Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard

GAO-06-178 Published: Feb 01, 2006. Publicly Released: Mar 03, 2006.

Highlights

Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President directed the establishment of a governmentwide standard--Federal Information Processing Standard (FIPS) 201--for secure and reliable forms of ID based on "smart cards" that use integrated circuit chips to store and process data with a variety of external systems across government. GAO was asked to determine (1) actions that selected federal agencies have taken to implement the new standard and (2) challenges that federal agencies are facing in implementing the standard.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should take steps to closely monitor agency implementation progress and completion of key activities by, for example, establishing an agency reporting process, to fulfill its role of ensuring that agencies are in compliance with the goals of HSPD-12.
Status: Closed – Implemented
In response to our recommendation, OMB has developed and implemented a process for monitoring agency progress in issuing HSPD-12 compliant credentials. Beginning on March 1, 2007, agencies were required to post to their federal agency public website quarterly reports on the number of personal identity verification (PIV) credentials issued to their employees, contractors and other individuals. Agencies are also required to provide their quarterly reports to OMB. In addition, in August 2006, OMB required each agency to submit its updated HSPD-12 Implementation Plan to OMB for its evaluation. As a result, OMB has more insight into agencies' implementation progress and is better positioned to make management decisions to help ensure agencies implement HSPD-12.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to provide specific deadlines by which agencies implementing transitional smart card systems are to meet the "end-point" specification, thus allowing for interoperability of smart card systems across the federal government.
Status: Closed – Not Implemented
OMB officials reported that they did not plan to issue timelines to agencies for moving from the transition-state to the end-state specification because they did not agree that any interoperability problems existed between the transition cards and the end-state cards.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to provide guidance to agencies on assessing risks associated with the variation in the reliability and accuracy among biometric products, so that they can select vendors that best meet the needs of their agencies while maintaining interoperability with other agencies.
Status: Closed – Not Implemented
OMB officials told GAO that they did not see a need to issue any guidance in this area because they had not heard directly from any agencies that such guidance was needed.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to clarify the extent to which agencies should make risk-based assessments regarding the applicability of FIPS 201 to specific types of facilities, individuals, and information systems, such as small offices, foreign nationals, and volunteers. The updated guidance should (1) include criteria that agencies can use to determine precisely what circumstances call for risk-based assessments and (2) specify how agencies are to carry out such risk assessments.
Status: Closed – Not Implemented
OMB officials informed GAO that they did not intend to issue general guidance as recommended by GAO, stating that Federal Information Security Management Act (FISMA) procedures were adequate guidance to agencies on how to determine risks associated with facilities, personnel, and systems.

Topics

Authorization, Facility security, Federal agencies, Federal Information Processing Standards, Identification cards, Identity verification, Interoperability, Program evaluation, Smart cards, Personal identity verification