By Marisa Torrieri, Contributing Editor
The Oct. 27 deadline is right around the corner, and federal agencies are scrambling to implement smart cards to comply with Homeland Security Presidential Directive (HSPD) 12. But for Shared Services Providers who provide the Public Key Infrastructure (or digital certificates) for Personal Identity Verification (PIV) cards, the game has only just begun.
Starting in October, more than 2,400,000 federal employees will be issued cards based on the FIPS 201 specification developed by the National Institute of Standards and Technology (NIST). Vendors who want a piece of the pie are extremely busy with every aspect of the card system, from the registration and card management systems to the card printing systems and the security credentials embedded within the cards. All FIPS 201 components must be tested and approved by the General Services Agency, the group designated by OMB as the executive agent for the acquisition of HSPD 12 products and services for use by federal agencies and federal contractors.
Right now, though, it’s the Shared Service Providers like VeriSign and Cybertrust who have special reason to be excited – and stressed – about the prospect of winning contracts to provide the digital certificates to agencies. The Office of Management and Budget’s August 5, 2005 memo, “Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors,” calls for all but a handful of federal agencies to obtain the digital certificates for their new smart access cards from pre-approved PKI SSPs.
The memo states that “Compliance with the Standard requires the activation of at least one digital certificate on the identity credential for access control.” This digital certificate (and any optional digital certificates on the identity credential) must originate from an “approved Shared Service Provider,” except where an agency already operated a “certification authority cross-certified with the Federal Bridge Certification Authority at medium assurance or higher by December 31, 2005.” (Grandfathered agencies include the Department of Defense, the Department of the Treasury and the Department of Homeland Security.)
Because agencies are at various stages of planning for this, “you have to be flexible,” said Nicholas Piazzola, vice president of government programs for VeriSign, a longtime shared services provider, at last month’s “Smart Cards in Government” conference. “There’s no standard approach for how a federal agency will implement HSPD-12.”
Different agencies take different paths to certificate issuance
Some federal agencies that already have smart card issuing systems, such as the Department of Defense, are working out how to migrate them to FIPS 201 compliance. Others are just beginning to think about their approach to implementation, said Mr. Piazzola.
Some agencies favor the DIY route, planning to acquire and manage their own HSPD 12 solution: outsourcing the PKI to a favored shared service provider while taking other pieces of the solution from different pre-approved vendors.
More often than not, though, PKI SSPs are teaming up with federal systems integrators such as Lockheed Martin Corporation or Northrop Grumman Corporation. These integrators are the large corporations that bundle all the PIV card system components (e.g., PKI, physical access, logical access) into one package for agencies that want to outsource most or all of their HSPD 12 solution.
Therefore, the time is ripe for new and existing SSPs to peddle their expertise – getting the word out about what they do in the hopes of beginning long-term relationships that will last for years to come.
“A lot of agencies still haven’t settled on a solution,” agrees Tom Greco, vice president of enabling infrastructures for Cybertrust, one of the major shared service providers working with federal agencies on the new FIPS 201 PIV cards. “What we’ve done is approach agencies individually. Word of mouth helps a lot, and we’ve been approached by a number of systems integrators.”
VeriSign, meanwhile, has given tutorials to about 20 agencies, says Mr. Piazzola. The demonstrations cover the digital-certificate enrollment process and the other steps needed for an end-to-end HSPD 12 solution. The company is touting its 10 years of experience delivering managed PKI across government and commercial industries.
Still other SSPs – and there will likely be more entering the playing field – are showing off other strengths and capabilities.
But time is certainly a factor, given the timelines established for HSPD-12 compliance. “There’s a lot of politics to this,” says Mr. Greco. “A lot of agencies want to play chicken with the deadline.”