Starting October 27, information technology pros in U.S. government agencies will be charged with beginning the implementation of security systems in which federal employees and contractors use new biometric smart cards.
The cards, which will provide unified physical access to government buildings and to information in computer systems, are mandated under the Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. Each will combine biometric data, i.e. fingerprints, with an employee's photo and PIN number, as well as a government PKI certificate.
Whether most federal agencies will be able to meet the October deadline to begin handing out cards is doubtful, say some analysts.
"Many of them will be pilots and prototypes at that point, then the really hard work starts after that," said Gregg Kreizman, research director with Stamford, Conn.-based analyst firmGartner Inc. He estimates roughly half of government agencies will make the October deadline.
While experts praise the HSPD-12 initiative as a good idea, many doubt the ability of agencies to achieve such a sweeping security system overhaul in the fairly short time frame allotted.
"It involves all disciplines of security, everything having to do with a person and their credentials. It's unprecedented," said Kristin Parker, senior associate at McLean, Va.-based management consulting firm Booz Allen Hamilton Inc. She estimates it could take five to 10 years for everyone to have smart card systems in full operation.
A March 2006 survey of government systems integrators by RSA Security Inc. found lack of funding and technical interoperability problems to be the two key obstacles.
"Agencies like the DOD have been issuing smart cards for years, said Shannon Kellogg, director of government and industry affairs for RSA, which makes FIPS 201-compliant products. "But there are a lot of others that are scrambling pretty hard."
Products meeting the Federal Identity Processing Standard, publication 201, (FIPS 201), the standard that delineates personal identitiy verification requirements for government employees and contracts, have only recently become certified and available to agencies, shortening the time available for selection, testing and implementation. Some agencies may still opt to wait for more mature products.
"The fact that there are products available does not mean that those are the best products," said Dallas Bischoff, senior vice president for Authsec Inc., an identity and access management vendor based in Columbia, Md. "The technology will not be ready for broad-based deployment for at least another couple of months."
Cost is a big factor for smaller agencies. A smart card implementation requires card management software, card readers for doors and computer systems, credentialing stations for card production, integration with authorization, HR and access systems, and personnel to make it all work.
Parker said a single credentialing station for taking fingerprints, pictures and producing cards costs $50,000. The total tab for a complete system, she said, could run into tens of millions of dollars. Many agencies will be forced to wait for the government to certify shared service providers who can "rent" the hardware, software and labor for a fixed fee.
"It's just too hard [and] too expensive for smaller agencies to build an enterprise solution all by themselves," said Parker.
Once the prerequisite technology becomes more widely available, HSPD-12 is likely to have a trickle-down impact on the private sector. Among the first to be affected will be contractors who need access to government facilities or IT systems; they must comply with HSPD-12 just like the federal agencies. Eventually other businesses eager to merge physical and information access will likely adopt some or all of the procedures involved with HSPD-12, especially as it is more commonly supported by security vendors.
In the long run, HSPD-12 is expected to have a positive effect on the security industry.
"It's easier for the private sector to piggy back on what the feds have done, and it's easier for vendors to make things that fit one standard," said Kirk Brafford, vice president at Maximus Inc., an security systems integrator based in Reston, Va. "One of the reasons this market has not moved historically was because everybody was selling proprietary technologies. Now we have a set of standard specifications to build to, which facilitates the growth of this market."
Sue Hildreth is a freelance IT writer based in Waltham, Mass. She can be reached at Sue.Hildreth@Comcast.net.