The Commerce Department is running into some unexpected challenges in implementing Homeland Security Presidential Directive-12.
Mike Maraya, Commerce’s program manager for IT security, said the headquarters office is more than 75 percent implemented, but still needs to figure out how to secure the identity cards of contract employees after they have left the job.
“There are of course costs associated with that and one of the issues we have is if you were to issue credentials under the current contract with GSA they are supposed to be issued for five years,” said Maraya, after a presentation at a recent conference. “We are working with GSA on that so that when a contractor does leave the department they do turn their cards in, but when they are valid for five years even one contractor not turning one back in is a huge risk.”
The 100-plus agencies using the managed service offering from the General Services Administration face this challenge more than departments managing their own card issuance.
Maraya said the managed service keeps costs down, but Commerce must still figure out how to address the expiration of contractor credentials.
“We are approaching it on multiple fronts, including working with GSA,” he said. “We are making sure we have the flexibility we need and the pricing that works for us. We also are working internally with some of the contractors. If we could use PIV-I, which is a contractor issued PIV card, that may help with our logical access implementation, but not much with physical access control. We still would have to question how these credentials were issued and if you have a background investigation. We are trying to attack it on multiple fronts.”
The Office of Management and Budget and the Homeland Security Department required all agencies to use these secure identity cards for all logical and physical access starting in fiscal 2012.
Every civilian agency missed the deadline to require all employees and contractors to log on to the computer system using the HSPD-12 card.
OMB reported in its 2012 report to Congress on the implementation of the Federal Information Security Management Act that while 90 percent of all federal employees have HSPD-12 compliant smartcards, only four agencies (the departments of Defense, Education and Agriculture and the General Services Administration) required at least 44 percent of all users to log on to the network using the cards.
Of the other 18 agencies, only four showed any progress — the departments of Homeland Security, State and Commerce and NASA — in requiring logical access log-in.
“The FY 2011 FISMA metrics data indicates that 66 percent of government user accounts are configured to require Personal Identity Verification (PIV) cards to authenticate to agencies’ networks, up from 55 percent in FY 2010,” OMB stated. “The increase of 11 percent was attributable to several agencies which made significant strides in HSPD-12 implementation to include the Department of Education which increased 59 percent in PIV authentication usage in FY 2011. An additional 22 percent of user accounts are configured to optionally use PIV cards.”
Despite the challenges, Maraya said the use of secure identity cards is becoming ingrained in the agency more broadly.
Commerce bureaus such as Census, Patent and Trademark and the National Oceanic and Atmospheric Administration are all taking advantage of single sign-on capabilities and other cybersecurity benefits of logging onto the computer network with the HSPD-12 cards.
“We are leveraging their lessons learned and coordinating with them on implementing single sign-on capabilities,” he said. “If we could find some sort of internal shared service provider, we always look to other government agencies so we don’t have to build it ourselves.”
Maraya said moving to a single sign-on capability would make a huge difference for the agency.
He said the OMB’s MAX portal is a good example of why this technology is important.
“I don’t have to pay for it,” he said. “As a Commerce employee, it’s not funded out of my program. If I give you the software and hardware to use your card, that’s one less password you have to remember.”
Getting rid of passwords
Agencies spend a lot of money and effort managing passwords. It’s one of the most common helpdesk requests.
But through the use of HSPD-12 cards and the use of single sign-on, password management becomes much simpler.
“What I’m seeing is as newer sites and services come online, they can use Google, Facebook or an Amazon ID, and eventually in line with National Strategy for Trusted Identities in Cyberspace, you will have this identity ecosystem where you have these credential maintainers and as long as you have a Google ID — of course depending on what you are trying to get into you will have commiserate level of security — you will be able to reuse,” he said. “If you have a token or another form of authentication, it helps too. But gone are the days of having to build in a username and password management system in anything you build.”
Maraya said the integration of physical access and logical access remains one of the department’s biggest challenges, and it may have to wait a few years more as Commerce is renovating its headquarters building.
“There still needs to be more synergies between physical and logical access control systems, especially when you start building in these turnstiles,” he said. “How do you tie that into Active Directory and how do you tie that into the GSA’s managed service offering, which does your issuance? There are a lot of costs involved in that. Additionally, Commerce is in the middle of a building renovation, so if we were to put something in place now, we may have to redo it in a few years as part of the renovation.”
Still, Maraya said the chief information officer’s office is working with the security and acquisition offices to figure out a plan to integrate the two systems with HSPD-12.