HSPD-12: It’s a Big Deal

Oct. 27, 2008
Government’s new standards for access control could open (or shut) doors for dealers

When President Bush signed Homeland Security Presidential Directive 12 (HSPD-12) in August 2004, he set in motion a major technological initiative by the federal government to standardize how ID badges are issued and used by federal employees. The goal is to improve security and reduce long-term costs by enabling all federal employees to have ID badges that use secure technology, require a background check, and are interoperable with all other governmental agencies.

As part of HSPD-12, new standards had to be created for the access control equipment to be used. These standards have been developed by the National Institute for Standards and Technology (NIST) and are called the Federal Information Processing Standards 201 (FIPS 201). Under FIPS 201, NIST has set minimum requirements for the Federal Personal Identification Verification (PIV) system (and ID badges will commonly be referred to as PIV cards).

While HSPD-12 was just a grand vision two years ago, today it is getting very close to a reality. In fact, with the upcoming October 27, 2006 deadline for all governmental agencies to start issuing FIPS 201-compliant PIV cards, HSPD-12 is all over the news. A lot is happening fast and furious—and if these new government standards trickle down to the private sector as they are eventually expected to, then the changes will impact you, the security dealer integrator.


What's Happening Now

Although the October 27 deadline is important, it is not the final HSPD-12 deadline. Instead, the final deadline for HSPD-12 is still scheduled two years from now on October 27, 2008 for all background checks to be completed. Furthermore, each governmental agency is responsible for itself when it comes to implementing HSPD-12, so is it possible that some agencies are lagging behind or not taking it seriously?

“Every agency and department within the U.S. government is taking this seriously merely as a function of the fact that it is a presidential mandate,” explains Mark Visbal, director of research and technology, the Security Industry Association. “Every agency and department has a plan that was developed under PIV Part 1 (developed and submitted 10/27/05) that it is following to achieve compliance with HSPD-12.”

Beth Thomas, product manager, credentials and readers, Honeywell, agrees that government agencies have been taking HSPD-12 seriously. “Because the execution of FIPS 201 is complex, complying with the technical scope of integration involves concentrated effort,” she says.

“The rollout of program implementation across the federal sector is dependent upon available funding. Sites that had maintenance budgets in place for technology upgrades in 2006 have been purchasing hardware to implement FIPS 201 since the beginning of this year,” she continues.

According to Thomas, the GSA has already selected a badge issuance service provider and the Department of Commerce has requested information to get their own procurement process underway. “At Honeywell, we have been working with our customers at both large and small government facilities on planning system updates that are FIPS 201-ready,” she states.


Private Sector Begins To Follow Suit

Visbal expects the private sector to follow suit with regard to FIPS 201, but they will likely wait for the government to work out the kinks first. “Critical infrastructure (CI) protection will most likely be the proving ground for the application of FIPS 201 to the private sector,” he states. “A major reason for this is that there will be federal monies made available for CI protection (97% of which is in the private sector), as long as the security solutions adhere to established interoperability and performance standards (i.e. FIPS 201).”

Thomas notes that migration to the private sector has already begun. She cites the TWIC (Transportation Worker Identification Credential) and FRAC (First Responder Authentication Cards) programs as examples of FIPS 201-compliant technology and infrastructure being used to improve management of ports and first response of emergency personnel.

“I have responded to many inquiries regarding TWIC in the last week,” says Thomas. “In addition, several individuals have also asked me how they can benefit from FIPS 201 and apply its best practices to their organizations to improve security, reduce cost, and enhance efficiency.”


A Debate Over Security Integrators Capitalizing On New Standards

FIPS 201 is not the first nor will it be the last set of governmental standards that pertain to physical and/or information security. With Sarbanes-Oxley, GLBA, FISMA, HIPAA, and others, the security industry can expect more laws and more standards in the future. However, will this be something security dealers can capitalize on?

Eric Widlitz, senior director, OEM and government channels, HID Global, has some encouraging words on the matter. “Over time, I expect security dealers to be able to capitalize on these emerging standards,” he says. “Since most of the new standards require a migration to new technologies, security dealers should be able to capitalize as infrastructures will need to be upgraded to support the new technologies.” 

However, Visbal doesn't think it will be easy. While large integration companies such as BearingPoint, Maximus, EDS, and Lockheed-Martin have been awarded the government's HSPD-12 contracts thus far, he points out that IT companies have a “marked advantage” in getting the HSPD-12 contracts over traditional security integrators because HSPD-12 solutions are only available on GSA Schedule 70 (the IT acquisition vehicle) and not on Schedule 84 (where security usually is offered). He warns that there will be serious ramifications for manufacturers, integrators and dealers due to this decision by the government.

Thomas says that the HSPD-12/FIPS 201 solution involves physical access control, cards, and IT software; and each component requires domain expertise. As such, she has seen IT companies awarded contracts for badging and card manufacturers awarded contracts for cards.

She also has seen contracts for physical access control awarded to physical access control dealers. Honeywell is working closely with their dealers on installations to provide FIPS 201-ready hardware in preparation for the rollout of PIV II credentials and systems later this year. 

“Ultimately, we believe that security dealers will be able to capitalize on these emerging standards because what we're seeing today is a form of information management and control across an organization,” Thomas concludes. “Security dealers will have many opportunities to serve the needs of their customers, whether they are called upon to provide single-card smart solutions, software that integrates physical access control into other software systems, or offer add-on solutions for logical (PC) access.”



For a list of products approved for FIPS 201, visit: www.idmanagement.gov.

For continuous coverage of HSPD-12 and FIPS 201, visit: www.securityinfowatch.com/hspd12/.
