OMB, DHS working on new HSPD-12 guidance

By Jason Miller
Executive Editor
Federal News Radio

The Office of Management and Budget and the Homeland Security Department are working on two memos giving agencies new instructions around using their secure identity management cards.

Sources confirm that OMB will write one memo and DHS’s National Protection and Programs Directorate will issue the other around agency use of credentials under Homeland Security Presidential Directive-12 (HSPD-12).

Phil Reitinger, NPPD’s under secretary, would not comment on the memo or its status.


“What I can say, we are working broadly across government,” Reitinger said after his speech Thursday at the IdentEvent 2010 event sponsored by TechAmerica in Washington. “The genius of HSPD-12 unites the notion that we need to address both logical access controls and physical access controls. In the logical space, we operate, more recently, under a more specific delegation of Federal Information Security Management Act (FISMA) authorities, operational FISMA authorities, from the Office of Management and Budget, so we are moving forward aggressively in that space.”

Reitinger added that the General Services Administration is in charge, for the most part, of federal buildings for the physical security piece, and DHS is partnering with them and others to implement controls using HSPD-12 cards.

“We understand that moving forward on broad, interoperable authentication for government and government contractors is absolutely essential, and we are focused on that,” he said.

In the 2010 budget passback document Federal News Radio obtained last winter, OMB told agencies that in 2011 they should use development, modernization and enhancement (DME) funding or operations and maintenance (O&M) funding to upgrade physical and logical access control using the secure ID cards.

In the two years in office, OMB and the White House cybersecurity coordinator Howard Schmidt have issued only one memo referring to HSPD-12: the April 2010 FISMA reporting guidance.

At the same time, the administration is putting a lot of focus on the broader issue of identity management and authentication.

Reitinger said it is key to everything the White House wants to do to improve cybersecurity within government and across the country.

“There is nothing that is more important than deployment of broadly interoperable authentication,” he said. “It is a priority for me; it is a priority for DHS; and it is a priority for the administration.”

To that end, President Obama is expected to sign the final version of the National Strategy for Trusted Identities in Cyberspace (NSTIC) this winter.

The White House issued the draft strategy in June.

Ari Schwartz, a senior Internet policy advisor for the National Institute of Standards and Technology, said his agency and others are reviewing comments from industry and others about the draft.

“There were a lot of areas where it was important to clarify the vision of the strategy,” he said. “We are finally at the point where it’s working the way through the interagency process. We want to make sure we are in sync with all of the agencies, and that is part of why you hear a very similar message from DHS and Commerce on this. We are at the point of vetting the strategy at all the different agencies.”

The one area that needed to be addressed through the final document is the role the private sector must play.

Schwartz said the final version of the NSTIC likely will make it clearer that contractors and other private sector organizations must be full partners in meeting the four goals of the strategy:

  • Identity solutions must be privacy enhancing and voluntary.
  • Identity solutions must be secure and resilient.
  • Identity solutions must be interoperable.
  • Identity solutions must be cost effective and easy to use.

“One of the key points is this idea of this identity ecosystem must be voluntary,” Schwartz said. “The government will neither mandate that individuals obtain certain online credentials nor will companies require specific kinds of online credentials as the only means to interact with them. That means we will need the private sector to implement different levels of authentication, different levels of assurance and to engage, design, build, promote, operate and maintain this new identity ecosystem.”

Reitinger said the strategy will help establish a community approach to security where identity management and authentication is the most important piece.

“Our mantra should be ‘we are mad as heck and we aren’t going to use passwords anymore,’” he said, borrowing the famous line from the movie Network. “We have to get out of the game of usernames and passwords.”

He said authentication must be as easy as locking your door with a key and reduce the risk just as much.

“Without strong authentication that is voluntary and privacy enhancing, everything we do online is built on sand,” he said. “Why? My premise is that everything on the Internet is action at a distance. Even if it’s software on my home machine or on one of my multiple mobile devices, I can’t see it, feel it or touch it. It’s just a bunch of bits. I need to be able to strongly authenticate things. That may mean authenticate who it is I’m talking to. It may mean authenticate a piece of software. It may mean authenticate a device. But it may also just mean know with a high degree of confidence an attribute, where I don’t need to know their identity.”

(Copyright 2010 by All Rights Reserved.)