The idea behind HSPD-12 was to create a secure, interoperable credential to control physical access to facilities and logical access to networks for executive branch employees and contractors.
The directive was signed in 2004 and the FIPS 201 standard followed, along with accompanying guidance from the White House Office of Management and Budget. OMB Memorandum 05-24 was released in 2005 to provide implementation instructions for agencies deploying FIPS 201.
The memo requires an agency to issue a PIV credential to any contractor employed for more than six months. At the time this made sense. But since the emergence of the PIV-I standard, many government contractors began issuing credentials to their own employees.
Many in the contractor community want to the OMB guidance amended so that contractors with PIV-I credentials could use them instead of having to receive a new ID. But some government officials disagree, citing differences between PIV and PIV-I credentials. The former requires an in-depth background check, and there are technical differences as well.
It is not a large technical hurdle to provision a PIV-I credential on a federal network after the background check is complete, says Nicholas Piazzola, senior director of Government Authentication Solutions in the VeriSign Authentication Group. Changes could be made once the background check is complete to provision the PIV-I on a government network, creating a compromise between the contractor and government positions.
OMB declined an interview for the story but responded to questions via email. “Agencies have not raised any concerns to OMB regarding the requirement to issue identity credentials to their employees and contractors who require routine, long-term access (6 months or more) to federally controlled facilities and/or information systems,” a spokesperson states.
But agencies aren’t happy and security has become an issue, says Steve Howard, vice president of credentials at CertiPath. The federal government doesn’t have a good track record when it comes to enforcing who is employed by its contracting companies.
A host of questions arise. Is Joe Smith still employed by an agency’s cleaning contractor? How would the relying agency enforce this relationship? How quickly can an agency issue a PIV to all employees of the cleaning contractor to ensure they comply with OMB M-05-24?
Many agencies report a three to six month window in issuing a PIV to contractors. And during this delayed issuance window, what happens if the PIV credential applicant leaves his employer? What is done to allow a cleaning contractor access pending receipt of a PIV? Are they always under temporary badge escort rules? And what happens when a contract ends and the contractor moves to a new contract, potentially at a new agency?
“PIV-I handles the contractor relationship more elegantly and at lower or no cost to the federal government … all the while reducing security risks to a relying agency,” says Howard.
The Federal PKI policies directly tie the employee receiving a PIV-I credential to the human resources database of that employer. If an employee is fired or leaves, the credential is revoked. It’s this revocation process that improves the security of the agency’s relying system.
It’s also a matter of who knows the employee better than the contractor, Howard explains, stressing that it’s more likely to be the employer than the contracting federal agency. “The ability for employer issued PIV-I credentials to form the basis of agency security decisions is critical to going forward with PIV technology,” says Howard. “This is a significant weakness in the view of OMB M-05-24 and the interpretation of HSPD-12.”
The problem that arises, especially when dealing with contractors such as cleaning crews, is that they may switch agencies frequently. This can lead to a contractor with multiple agency-issued PIV credentials. If a contract employee changes their relationship annually, they could easily have up to three PIV credentials, one issued by each of the contracting agencies.
On the other hand, the individual could be issued one PIV-I by their employer, obtain one background investigation associated with that single credential, and greatly increase security and efficiency for the federal government, Howard explains.
Yet OMB M-05-24 does not allow this behavior. The federal government continues to spend money to credential and re-credential contractors, increasing security risks to relying agencies.
“Private sector PIV-I credential holders will realize benefits from using credentials on a single identity badge, says Gary Schneider, managing director and North America Public Sector Product head for Citi Transaction Services. “For all participants in the system it will save time, money and resources for their institutions. They will not have to issue or manage multiple badges for access to multiple locations as one federated credential can be used by all for access.”
There’s also the matter of the federal government enabling the PIV-I market to grow. Many companies have spent time and money to become certified to issue PIV-I credentials at the behest of the federal government. “The PIV-I market was created because the federal government asked for it,” says Bob Dulude, director of federal identity initiatives at HID Global. “A lot of time and resources went into creating a process as secure as PIV, and now the federal government is taking half of it away from us.”