Q&A: Hewlett Packard's Paul Fleischmann Speaks out on HSPD-12

Dec. 12, 2005
With only half of government IT directors aware of new regulations, how do public agencies meet the new demands?

Hewlett Packard recently commissioned a survey of government IT executives to examine their awareness of Homeland Security Presidential Directive-12 and their readiness to meet the upcoming FIPS 201 deadline. HSPD-12, announced in August last year, mandates a government-wide common ID credential for federal employees and contractors. The FIPS 201 standard, which sets the criteria for the personal identity verification (PIV) credential and identification infrastructure, required federal agencies to implement standards for issuing and registering the PIV credential by October 27.

The findings of the HP study, released just before that final criteria date, showed that 48 percent of federal IT professionals surveyed had not heard of HSPD-12, and only 23 percent were confident their agency would meet the since-passed October 27 deadline. The full details of the study can be found at www.hp.com/go/idmanagement.

We spoke with Paul Fleischmann, security practice principal for public sector consulting and integration for HP, about the results.

What was the impetus behind this study?

It was to try to take a temperature of where everybody was and how well prepared or how well they understood HSPD and all the requirements.

Were you surprised with the results?

Some of it was a little surprising, but a lot of it is pretty consistent with what you get when you talk to people. (The standard) is broken out into two parts: PIV-1 and PIV-2. Everybody's more comfortable with the PIV-1 because it so much concerns business practices and policies of vetting and issuing the actual credential, and it doesn't include much technology. So they're more comfortable in that arena. One of the surprises was to see how many people really weren't prepared for it. But the understanding that people aren't prepared for PIV-2 - that's been stated since (the directive) was released in August, so it wasn't that big of a surprise.

These results clearly show a failure at some level. In your opinion, whose failure is it? How can almost 50 percent of the federal IT professionals surveyed not even know of HSPD-12?

I don't know. I was baffled because the government smart card world has had agency boards, interoperability boards; they have workgroups; there are smart card specifications out. And in that arena everybody was very familiar with it; they knew it the second it came out. The agencies that really weren't looking into the technology or had no real interest in the technology - I think those are the ones who really got blindsided. We still will talk to agencies who say, "We just heard about this HSPD-12 thing; can you come down and talk with us about it?" I don't understand how or why that happens, but it does happen. So I think it's more on the agencies than the government, because the government has put out the presidential directive, the standard (FIPS) and special publications with it. OMB's held meetings, GSA's held meetings, NIST has held meetings. This was a well-publicized thing, and I think a lot of agencies got lulled into thinking, "No, we're not going to have to really worry about it."

At this point in the game, what can federal IT professionals do to prepare?

They have two weeks to meet PIV-1 [Editor's note: the interview was completed prior to PIV-1 implementation] and a year to meet PIV-2. So for PIV-1, if they haven't started it, they're not going to meet it. Now they would need to start the planning process for meeting PIV-1, but if you haven't started the planning process to meet PIV-2 six months ago, a year ago, you're already behind. It's that big of an effort and that wide reaching. It's no longer simply an IT problem. Now you have to bring together ID assurance, policy, physical access control, logical access control - all these things have to come in, and you have to have buy-in from the upper levels. These are groups that are not accustomed to talking to each other, so it's not a minor task to get the stakeholders to the table.

I know that in the agencies we work with, one of their first priorities was to make sure physical access, IT, and all the stakeholders were together at the start rather than trying to start the planning process and then bring people in. Because this is going to be a shift in the way business is done on the physical access side. That group generally likes to keep everything very closed off and tightly controlled. They don't want anybody else to have access, and all of a sudden now you have different requirements. It was important to have them there so they could hear the discussion. They may not have had anything to input at the time, but they heard the discussion about how the planning was going to be done from the IT infrastructure side.

What guidance and resources would you point federal IT professionals to, to get them back up to speed?

They need to read and understand FIPS 201 and the special publications that go with it (800-73, 800-76, and 800-78), because those are the defining parts about what's going to be used within the technology. There's also OMB guidance, there's a GSA handbook out - there are several different government resources to use, and they have to have an understanding of that or they'll be lost. Also the government smart card community is very open. It's a very good group; they're very helpful, and they'll be more than happy to share lessons learned. They have meetings - it's a very good community to use as a resource in itself.

What can vendors do to help security professionals establish plans?

Well, we need to break vendors into a couple areas. You have vendors who are developing the smart card, biometric piece of this, the physical access readers. Then there are integrators and consultants who are there to help with the planning and management.

I would say there are several good vendors who can help understand the steps necessary to put management plans in place and to ensure you have a coordinated effort. But you also need to have discussions with product vendors to understand their roadmap, because when this came out, all the vendors were working toward the government smart card interoperability specification (GSC-IS), and then they put this PIV out, which is a shift, so now all these product vendors are having to go back and redo their products to meet PIV. So you really need to understand their timing, roadmap, when the product is going to be available, what's out there.

This is driving a shift towards enterprise solutions, because it's an unfunded mandate. So some of the ways they're deferring some of the cost is to do all this as an enterprise service. And the big shift now too is to ID management, because you're looking at issuing every single employee and contractor in the federal government a digital ID. And you need to manage that. So they're all starting to say, "I need to make sure I have a good approach and plan not only to issue a card, but to be able to manage that, to manage the enterprise and to have all the information I need at the enterprise level."

At the end of the study there's a question about the top challenge of HSPD-12, and cost wins out. But the study sort of marginalizes that concern.

Let me rephrase that for you, then. Of those agencies which are aware of HSPD-12, their biggest issue is money. Those who aren't aware don't understand the cost or scope of it. Cost is a major issue. Making it an enterprise solution is the way to deal with the cost issue. We can start talking about ROI and cost-effective methods of implementing a solution, but at the end of the day what it comes down to is that you want to be able to deliver a service to your customers for the least amount of money you can. You want the most services for the least money. You have to base that upon being able to actually perform and accomplish your mission for the least amount of money, so that's why they're looking at the enterprise. And that's a good approach, because instead of paying for multiple departments to run the same services, you're doing it at one time. It reduces initial infrastructure costs. It reduces support and admin costs, and daily operational costs are lower, so it makes sense to approach it that way.