Survey: HSPD-12 Compliance Not Looking Good

According to a new survey by INPUT, a consulting company for government procurement and contracting, the outlook for HSPD-12 isn't very rosy.

The independent survey, which was released today, indicated that about half of federal IT security executives don't a have a plan in place to meet the Oct. 27 deadline for HSPD-12 implementation. The HSPD-12, a.k.a. Homeland Security Presidential Directive 12 requires government agencies adopt personal identity verification standards for a one-card merged access solution. By Oct. 27, all agencies are required to begin adoption of this identity standard, though most October implementations will likely be pilot projects only.

Commenting on the survey results, INPUT's vice president of information security, Bruce Brody, said that the Office of Management and Budget isn't providing enough direction for agency IT directors, and many in the government believe the compliance deadline may not be enforced.

"There appears to be considerable confusion in the industry as 46 percent of survey respondents do not feel that OMB is providing enough clarity for HSPD-12 compliance," said Brody in a statement announcing survey results. "Federal IT security executives cite a noticeable lack of guidance as to how to actually define success with the compliance efforts and how funding and budgetary issues would be addressed. There is even more grey area with regards to the deadline itself since 37 percent of respondents either do not believe or are unsure that OMB will hold fast to the HSPD-12 compliance deadline."

Other survey highlights:

- Most respondents seem to be behind the eight ball, with 56 percent reporting that they had not or had only initially begun implementing and identity and access control solution.

- Most respondents will be using smart-cards and ID badges as the authentication token.

Integration seems to be a key hold-up, with some 56 percent of respondents to the INPUT survey reporting that they were using seven or more physical access control systems in their facilities. Fifty-eight percent said they had not decided whether to standardize those systems or not. HSPD-12 would require that these systems be standardized such that they all work with the HSPD-12 identity and access standards. The survey also indicated that it would be nearly impossible for most of the government organizations to standardize their physical access in time for the Oct. 27 deadline.

But at least most agencies at least know that they need to be doing something. Some 74 percent have formed an HSPD-12 task force, but that doesn't mean it's easy street.

According to Christopher Michael, federal technology strategist for CA, which is holding an HSPD-12 and Identity and Access Management Symposium in Washington, D.C., today, that is simply far from the case.

"Agencies are clearly struggling with HSPD-12 compliance," said Michael.