The ID Nightmare
It's coming in three months and almost no one is ready.
The biggest governmentwide technology mandate ever takes effect before Halloween, but little of the necessary infrastructure exists. By Oct. 27, according to an August 2004 presidential directive, agencies must begin issuing interoperable smart card identification badges to new employees and contractors, designed for entry into buildings and access to computer systems. Eventually, everyone regularly working inside a federal agency must get one. The cards will carry a digital unique identification number, scanned fingerprint data protected by a separate personal identification number that employees would memorize and a digital certificate guaranteeing the card's authenticity.
But a growing chorus of managers charged with implementing the mandate says the deadline is impossible to meet. Though Homeland Security Presidential Directive 12 only requires agencies to begin issuing badges to new employees and contractors (existing employees come later) by Oct. 27, even that requirement is tough. Money, bureaucratic hurdles and squabbles, and timing all present problems. "There are still a lot of unanswered questions," says an agency chief financial officer. Like many people contacted about HSPD 12, the official said he could speak frankly only if granted anonymity.
Doubts about the new smart cards go beyond money and implementation. Some wonder whether the mandate will achieve its stated goals of better security and interoperability. The one hard and fast requirement is for agencies to issue cards, not necessarily to use them any differently from current ID badges. "It's a risk-based assessment based on what the agency feels is appropriate for their facility," says Karen Evans, Office of Management and Budget administrator of e-government and information technology. Agencies might never have to install card readers for physical access. If they decide their cybersecurity measures are adequate without HSPD 12 ID readers attached to computers, they don't need to add them. "We're in a wait-and-see mode," says an agency chief information officer. "As long as it's got a significant marginal cost, we've got to ask ourselves, does it have a significant marginal benefit?"
Paying for the new cards and all the equipment and software necessary to read them is the inevitable first sticking point. Although agencies can postpone or skip buying much of the infrastructure to allow them to take full advantage of the new badges, failure to issue the cards is not an option. OMB says the government has all the money it needs. Agencies already pay for some type of employee identity badge. Use that money for the cards, OMB says.
Agencies aren't buying it. "It's another unfunded mandate," fumes an agency CFO. "If [OMB] wants something done, they need to bring the funding to the table." The new cards will cost more than the ones the agency currently issues, the CFO says. Others join in the skepticism. "We were a little concerned with the OMB theory of funding - I'll call it a theory," said John de Ferrari, a Government Accountability Office information technology analyst, speaking at a Government Executive-sponsored breakfast earlier this year. OMB's reasoning that existing identity management budgets are sufficient might make sense in a steady state, but doesn't account for upfront spending, he added.
As a result, some agencies are cutting other programs to support HSPD 12 - postponing information technology projects, trimming travel budgets or slicing into already lean administrative overhead budgets. Other agencies will try another tactic - deliberately miss the deadline and use the resulting negative inspector general audits as a means of forcing out money, says an agency manager. "We'll see how people play the game here the next six, eight months; it ought to be fun," he adds.
Even conscientious agencies likely will struggle to meet the deadline. In a move to ensure vendors' equipment is interoperable, OMB requires agencies to shop for HSPD 12 technology from a list of approved products certified through the National Institute of Standards and Technology and separately approved by the General Services Administration. GSA did not begin testing products until early June, however. Sources say the agency struggled to finalize its approval criteria, sowing confusion among companies attempting to comply with shifting timelines and requirements. The agency "keeps finding areas that need further clarification," says a private sector official.
OMB also strongly encourages agencies to buy their equipment through GSA. Officials at GSA said approved products would be on the information technology schedule by the end of June, but even they expressed uncertainty. "Will we make everything by then? I don't know," said John Sindelar, acting administrator of GSA's Office of Governmentwide Policy, in late May.
"I do know it's feasible," says an information technology company vice president, speaking of the end-of-June goal. "You've asked [is it] 'likely?' GSA is mighty f----d up."
A GSA official says the contracting office is doing its best to ensure that products make it quickly onto the IT schedule: "We're going to abbreviate everything we can to get these products up quickly, but we've got to follow certain rules because if we don't, the inspector general and the GAO will come in and shoot us."
Regardless of whether everything goes well at GSA, agencies aren't sure they can get orders for the equipment to their procurement shops in time. Procurement offices usually stop taking new orders in late summer as the fiscal year draws to a close. Even before then, agencies begin searching for unobligated money to make sure it will be spent prior to Sept. 30, lest the funds expire. But setting up an HSPD 12 acquisition will take extra time, they say. Before buying anything, many agencies will want to do their own product testing, a process that could take weeks to months. "Have you ever found a product that always works in your environment?" says one manager. "You don't know until you plug it in.
"If you're not queued up right now-and it's kind of hard to be queued up when you don't know what you're buying and what it costs-then how are you going to lock up the money in your agency's spending plan?" the manager adds.
A great number of agencies have pinned their hopes on outsourcing the entire process. Sending a check to the Interior Department's National Business Center to handle it all would be the easiest and best solution, says another agency implementation manager. But in addition to the usual problems of inter-agency accountability and fears of lost control associated with service centers, HSPD 12 presents a unique challenge to the service center model.
Initial demand for the cards will be high while agencies catch up on the backlog created by having to badge every civil servant and contractor. But demand will drop off as agencies issue badges only to new employees and contract workers. "Our business model is assuming that [downturn] will occur," says Doug Bourgeois, director of the National Business Center, which is considering adding HSPD 12 services to its portfolio.
Complications ensue because, despite the anticipated decline in demand, the government still must maintain a fixed number of card enrollment and issuance locations for employees nationwide. Even after the bow wave of demand dissipates, that infrastructure must remain in place. But, "When the volume drops off, your costs become almost cost prohibitive, on a unit basis," Bourgeois says. Also, employees staffing the issuance stations must be civil servants-not contractors who can be laid off when expenses need taming. "There really hasn't been an option put on the table for how to deliver those services economically" after the volume drops off, he says.
Deadline preparations weren't made easier when OMB and GSA dissolved an HSPD 12 interagency working group in March, according to many agency officials. It was "a forum for cats and dogs people from the agencies, not high-level people - implementation people, worker bee people," says a federal manager. Its replacement is an OMB-sanctioned executive steering committee, which another agency official characterizes as bureaucratic. "They're focused on 'Are we checking the boxes?' " the manager says.
But the move was necessary, says Sindelar, a member of the executive committee. "We had a number of working groups doing fine work, but in some cases it was redundant." Members of the disbanded working group say they've quietly reformed it, albeit on a smaller scale - no charter, no more issuing meeting minutes. "We're just going to get together and slug it out," one official says.
As they outfit their facilities to use new cards, agency officials are finding unanticipated challenges. Seeing as the cards are an inescapable expense, "I better darn well have card readers to improve security," says an agency CFO. After all, asks another agency official, what good are the cards without readers to access their data? But the cards' standardized design all but ensures their extra physical security features often will go unused.
NIST standards require the badges' microprocessor to include a radio antenna transmitting a unique identification number so cards can be read almost instantaneously as they are passed by readers. But the biometric information on the HSPD 12 cards - "templates" of two of each employee's fingerprints - can be accessed only by placing the card into a slot and punching a PIN into a keypad. After verifying the PIN, the card would allow the badge holder's identity to be authenticated by comparing a live fingerprint to the data stored on the badge chip. Privacy concerns dictate that biometric information never should be transmitted through the card antenna, for fear it could be surreptitiously intercepted. But that time-consuming process makes the biometric data all but unusable anywhere but lightly trafficked areas or highly secure and infrequently accessed areas.
It takes seconds to insert a card into a reader, type a PIN and place a finger on a reader - assuming employees correctly remember their PINs. "Just under a second for a transaction is acceptable for a choke-point door," says Mark Visbal, research and technology director at the Security Industry Association in Alexandria, Va. "If I get much more than that, I start getting lines behind me." The prospect of employees waiting in long lines every day just to enter their office buildings makes it unlikely that agencies will authenticate biometrics at many entry points.
What's more, agencies already using computerized identity badges likely will have difficulties with even the wireless part of HSPD 12 cards. When a badge reader unlocks a door, the reader interacts with a physical access control system - hidden and secure circuitry meeting stringent standards of energy consumption, heat output and interoperability with the fire alarm system so it can continue operating during emergencies. Some control systems have been around for 20 years, and the majority - about 70 percent, according to the Security Industry Association - operate on a data protocol called Wiegand. Most Wiegand protocol control panels can't process more than 26 bits of data.
But the unique identification number stored on HSPD 12 cards is 10 orders of magnitude larger, about 3,379 bytes. New card readers could trim the data stream flowing from cards to the physical access panels to between 48 and 75 bits, but even that's too much for most Wiegand panels, according to SIA. Badge designers appear to have assumed that physical access control systems were like computers, "that you could just upgrade the software and upgrade the memory and you'd be good to go," says SIA's Visbal. Not so, he adds. The microprocessors in today's panels are specialized and not easily replaceable. Most agencies are going to need new panels, he says.
In the short term, agencies dependent on Wiegand can get around the expense of replacing it by inserting into their new HSPD 12 badges an extra chip attuned to the 26-bit protocol. But the cards ultimately must be interoperable across government, so agencies with existing technology will have to replace it with HSPD 12 standardized equipment down the road. As long as extra chips, rather than the card's standard contents, are unlocking doors, there's no interagency compatibility.
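The 26-bit limit is easier to see in code. The sketch below is an added example, not part of the original article: it assumes the commonly used 26-bit Wiegand layout (an 8-bit facility code and a 16-bit card number between two parity bits), which the article does not spell out. The function names and the two 48-bit identifiers are constructed for illustration.

```python
# Added illustration, not from the article. Layout of the common 26-bit
# Wiegand frame, first bit to last:
#   bit 0       even parity over bits 1-12
#   bits 1-8    facility code (8 bits)
#   bits 9-24   card number (16 bits)
#   bit 25      odd parity over bits 13-24
FRAME_BITS = 26


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit frame as a string of '0'/'1' characters."""
    if not 0 <= facility < 2**8:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < 2**16:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility:08b}{card:016b}"
    left, right = payload[:12], payload[12:]
    even = str(left.count("1") % 2)        # first 13 bits hold an even number of 1s
    odd = str(1 - right.count("1") % 2)    # last 13 bits hold an odd number of 1s
    return even + payload + odd


def decode_wiegand26(bits: str) -> tuple:
    """Return (facility, card) or raise ValueError, as a 26-bit panel would."""
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise ValueError(f"panel expects exactly {FRAME_BITS} bits, got {len(bits)}")
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        raise ValueError("parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def panel_accepts(bits: str) -> bool:
    """True only for a well-formed 26-bit frame."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


def squeeze_into_frame(identifier: int, facility: int) -> str:
    """Hypothetical workaround: keep only the low 16 bits of a longer ID."""
    return encode_wiegand26(facility, identifier & 0xFFFF)


if __name__ == "__main__":
    frame = encode_wiegand26(42, 12345)
    print(frame, decode_wiegand26(frame))
    # Constructed 48-bit identifiers that differ only in their high bits.
    id_a, id_b = 0x000100003039, 0x000200003039
    print("48-bit frame accepted:", panel_accepts(f"{id_a:048b}"))
    print("distinct IDs collide:",
          squeeze_into_frame(id_a, 42) == squeeze_into_frame(id_b, 42))
```

With 24 payload bits, a panel can tell apart at most 16,777,216 facility and card combinations, so any scheme that cuts a longer identifier down to fit must map different cardholders to the same frame.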
"If a federal employee walks in and he turns out to be somebody other than who he says. . . . and he blows up a building, then all the criticism we get for this will stop," says GSA's Sindelar. And the new badges do offer a greater degree of security, says Ron Martin, a Commerce Department security specialist. While regular reading of employee fingerprints at main entry points would be excessive at most federal buildings, people of questionable identity-someone who looks different from their badge photograph, for example-could be taken aside for fingerprint validation, he adds. But without checking everyone's fingerprints, what's to prevent somebody from flashing a stolen card and gaining entry past less-than-attentive guards, or no guards? "Nothing," Martin says. "Somebody can take my card and, based on the parameters of my card, come in through a door."
A more sophisticated interloper could simply forge a card, complete with a duplicate copy of an employee or contractor's unique identification number. The number isn't encrypted, meaning anyone who has a card and a reader could download it.
"There's no strong technical protection measure to prevent that," says Bill MacGregor, NIST's personal identity verification program manager. Such a cloned card could not duplicate the digital certificate all badges must carry in order to guarantee authenticity-but most agencies probably won't regularly check for the digital certificate, says Curt Barker, chief of NIST's Information Technology Laboratory computer security division. Doing so would add processing time to the wireless readers, although technology improvements within the next few years might reduce it, MacGregor adds.
Agency officials unwilling to slow entry into their buildings, but who still want the kind of physical security that comes with biometric identification can work around HSPD 12 standards, says Walter Hamilton, chairman of the International Biometric Industry Association in Washington. But in the process, they'll likely compromise interagency interoperability. For example, agencies could upload biometric data directly into the physical access database, triggering a challenge whenever a wireless card reader detected an employee's card-transmitted unique identification number. That would bypass the keypad PIN requirement for unlocking the biometric data contained on the HSPD 12 card, Hamilton says. "Does that sound like it's circumventing the rules? Well, that's for the agencies to decide," Hamilton adds. The agency's uploaded biometric identifier wouldn't even have to be the two fingerprint template data included on the card. Fingerprint templates are not necessarily the most accurate of biometric identifiers.
Universal interoperability never was supposed to mean universally acceptable, OMB is quick to stress. Each agency always will retain the power to accept or reject those who seek entry into its buildings. But if agencies design a security system only loosely based on HSPD 12 cards, even when they grant advance permission for another agency's employee to enter, extra steps would be required. A security system based on biometric information up-loaded directly would require everyone seeking regular access to upload their biometric data into that system. The new badges would become interoperable only at specially monitored entry points-not in daily operations, Hamilton says.
Of course, it's unnecessary to look to the future for challenges to interoperability. Just check in at the Defense Department, where about 3.5 million smart cards are at work, based on technology developed long be-fore HSPD 12 came about. "We're dragging five years of infrastructure behind us," says Mike Butler, director of the Defense's Common Access Card program. "I can't just completely go to a new standard."
Defense officials emphasize they will comply with the Oct. 27 deadline to start issuing new HSPD 12-compliant badges. They're able to say so because NIST guidelines allow agencies that previously invested in smart card technology to adopt a "transitional" technology standard-one incompatible with the end state that the majority of agencies will adopt, but harmonious with CAC infrastructure. But, "That does leave us with the question of ultimately getting all the agencies together, and the date and time frame of that is not yet set," says GAO's de Ferrari.
Defense officials say they have no choice but to take a measured approach to interoperability with the rest of the government. It would be impossible to jump straight to the governmentwide end state, Butler says. About 2.2 million Defense computers require CAC to log on, some of them floating on ships at sea. The middleware on those CAC-protected computers can't understand end state code, and swapping out the middleware is a strenuous process. The last time Defense issued a CAC middleware patch, it took nine months to completely install. Plus, there's no way that the department could replace 3.5 million cards in one fell swoop.
"For physical access by itself, nobody can justify going from a $1.50 card to a $12 card," says an agency implementation manager. "It isn't changing anything. It's just another technology doing the same thing." In any event, attacking a federal building or government employees hardly requires getting past an entry point. Terrorists have driven truck bombs into federal buildings, crashed planes into them and have shot civil servants while parked in cars on the roads leading to their workplace-all with nary a thought to IDs.
But that's not to say investment in the cards will be squandered, if agencies know how to take advantage of them, a federal manager says. To get their money's worth, however, they will have to use the cards for computer access and look beyond compliance standards to other badge applications, he adds. User authentication for computer systems is more forgiving of a seconds-long verification process-it already takes longer than that for a desktop operating system to warm up. Even if the cards ward off a just a single major data loss, implementing them would be worth it, says an agency official. If the laptop containing personal information on 26.5 million veterans recently stolen from the home of a Veterans Affairs Department employee had required an identification card and a live biometric read just to log on, there would have been no crisis.
But adding card readers to computers requires expensive equipment and software, and it's difficult to get money. "You've got to have a problem in order to spend that kind of money," says an agency chief information officer.
Imaginative uses truly will reveal the benefits of the cards, say some officials. For example, rather than requiring employees to visit special offices to get parking passes, why not simply pop an HSPD 12 card into a machine, asks one federal manager. That would cut down on administrative tasks, eliminate personnel and wipe out the expense of extra card stock. "There's things here beyond the surface . . . but you haven't reinvented your business processes yet to think about," the official adds. The real value of HSPD 12 "is using the technology for business processes, not just as a physical and [computer] security tag, even though that's the current intent."