HSPD-12 turns 10: But some agencies have a long way to go


Written by

Greetings to all my fellow techies. It’s hard to imagine the Homeland Security Presidential Directive 12 will turn 10 years old in August. President George W. Bush implemented the rule in 2004, and from that point on, two factor authentication was the norm for federal workers. Or at least that’s what was supposed to happen.

The military has embraced HSPD-12 more than any other government group, even issuing their own DOD Common Access Card instead of the civilian Personal Identity Verification (PIV) cards. The military has embraced HSPD-12 more than any other government group, even issuing their own DOD Common Access Card instead of the civilian Personal Identity Verification cards.

As we approach the 10th anniversary of the mandate, the Obama administration put out a report stressing that millions of common access cards have been issued to government employees. Most civilian agencies have issued Personal Identity Verification cards to more than 96 percent of their employees. The military, with its own Defense Department Common Access Card, is at 100 percent in terms of issuance. Both of those cards have more or less become synonymous with government employee access control. In fact, it’s quite easy to spot feds at trade shows and events. Many of them wear those cards on lanyards around their neck or attached to their belts.

The key to the cards in terms of cybersecurity is the integrated circuit chip that contains specific information relating to that employee. Their picture, service branch and the expiration date are all printed there too, but the chip is what makes two factor network access authentication possible.

I’ve been to places where common access cards are used to log into a network. It’s a pretty simple process. The person with the card just inserts it into a special reader and then types their username and password like everyone else. If the person who is logged into the system has to leave the room, they are supposed to take their card with them. Doing so automatically logs them out of the system.

The problem? Most of those places were at private companies, not government agencies. Though they all worked with the federal government, they weren’t feds in the proper sense.

Although there have been 5,315,299 CAC cards issued as of September 2013 — 96 percent of the federal workforce — they aren’t a requirement for network access at most agencies.

I suppose for an unfunded mandate, getting the cards out the door is a pretty big deal. The cards also expire and need to be re-issued. People get promoted or leave government service or are newly hired — all events that are supposed to trigger new cards — so 96 percent is pretty incredible. But the mandate was designed to make computer networks in government more secure. And just having a card with credentials hanging around an employee’s neck doesn’t do that.

On page 27 of the latest HSPD-12 report, the actual percentages of agencies that require smartcards for network access is broken down, and the numbers are not that great. DOD has the highest percentage of its users logging into its networks using a smartcard at 89 percent. That is followed by the Social Security Administration at 85 percent. The Education Department, the General Services Administration and Health and Human Services Department are close behind, all with 65 percent.

But it goes downhill from there. The Department of Homeland Security, whose name is mentioned in the directive, is only at 30 percent. And that is pretty good compared to most others. Agencies like the Department of Veterans Affairs, the Energy Department, the Transportation Department and the Treasury Department — all groups who do important work with sensitive information — were below 10 percent adoption rates. The State Department was at an embarrassing 1 percent, but at least they’ve gotten started. The Department of Housing and Urban Development, the Nuclear Regulatory Commission, the National Science Foundation, the Environmental Protection Agency, the Office of Personnel Management, the Labor Department and the United States Agency for International Development are at 0 percent usage ten years after the mandate and after issuing millions of cards.

2014_06_HSPD12chart A chart from the HSPD-12 report posted on Performance.gov showing what percentage of government agencies require smartcards for network access.

Wasn’t the entire point of issuing the PIV and CAC cards to provide more secure, two factor authentication for government networks?

There is speculation that new technologies like being able to input PIV data to smartphones or adding biometric credentials to networks might make the existing token-based system obsolete. But for right now, it’s what we have and should be used as intended. Even if a new authentication technology comes into favor and gets approved by the National Institute of Standards and Technology, how long would it take to implement?

The government has done most of the hard part, getting millions of cards into the hands of feds. It shouldn’t take another ten years to tie those cards back to government network access.

-In this Story-

Commentary, Guest Columns, HSPD-12, Technocrat
TwitterFacebookLinkedInRedditGoogle Gmail