Electronic Government: Additional OMB Leadership Needed to Optimize Use of New Federal Employee Identification Cards.
Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in August 2004, requiring the establishment of a governmentwide standard for secure and reliable forms of ID. The resulting standard is referred to as the personal identity verification (PIV) card. GAO was asked to determine the progress selected agencies have made in (1) implementing the capabilities of the PIV cards to enhance security and (2) achieving interoperability with other agencies. To address these objectives, GAO selected eight agencies that have a range of experience in implementing smart card-based ID systems and analyzed what actions the agencies have taken to implement PIV cards.
Much work has been accomplished to lay the foundations for implementation of HSPD-12, a major governmentwide undertaking. However, agencies have made limited progress in implementing and using PIV cards. The eight agencies GAO reviewed--including the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the Nuclear Regulatory Commission; and the National Aeronautics and Space Administration--have generally completed background checks on most of their employees and contractors and established basic infrastructure, such as purchasing card readers. However, none of them met the Office of Management and Budget's (OMB) goal of issuing PIV cards by October 27, 2007, to all employees and contractor personnel who had been with the agency for 15 years or less. In addition, for the limited number of cards that have been issued, most agencies have not been using the electronic authentication capabilities on the cards and have not developed implementation plans for those capabilities. In certain cases, products are not available to support those authentication mechanisms. A key contributing factor for why agencies have made limited progress is that OMB, which is tasked with ensuring that federal agencies successfully implement HSPD-12, has emphasized issuance of cards, rather than full use of the cards' capabilities. Specifically, OMB has set milestones that focus narrowly on having agencies acquire and issue cards in the near term, regardless of when the electronic authentication capabilities of the cards may be used. Furthermore, agencies anticipate having to make substantial financial investments to implement HSPD-12, since PIV cards are considerably more expensive than traditional ID cards. However, OMB has not considered HSPD-12 implementation to be a major new investment and thus has not required agencies to prepare detailed plans regarding how, when, and the extent to which they will implement the electronic authentication mechanisms available through the cards. Without implementing the cards' electronic authentication capabilities, agencies will continue to purchase costly PIV cards to be used in the same way as the much cheaper, traditional ID cards they are replacing. Until OMB revises its approach to focus on the full use of the capabilities of the new PIV cards, HSPD-12's objectives of increasing the quality and security of ID and credentialing practices across the federal government may not be fully achieved. While steps have been taken to enable future interoperability, progress has been limited in making current systems interoperate, partly because key procedures and specifications have not yet been developed to enable electronic cross-agency authentication of cardholders. According to General Services Administration officials, they have taken the initial steps to develop guidance to help enable the exchange of identity information across agencies, and they plan to complete and issue it by September 2008. Such guidance should help enable agencies to establish cross-agency interoperability--a primary goal of HSPD-12.
Categories: Government Operations, Contractors, Facility security, Federal employees, Government employees, Government facilities, Homeland security, Identification cards, Identity verification, Information systems, Personal identification numbers, Safety regulation, Safety standards, Security assessments, Security investigations, Security regulations, Security threats, Strategic planning
|Printer friendly Cite/link Email Feedback|
|Publication:||General Accounting Office Reports & Testimony|
|Date:||May 1, 2008|
|Previous Article:||Combating Terrorism: State Department's Antiterrorism Program Needs Improved Guidance and More Systematic Assessments of Outcomes.|
|Next Article:||Defense Travel System: Validity of Travel Payments Statistical Sampling in Question.|