Government Security Progress Report

Oct. 27, 2008
House Subcommittee evaluates need for improved IDs, security clearance reform and HSPD-12

The need for American citizens to harden the security of their identification documents became apparent following the terrorist attacks of Sept. 11, 2001. Several of the Sept. 11 hijackers illegally obtained driver’s licenses and boarded commercial planes that became the means to executing the attack. It is no surprise that one of the most critical recommendations made by the 9/11 Commission was to improve the security of U.S. ID documents. In 2002, President Bush made strides towards achieving secure identification documents for all Federal employees when he issued HSPD-12.

On April 9, the House Oversight and Government Reform Subcommittee on Government Management, Organization and Procurement convened a hearing, “Federal Security: ID Cards and Background Checks.” The event marked the release of a GAO report evaluating the progress of HSPD-12 implementation.

According to the GAO report, much work had been accomplished to lay the foundations for implementation of HSPD-12; however, federal agencies have made limited progress in implementing and using PIV cards.
In opening remarks, Chairman Ed Towns (D-N.Y.) and Ranking Member Brian Bilbray (R-Calif.) noted the importance of secure identification documents for Americans, as well as the concern over the progress of HSPD-12 implementation. Bilbray questioned: “How are we (the Federal Government) setting the example for the use of secure ID cards in cities, states and counties?”

Witnesses, including government agency representatives, provided an update on the progress of HSPD-12 implementation. Karen Evans, administrator of E-Government and IT for the Office of Management and Budget (OMB), said they were holding agencies accountable and monitoring progress of implementation. However, she admitted that to date, only 3 percent of all federal employees have been issued ID cards, and that many were only being used as flash passes. When Towns asked Evans what had been “wasteful with HSPD-12 implementation,” she reiterated that only 3 percent of the cards were issued, and that OMB was being mindful of spending and the GAO had an opportunity to correct any missteps.

Thomas Wiesner, deputy chief information officer for the Department of Labor (DOL), testified and noted “We have issued PIV cards to 10,591 of the 15,407 employees at DOL (69 percent). We have issued PIV cards to 1,210 of the 2,400 contractors (more than 50 percent).”

Mike Sade, assistant commissioner for Acquisition Management for the General Services Administration (GSA) Federal Acquisition Service, highlighted GSA’s role in HSPD-12 implementation and discussed the establishment of the Approved Products List (APL). The APL is a list of HSPD-12 products certified to conform to FIPS-201. During the hearing Sade said, “There are more than 300 products on our APL available for purchase on Schedule 70.” In prepared testimony he said, “The infrastructure that GSA has established for HSPD-12 is critical to meet the requirements of the Presidential Directive and critical implementation milestones.”
The committee also heard testimony from Rob Zivney, vice-president of Marketing for Hirsch Electronics and the Security Clearance Reform Coalition. Zivney, who also chairs The Security Industry Association (SIA) PIV Working Group, testified on behalf of SIA. Zivney emphasized that SIA members strongly support the goals of HSPD-12 and welcome the subcommittee’s interest. He offered SIA’s resources to help ensure the successful implementation of this directive by all federal agencies.

“The implementation of HSPD-12 is truly a pioneering effort on behalf of the federal government. It requires that the human resources, information technology and security departments interface and cooperate on an unprecedented level,” Zivney said. “These three disciplines traditionally are different in cultures and basic objectives — this creates challenges for all parties involved.”
Despite the challenges, Zivney noted that several agencies were doing an exemplary job of provisioning credentials for their employees and upgrading their infrastructure to meet the requirements of HSPD-12. For agencies seeking to improve their HSPD-12 implementation plans, he noted that SIA has formed a Government Infrastructure Security End-User Group. “Managed by SIA, the Government End-User group serves as a bridge between industry and government,” Zivney said. “SIA held four non-product-specific training sessions this past year for these government security practitioners to learn about emerging products and technologies. These sessions also provided our members insight into the needs of federal agencies.”

Recommendations
Zivney urged the subcommittee to direct the Office of Management and Budget’s (OMB) Office of E-Government and Information Technology to establish a dedicated “physical security team,” composed of professionals with substantial knowledge of physical security technologies and physical security infrastructure within federal agencies. As part of its responsibilities, this physical security team would support the ongoing efforts of the Interagency Security Committee charged with developing physical security policies, standards and strategies at non-military government facilities.

Zivney, on behalf of SIA, also recommended OMB establish a policy for implementation of physical security similar to OMB Memorandum M-05-24. Currently, PIV-I and PIV-II are “unfunded mandates,” however, physical access control systems (PACS) are outside of that scope and have neither funding nor a mandate. This requested policy must recognize that the PIV card is not compatible with most installed PACS currently in use, and that the PACS will have to be, upgraded at a minimum, or most likely, replaced.

Finally, Zivney called on the committee to use SIA as a resource for the effective use of the PIV credential with physical access control systems. Zivney noted that SIA not only has the skills and knowledge for deployment and use, but as an ANSI standards development organization, is able to produce standards for physical security systems.

Zivney noted in a response to Congressman Towns, “As the GAO Report points out, the focus up to now has been on issuance. Now, we turn to usage of the PIV card. This is phase two, and the applications experience and disciplines of the physical security industry will be critical for our mutual success. The Security Industry Association looks forward to supporting the government in this effort.”

Don Erickson is director of government relations for The Security Industry Association. To learn more about SIA’s 2008 legislative agenda, please visit www.siaonline.org.