Return to Article: Mandated 'smart cards' affect tech contractors
-
23939
The directive is titled as the Homeland Security Presidential Directive (HSPD) - 12 signed by President Bush on August 27, 2004. In essence this process is intended to replace the old userid and password concept in order to upgrade the overall functionality of eliminating the need for multiple userids and passwords for various systems within an organization. Some individuals view this process as the fabled Single Sign-On, whereby a user enters a single userid and password to gain access to all systems that they are authorized to have access to. It is interesting to note that this directive affects both the physical and logical access points. It is intended to supplement an organization's badging and password procedures for gaining access to installations, buildings, floors, rooms, systems, applications, databases and hardware components for maintenance activities. The only thing not mentioned is the fact that HSPD-12 may incorporate Biometric materials that constitute a HIPAA requirement for all access points that will in essence eliminate the need for the FIPS 199 Data Categorization as Biometric materials will require a High Level of protection of the information contained within the Smart-Card and all components that handle the information. This analysis will require the recertification of all federal systems from low or moderate to a High categorization level. The comments provided here are the thoughts of only a single individual and are not to be construed as the opinion of any federal agency.
-
23909
The law in question, as memory serves, is Homeland Security Presidential Directive 12. It impacts ALL government agencies and requires a common "smart" card for identifying federal employees and contractors. The intent is to create a cross-platform, multiple-technology, PKI-based system which allows for greater security using a two-tiered system of control. The first tier is something the user has (the card); the second tier is a biometric or something the user knows (such as a password). The intent is to retrofit existing access control systems (of varying age and provenance) which will then accept a common card. The system will also tie into LANs and WANs as a means of user authentication.
The problem is that NIST has been changing the standards (monthly) and there is no consistent guidance on implementation. Factor in the fact that this card may also be a travel and procurement card and you have built a huge monster of a project that no agency is funded for, and for which no agency has staffing. Ultimately it will be like every other "idea" that has come down the pike: it will be late, over budget, and won't work as planned.
-
23875
The directive was issued back in late 04 or early 05. It covers ALL government IT equipment including DoD. And no, just because you log onto your network does not mean you will be able to print. The system is designed to prevent government data from being released, emailed, printed, faxed etc. by unauthorized individuals and to track who sent it and to whom it was sent.
I think that covers all the preceding questions.
-
23870
Parts of this article do not make sense to me. What is the DHS directive that is cited and how does a DHS directive apply to the DoD? Are we talking about stand-alone machines, or machines that are accessed after authenticating to the network?
The opening sentence ends with "over e-mail" which would indicate I have already authenticated myself to the network and have access to e-mail and other network objects - so why would I need to walk over and authenticate again at the machine?
I am aware of the potential of threat by someone gaining access to the network via a backdoor from an external machine that may be linked to the network. However, I am not aware of any initiative within the DoD, unless it is a pilot in a separate organization.
This article is vague, and requires some clarification please.
-
23811
So tell me, how does this enhance the security of the homeland?
I wonder what a cost/benefit analysis would reveal about this fiasco.
Just another example why we should eliminate Homeland Security, return the agencies it controls back to their original status, and focus on a common sense approach to security.
Is the mission security or filling the procurement trough?