittee to direct OMB to establish a dedicated team of professionals within its Office of E-Government and Information Technology. These employees have substantial knowledge of physical security technologies and physical security infrastructure within federal agencies.

This proposed OMB “physical security team” should regularly coordinate with the private sector toward implementation of HSPD-12 and the development of future Executive Branch policies and directives that may impact physical security at government facilities. As part of its responsibilities, this physical security team of experts would support the ongoing efforts of the Interagency Security Committee (ISC) that is charged with developing physical security policies, standards, and strategies at non-military government facilities. Established in 1995 under Executive Order 12977, the ISC is chaired by the Department of Homeland Security and comprised of senior level officials from federal government agencies.

Secondly, we recommend that OMB establish a policy for implementation of physical security similar to the policy document M-05-24. We have progressed to date with an “unfunded mandate” for PIV-I and PIV-II. However, physical access control systems are outside of that scope, and as such have neither funding nor a mandate. This requested policy must recognize that the PIV card is not compatible with most installed PACS currently in use and that the PACS will have to be, at a minimum, upgraded or, most likely, need to be replaced.

Finally, we encourage you to consider SIA as a resource for the effective utilization of the PIV credential with physical access control systems. We not only have the skills and knowledge for deployment and use, but are also an ANSI standards development organization (SDO). As such we are able to produce standards for physical security systems and indeed have many such applicable standards in development now.