Electronic Government:

Additional OMB Leadership Needed to Optimize Use of New Federal Employee Identification Cards

GAO-08-292: Published: Feb 29, 2008. Publicly Released: Apr 9, 2008.

Contact:

Gregory C. Wilshusen
(202) 512-6240
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in August 2004, requiring the establishment of a governmentwide standard for secure and reliable forms of ID. The resulting standard is referred to as the personal identity verification (PIV) card. GAO was asked to determine the progress selected agencies have made in (1) implementing the capabilities of the PIV cards to enhance security and (2) achieving interoperability with other agencies. To address these objectives, GAO selected eight agencies that have a range of experience in implementing smart card-based ID systems and analyzed what actions the agencies have taken to implement PIV cards.

Much work has been accomplished to lay the foundations for implementation of HSPD-12, a major governmentwide undertaking. However, agencies have made limited progress in implementing and using PIV cards. The eight agencies GAO reviewed--including the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the Nuclear Regulatory Commission; and the National Aeronautics and Space Administration--have generally completed background checks on most of their employees and contractors and established basic infrastructure, such as purchasing card readers. However, none of them met the Office of Management and Budget's (OMB) goal of issuing PIV cards by October 27, 2007, to all employees and contractor personnel who had been with the agency for 15 years or less. In addition, for the limited number of cards that have been issued, most agencies have not been using the electronic authentication capabilities on the cards and have not developed implementation plans for those capabilities. In certain cases, products are not available to support those authentication mechanisms.

A key contributing factor for why agencies have made limited progress is that OMB, which is tasked with ensuring that federal agencies successfully implement HSPD-12, has emphasized issuance of cards, rather than full use of the cards' capabilities. Specifically, OMB has set milestones that focus narrowly on having agencies acquire and issue cards in the near term, regardless of when the electronic authentication capabilities of the cards may be used. Furthermore, agencies anticipate having to make substantial financial investments to implement HSPD-12, since PIV cards are considerably more expensive than traditional ID cards. However, OMB has not considered HSPD-12 implementation to be a major new investment and thus has not required agencies to prepare detailed plans regarding how, when, and the extent to which they will implement the electronic authentication mechanisms available through the cards. Without implementing the cards' electronic authentication capabilities, agencies will continue to purchase costly PIV cards to be used in the same way as the much cheaper, traditional ID cards they are replacing. Until OMB revises its approach to focus on the full use of the capabilities of the new PIV cards, HSPD-12's objectives of increasing the quality and security of ID and credentialing practices across the federal government may not be fully achieved.

While steps have been taken to enable future interoperability, progress has been limited in making current systems interoperate, partly because key procedures and specifications have not yet been developed to enable electronic cross-agency authentication of cardholders. According to General Services Administration officials, they have taken the initial steps to develop guidance to help enable the exchange of identity information across agencies, and they plan to complete and issue it by September 2008. Such guidance should help enable agencies to establish cross-agency interoperability--a primary goal of HSPD-12.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: OMB Memorandum M-11-11, issued in February 2011, included the requirement for agencies to align the acquisition of PIV cards with plans for implementing their technical infrastructure.

    Recommendation: The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by requiring agencies to align the acquisition of PIV cards with plans for implementing their technical infrastructure to best use the cards' electronic authentication capabilities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: Memorandum M-11-11, which was issued in February 2011, included the treatment of HSPD-12 implementation as an investment, by requiring agencies to produce a detailed plan that reflected the authentication capabilities that were to be implemented at the agencies.

    Recommendation: The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by treating the HSPD-12 implementation as an investment by requiring that each agency develop a detailed plan, based on a risk-based assessment of the agency's physical and logical access control needs, that supports the extent to which electronic authentication capabilities are to be implemented.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: Memorandum M-11-11, which was issued in February 2011, included the milestones for issuance of implementation policies, by March 31, 2011, through which the agency will require use of the PIV credentials as the common means of authentication for access to that agency's facilities, networks, and information systems. The memorandum also set requirements for the designation of personnel to implement the infrastructure by February 25, 2011.

    Recommendation: The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by establishing realistic milestones for full implementation of the infrastructure needed to best use the electronic authentication capabilities of PIV cards in agencies.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: In November 2008, the National Institute of Standards and Technology (NIST) issued draft Special Publication 800-116, "A Strategy for the Use of PIV Credentials in Physical Access Control Systems (PACS)," which provides guidance on the relationship between facility security levels and PIV authentication use case assurance levels.

    Recommendation: The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by ensuring that guidance is developed that maps existing physical security guidance to Federal Information Processing Standards 201 guidance.

    Agency Affected: Executive Office of the President: Office of Management and Budget

 
