Much has been done but still a long way to go
As government documents go, “Homeland Security Presidential Directive 12” wasn’t very long – 717 words to be exact.
But length isn’t any indication of influence, as a decade later the directive’s impact is still being felt throughout the identity market and is showing no sign of slowing. HSPD-12 called for standardized credentials for physical access to facilities and logical access to secure computer networks. It came in the wake of the September 11 attacks as the nation struggled to guard against an uncertain future and an unknown foe.
Since the directive was signed in August 2004, almost 5 million credentials have been issued, covering 96% of executive branch employees and contractors. The smart card specification born out of HSPD-12 is known as FIPS 201. It is now on its third iteration.
“The directive mobilized an entire security industry,” says Randy Vanderhoof, executive director at the Smart Card Alliance. “More than just the smart card credentials themselves, which was huge on its own, the directive altered the path of the identification and card issuance infrastructure that sits in front of the ID card, as well as the physical and logical access ecosystem that had to adapt to the cryptographic and biometric features of the credentials.”
HSPD-12 ushered in a culture change for the executive branch of the U.S. government, and it paved the way for other identity initiatives including the National Strategy for Trusted Identities in Cyberspace.
It’s not all a rosy portrait though. A decade in, use cases for the credential are few and the electronic functionality of the smart card is limited. Some agencies still look at smart cards as an “unfunded mandate” and more trouble than they’re worth.
The latest version of FIPS 201 will enable derived credentials on mobile devices, though exactly how this will be done is still being determined. This may be the advancement that enables more applications for the credentials, as tablets and other mobile devices are becoming de facto computing devices for federal employees.
It’s not perfect
Rolling out smart cards throughout the executive branch of government hasn’t been an easy or perfect process, says Tony Cieri, leader of the U.S. government’s smart card-focused Interagency Advisory Board. Cieri is on the front lines of government smart card projects and has been an advocate of the technology since the pioneering U.S. Navy projects in the 1990s.
“The real question is, are we better off than we were 10 years ago and has anything changed?” asks Cieri. He says yes.
The FIPS 201 standard, its numerous supporting special publications, and the processes and infrastructure put in place are all positive developments, Cieri says. “When you gauge the success of this, look at how many things had to be done and what the landscape looked like in 2004 versus where we are now,” he explains. “A lot has been done.”
While the infrastructure and groundwork are in place, Cieri admits he would like to see more applications for the personal identity verification cards, or PIV cards. “I would like to see the PIV used in many more ways,” he adds.
July event to commemorate HSPD-12
The Smart Card Alliance is planning a one-day event to commemorate Homeland Security Presidential Directive-12.
The “Government Conference Special Edition Event: Celebrating the 10th Anniversary of HSPD-12,” held with support from FICAM and the Interagency Advisory Board, will take place on July 31 at the Marriott Metro Center Hotel in Washington D.C.
The event commemorates the government-wide security directive signed by President George W. Bush in August 2004. The directive standardized the identity and credentialing efforts of government agencies and resulted in the FIPS 201 smart card standard and the PIV credential.
Speakers will review identity and security advances over the past decade, as well as look at future developments for PIV credentials including their use on mobile devices and cloud systems.
In addition to the main program, a small vendor showcase will enable attendees to learn about products and services fostered by HSPD-12.
Learn more or register online at SmartCardAlliance.org.
And these applications are coming. The latest General Services Administration guidelines for physical access control call for all new systems to use the PIV. The Department of Defense is also in the process of rolling out a physical access control system that uses the Common Access Card. “This isn’t about changing technology, it’s about changing culture and acquisitions,” Cieri says.
But HSPD-12 has also changed the technology. FIPS 201 and the PIV are considered by many to be the “gold standard” for identity credentials, says Jeremy Grant, senior executive advisor for Identity Management at NIST. Grant was working on government smart card projects at system integrator Maximus when the directive was enacted.
Many government agencies had smart card projects deployed, but HSPD-12 and FIPS 201 brought them to another level, Grant says. “It helped accelerate the pace of government smart card deployments and set a standard approach for agencies to tackle these projects,” he explains.