Three of a Kind

Agencies rely on one of three HSPD-12 approaches to meet difficult compliance requirements.

Heather B. Hayes has been covering technology, business and education topics for more than 20 years and has written more than 2,000 published articles. She lives in Virginia.

Agencies may be under a single mandate to develop a secure, common identification card that lets employees verify their identities and enter federal buildings and access systems, but there’s certainly no one perfect way to successfully work through and solve the difficult process and technology issues involved.

As the milestone to begin issuing cards for Homeland Security Presidential Directive 12 loomed large late last summer, agencies each lined up behind one of three approaches that fit their particular needs. Nine agencies decided they had enough dollars and in-house technical expertise to tackle the challenge alone. Some agencies decided to team up with like-minded agencies and come up with a common solution. But the majority recognized that the mandate was too daunting to face without help and turned to the HSPD-12 shared-services expertise offered at the Interior Department’s National Business Center (NBC) and the General Services Administration.

No approach is easy or perfect, and each presents its own unique challenges and lessons learned. Here is a close look at each of the different strategies in action, detailing what works and what doesn’t. Feds working on HSPD-12 programs identify potential pitfalls and how to avoid them as agencies move forward creating a governmentwide approach to credentialing and using new ID cards for physical and logical access to federal buildings and systems.

The October 2006 deadline to begin issuing cards was just the launch for HSPD-12. For most agencies, the work of building out back-end identity management systems, setting access controls and making the new cards more than fancy flash passes lies ahead. Meanwhile, agencies also are preparing for this fall’s deadline, when they must complete background checks for all cardholders who have fewer than 15 years of government service. The three models established for issuing cards will form the basis for all the work that still lies ahead.

Going It Alone

For the Homeland Security Department, the decision to take a standalone approach to its HSPD-12 implementation was a no-brainer.

“We can do it cheaper on our own than we ever could by outsourcing it, but just our immense size and the fact that we have people in various places was justification enough to do it in-house,” says Cynthia Sjoberg, program manager for the HSPD-12 Program at Homeland Security. “We really needed to be able to cater the solution to our own needs.”

Photo: Randall Scott

Be willing to ask for help because “there are so many moving parts to this process that you really can’t anticipate what issues you might be coming up against,” Homeland Security’s Cynthia Sjoberg says.

In fact, DHS’ environment is so complex that officials decided to take a phased approach to the implementation, which meant rolling out the system first at headquarters, then to department components such as the Transportation Security Administration and then to legacy systems users. “It’s much more manageable for us to be on our own with the way we’re implementing this,” Sjoberg says.

But it’s not easy. Like any other agency, DHS initially faced numerous challenges, not the least of which was managing progress while waiting for officially selected technologies to be certified — many of which did not receive the designation until just a few months before the most recent Oct. 27, 2006, milestone.

DHS has managed the challenges by recognizing and implementing a series of lessons learned and best practices that will be published soon. Among them: Limit the scope of your implementation to what is necessary to meet Office of Management and Budget requirements, but prepare to take advantage of any opportunities to piggyback additional technologies, processes or programs that will improve security operations in the future. Also, Sjoberg suggests, agencies should set tighter milestones than OMB dictates.

“There are so many moving parts to this process that you really can’t anticipate what issues you might be coming up against,” Sjoberg says, noting that the strategy helped DHS beat the recent milestone by a week. “So build in that extra cushion as a way to guard against that unexpected problem that will suddenly throw you off track.”

Finally, Sjoberg says, be willing to ask for help. Even though DHS is taking a standalone approach, its representatives sit in on several multiagency HSPD-12 committees. “Just to see where other agencies stand, what challenges they’re facing and how they’re dealing with them, that is extremely valuable to us,” she says. “Everyone can use a little advice now and then.”

Lean on Me

The State Department had planned and was on course to tackle HSPD-12 on its own. But when officials from the U.S. Agency for International Development (USAID) and the Peace Corps asked if they wanted to work together as a team, the larger and better-equipped State decided to accept their offer.

“When you’re trying to come up with a brand-new recipe, I think it’s better to have more cooks in the kitchen working together,” says Tony Mosley, branch chief for Domestic Management and Engineering within the Office of Diplomatic Security at the State Department.

Photo: Randall Scott

“When you’re trying to come up with a brand-new recipe,
I think it’s better
to have more cooks in the kitchen working together,” says State’s Tony Mosley.

Clearly, though, the two smaller agencies stood to benefit the most from the arrangement, says Steve Stasiowski, chief of the Emergency Preparedness, Plans, Training, Exercise and Physical Security Division at Peace Corps.

“For an agency our size, the technology we needed to implement and the problems we had to solve just really cried out for expertise that nobody here could really provide,” Stasiowski says.

State had developed smart-card technology for physical and logical access in 1997 and, because of its highly sensitive mission, had plenty of experience vetting personnel, capturing fingerprints and utilizing ID cards. But, Mosley acknowledges, HSPD-12 presented new, difficult challenges, such as meeting stringent requirements for storing fingerprints and ensuring privacy, juggling short timelines and incorporating approved technology from the General Services Administration and the National Institute of Standards and Technology.

Once USAID and Peace Corps came on board, they were brought into State’s established working group for weekly meetings to work on solutions. And the newcomers added value almost instantly, Mosley says. In figuring out how to implement enrollment and clearance processes in field locations around the country, for example, the group used Peace Corps as a model, he says. “That allowed us to put a straw man together on how we would implement this in a wide-area network configuration at a later date, and that helped us figure out things like how to push and pull data, how to capture fingerprints, how to protect the data in transmission from Point A to Point B.”

Besides allowing Peace Corps and USAID to meet their HSPD-12 milestone on time and providing “a huge stress reliever,” according to Stasiowski, the teaming arrangement has offered other tangible benefits.

For instance, the two smaller agencies were able to use State’s systems integrator and leverage the already developed design implementation plan, which saved months of time and effort. The multiagency approach also meant all three agencies could enjoy economies of scale in buying equipment.

Most important, though, the arrangement has resulted in State acting as a kind of HSPD-12 application services provider (ASP) for Peace Corps and USAID. The two agencies’ card programs will ride on State’s networks, and State personnel are managing all the servers, back-end applications and security. “All we have on our end are enrollment and issuance terminals, and all the data goes directly to State,” Stasiowski says. “Our security guys are really happy that they don’t have to be involved. It just makes our lives incredibly easier.”

Stasiowski highly recommends that smaller agencies find more technically inclined partners but adds a caveat: A key element to an effective team approach, he says, is a meshing of mission and culture. “Our operations just tie in so well with State’s operations that it just made eminent sense for us to work together,” he says. “The closer you can find that alignment in a partner, I think the more successful you’ll end up being.”

One Size Fits All

Outsourcing HSPD-12 requirements is an option. For agencies either tiny or large with a dearth of technical resources, or those that would rather focus attention on mission-related tasks, it is probably the appropriate option. The staff at the National Business Center can certainly testify to that: With their administrative expertise and the technical help of contractor Lockheed Martin, NBC helped all 20 of its HSPD-12 clients — including the Interior Department — meet the Oct. 27 milestone to begin issuing cards.

“Bottom line: The cost efficiencies and expertise that result from relying on economies of scale and partnering makes it a lot easier on everyone,” says Donald Swain, NBC’s chief of staff.

This is not to say that agencies can simply drive up and drop their HSPD-12 problems at the door, Swain says. Agencies still have plenty of responsibility in a shared-services approach, including coordinating agency efforts on business plans, security and roles; providing demographic and statistical information to determine the best location for employee enrollment and card issuance offices; participating in user group meetings; detailing unique requirements; and providing any information needed to assess their current facility and information security infrastructure for upgrades. And of course, they need to bring their checkbooks.

By relying on shared services instead of their own in-house personnel, agencies can clearly save money, time and headaches — and ensure that the job gets done. NBC provides a centralized infrastructure and network connections for the identity management system and card management, as well as digital certificates and all equipment necessary for sponsorship, enrollment, adjudication, card issuance and card lifecycle management. It also offers enrollment and issuance services, does all work on the Exhibit 300 business cases, ensures that effective cybersecurity controls are in place and provides overall program management.

Swain notes that many agencies are piling on the potential benefits by coupling their HSPD-12 implementation with NBC’s Human Resources Line of Business offering. “It just adds to the efficiency that you can create because we can then help with onboarding and offboarding of employees and all the issues around position classification, employee relations, equal employment opportunity rules and the like,” he says. “It becomes sort of a package deal.”

Although NBC and GSA compete for agency business, Swain and his colleagues recognize that HSPD-12 collaboration on an even greater scale would be a boon for everyone. “We are actually looking for ways to partner with our fellow shared-services centers to make it even easier for agencies,” he says. “Anything that we can do to provide the lowest possible cost to meet this requirement is a good thing.”

A Helping Hand — and Mind

Eric Stout has become famous in federal circles for being anonymous. Joe Anonymous, that is: just your typical employee at a generic government agency. Stout, chief of the Personal Identity Verification Branch Division with the Office of Security and Emergency Planning at the Housing and Urban Development Department, took on the alter ego when he first began collaborating with other agency personnel who were grappling with HSPD-12 issues.

This informal band of early and desperate implementers, which started at about six people from three agencies and quickly grew to more than 150 people from 35 agencies, took collaboration to a new level, Stout says. “We bounced ideas off of one another and shared everything we had: working papers, drafts, diagrams, anything to help each other out,” he recalls.

Beneficial or not, HUD did not want any official documents released in draft phase. Stout was bent on helping his new HSPD-12 friends, however, so he took his documents — which included budget justifications, cost estimates, privacy impact assessments, and some checklists and scorecards — scrubbed them of any reference to his agency and made them completely generic. Eventually, implementers in more than 100 agencies took advantage, using Stout’s documents in whole or part in their own HSPD-12 efforts.

And the informal working group that Stout — along with Lolie Kull of the Homeland Security Department and other key people — fostered would eventually have an even larger impact. The group’s collaborative efforts and idea to band together to develop processes and buy equipment was so well received that they inspired the General Services Administration — and later the National Business Center — to offer a shared-services approach to HSPD-12.

Chicken or Egg?

Until now, public-key infrastructure (PKI) technology has not fulfilled its promise as a secure authentication method within the federal government — but that’s finally about to change, thanks to
HSPD-12, says Tim Polk, a computer scientist at the National Institute of Standards and Technology.

Agencies wanting to deliver PKI applications have faced two major impediments. One, the owner of the project has to justify paying for PKI on top of the application being built, which drives up perceived costs, and two, PKI works optimally when multiple organizations are involved.

These two hurdles have posed a kind of chicken-or-egg dilemma for widespread technology adoption, Polk says. The funding issue has made it impossible for PKI to get under way on any real scale, and the lack of multiple PKI users makes it difficult, if not impossible, to get funding for PKI projects.

The HSPD-12 mandate resolves this Catch-22 because it requires that each personal identity verification (PIV) card contain at least one PKI certificate and the corresponding private key.

“Basically, you’re replacing passwords with PKI,” Polk says. “And that clears up a lot of problems, because instead of trying to justify paying for PKI, you now have a community of users that will have at least one certificate for authentication.”

Most agencies, he adds, are also taking the opportunity to deploy digital signature certificates, which are used for signing e-mail documents and online contracts, and key establishment certificates, which are used when encrypting e-mail or other protocols. And since most agencies are adding the functionality now, ultimately all of them will.

“The ones that don’t immediately get the other two certificates will find that their employees won’t be able to participate in certain kinds of applications and, since no one wants to be disenfranchised from things that everyone else is doing, the momentum and incentive to adopt will definitely be there,” Polk says. “Eventually, I expect that PKI will get to where it’s pretty much ubiquitous throughout the federal government.”

HSPD-12 also is likely to jump-start the widespread use of two other technologies:

• Remote Access: Agencies not comfortable with passwords will be able to use PIV cards to more securely authenticate remote-user access to virtual private networks. Another bonus: PKI certificates — unlike passwords — don’t have to be issued or managed.

• Workflow: PIV cards can provide a more secure mechanism for authenticating users to different areas of workflow systems.
What’s more, if agencies also add a digital signature certificate to their PIV cards, they’ll have an even stronger mechanism to verify exactly who approved what. “Because a user actually ‘signs’ the document, they can prove that it is their version and that the data has not changed,” Polk says.