OMB memo mandates FIPS 201 compliance for all new systems
When the White House Office of Management and Budget released a memorandum in February mandating that all agencies start using FIPS 201 PIV credentials for physical and logical access, it was met with mixed responses.
Vendors and consultants cheered. The credentials would finally be used for more than a flash badge, and new contracts were in sight. Agencies, however, bemoaned another unfunded mandate. Agency sources say it’s 2005 all over again, referring to the original HSPD-12 directive that mandated credential issuance with no additional budget.
Agencies were required to submit plans on how they would implement PIV-enabled systems by the end of March, and all new physical and logical access systems under development following the memo’s release must be PIV-enabled.
With more than 4.8 million PIV credentials issued to government employees and contractors, 84% complete, most would assume the IDs were widely used. The not-so-secret “dirty little secret” is that, with few exceptions, the credentials are used for little more than a flash badge.
The OMB memorandum, M-11-11, aims to change that. “This will see systems being implemented and FIPS 201, PIV and ICAM taken seriously for the first time,” says Salvatore D’Agostino, CEO at IDmachines.
As of early August there were very few agency requests for new physical or logical access systems that would use the PIV. This is likely to change before the end of the fiscal year on Sept. 30, explains D’Agostino. “Between now and then quite a few things will be committed,” he says.
A big question surrounds deployment timelines, says Patrick Hearn, vice president of government and identification markets for North America at Oberthur Technologies. The OMB memo doesn’t specify a deadline for the new systems to be deployed and for some it could take years. “The question is whether OMB will be tolerant of the smaller agencies,” he says.
Penalties for not deploying systems aren’t described in the memo, but in the past agencies failing to meet OMB’s guidance had funding pulled. This was the same threat agencies had when initially rolling out PIV. “OMB M-11-11 implies risk to budget if you don’t comply … it will be interesting to see if it bites anyone,” D’Agostino says.
It’s mixed as to whether agencies are prepared to roll out systems that would take advantage of the PIV cards, Hearn says. “Some agencies have prepared and implemented hardware,” he says.
Others are at a transition point, waiting for further guidance from NIST and additional compliant products from vendors before moving forward, Hearn says. NIST Special Publication 800-73-3 deals with middleware for PIV, and there’s an issue because few, if any, systems on the GSA’s approved product list meet the current specification.
D’Agostino says deploying systems shouldn’t be difficult for most agencies. The specifications have been out there and products exist. “People understand what PIV and FICAM entail and it’s just a matter of building out the infrastructure,” he says.
Using PIV for logical access is increasingly important as hacks on government agencies increase. “Part of the effort is to ensure on the logical access side that agencies use cryptographic algorithms as quickly as possible,” he says.
While work is underway in some agencies, some question whether the U.S. Department of Homeland Security, the agency charged with overseeing deployment of systems that would use PIV, is taking the OMB memo seriously. As of June 30, Homeland Security reported that it had, for the first time, issued credentials to all employees. Sources say the agency has historically been slow to roll out PIV-compliant systems.
With only a handful of agencies using PIV credentials for their intended purposes, it’s overdue to see some pressure applied. But with no definitive timeline for deployment, it’s hard to say whether agencies will feel any real pressure to roll out systems that take advantage of the PIV technology.
Current status of HSPD-12
HSPD-12 credentials issued as of June 1, 2011
Credentials issued to employees*: 4,151,358 (88%)
Credentials issued to contractors: 842,946 (81%)
Total credentials issued: 4,994,304 (87%)
Background investigations verified/completed as of June 1, 2011
Background investigations completed for employees*: 4,128,415 (87%)
Background investigations completed for contractors: 886,137 (85%)
Total investigations verified/completed: 5,014,552 (86%)
Infrastructure and products:
18 federal credential issuance infrastructures are in operation nationwide
59 system integrators
592 products on the GSA Approved Products and Services List
APL product details: http://www.fips201.com
Agency specific status: http://www.whitehouse.gov/omb/e-gov/hspd12_reports/
*U.S. military personnel are included in the employee numbers.