Making Up For Lost Time

Agencies failed to meet the first deadline for HSPD-12. Now they need to get on the ball.

By Oct, 27, 2007, federal agencies were supposed to complete background checks for employees with 15 years' or less experience and begin issuing new identity cards. None met the deadline.

So now what?

That's the question many agencies are struggling with as they plan for the next deadline. Under Homeland Security Presidential Directive 12, issued in 2004, new identity cards must replace the standard employee flash-card badges by Oct. 27, 2008. The credentials, which include biometric information such as fingerprints, will provide a common identification standard to allow employees and contractors to access federal buildings and computer networks.

The Office of Management and Budget set a number of milestones to drive adoption, but progress has been slow so far. By the 2007 deadline, about 1 percent of the 1.9 million federal employees and 591,358 contractors had been issued cards. That leaves many agencies scrambling.

"Everyone is viewing milestones as the target dates-as if when they hit those dates, they're done," says Karen Evans, administrator of OMB's Office of Electronic Government and Information Technology. "But HSPD-12 activities and implementation are never going to be done. Milestones are just output indicators. Our goal is to get all processes ingrained so agencies can be cranking out credentials on a daily basis. That's what done means."

To get there, agencies first need to evaluate where they stand. As of the October 2007 deadline, 97 percent of federal employees and 79 percent of contractors had completed the required background checks. Much of the holdup in the second piece of the mandate-issuance of cards-was due to technical challenges in integrating with support systems. Those systems must maintain the data and provide interface with enrollment and issuance functions.

Many of the technical issues have since been remedied, Evans says. Still, before any mass production of cards, agencies should ensure that the issuance process is the least disruptive to employees and daily operations. Those steps could vary among agencies.

"Are they using the managed service from GSA or did they grow an issuance process in-house? Are they geographically dispersed or concentrated in relatively few geographic areas? Do they have a program in place to use the cards or will usage come later? The business process has to be well thought out in order to minimize the length of the interaction with each employee," says Robert Brandewie, senior vice president for public sector solutions at ActivIdentity, a Fremont, Calif.-based identity assurance product vendor. As former director of the Pentagon's Defense Manpower Data Center, Brandewie was architect of the Common Access Smart Card system.

So, who stands out as an example for agencies? Aside from the Defense Department, which was able to leverage the infrastructure and processes already in place from its smart card program, Evans says the Labor Department is making the most progress. By the first deadline, more than 60 percent of Labor employees and contractors had been issued cards; that percentage presumably has gone up in the months since, though current numbers have not yet been released.

Labor's success is due largely to a gradual rollout among the 19,000 employees and contractors eligible for credentials, located at 571 facilities in more than 400 cities. The department deployed infrastructure to nine regional centers first, issuing badges to staff within a 10-mile radius, followed by eligible personnel who traveled to the centers on official business, and finally contractors. Labor now is focusing on finishing enrollment and issuance at the national office in Washington as well as integrating the new credential management system with the access control system already in place.

The Education Department also is taking a gradual approach to rolling out HSPD-12. In 2005, the department developed plans for conducting background checks on its 4,452 employees and 1,004 contractors, though technical issues with existing networks slowed progress on issuing cards. For example, the department could not complete the certification and accreditation of the computer systems that would store the data, says Winona Varnon, director of security services at Education. Theoretically, the department could have moved forward without the official mark of approval to avoid delays, but she says, that was never an option-deadline or no deadline.

"Certification and accreditation was time-consuming, but well worth it," Varnon says. "If agencies are housing information, they have to make sure it's accurate and protected." The department juggled funding until all components could be procured, and then had to retrofit and upgrade identity access systems to meet HSPD-12 standards. Other delays occurred in June 2007, when guidelines for the information stored on the cards changed.

Despite such holdups, Education managed to issue cards for nearly all employees and contractors at headquarters, and plans to issue all remaining cards-including 987 for workers in field offices-between January and March 2008. While not quite on schedule, the department has had an easier time handling the challenges because it prioritized groups of employees.

Beyond a gradual approach, agencies need to streamline implementation for the long term.

Procedures should be clear, and involve various offices within the agency. HSPD-12 can't rest solely in the laps of chief information officers. "The major hurdles are no longer [about] technology," Brandewie says. "Planning the logistics of the implementation and involving executive management in both resourcing and guidance that will encourage employees to enroll. This is a challenge that can no longer be limited to involvement of the technology [group]. It must involve other communities, perhaps with a tiger team approach."

Human resources could perform background checks and maintain a central database of employee information, for example, while the procurement group manages logistical support and card purchasing, and the technology office-perhaps with help from industry-oversees integration and upkeep of systems.

The Veterans Affairs Department, for example, tapped EDS to support the implementation and deployment of HSPD-12 cards to more than 200 medical and benefit sites nationwide. EDS also provides training for the VA officials issuing cards, and establishes warehouse, staging and shipping facilities.

"As long as the focus remains on the card issuance, it [will be] much harder for information technology executives to get their arms around all the activities that have to happen to reach the goal," Brandewie says. "We have to move beyond issuance to usage-now."

Of course, no plan will succeed without employee cooperation. Agencies should provide adequate information and respect people's time by making card issuance as painless as possible. Results will improve as the process becomes more ingrained. When Evans first registered for her card, it took more than 30 minutes; now, OMB employees can complete the process in half that time.

"The credibility of this program is going to [depend on] trust from the contractors and employees that the card has meaning," she says. "If you make the process efficient, customer-oriented and convenient, they won't mind. And then they'll ask questions. 'How do I use it? And what's the next step?' "