Skip to Highlights
Highlights

Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in August 2004, requiring the establishment of a governmentwide standard for secure and reliable forms of ID. The resulting standard is referred to as the personal identity verification (PIV) card. GAO was asked to determine the progress selected agencies have made in (1) implementing the capabilities of the PIV cards to enhance security and (2) achieving interoperability with other agencies. To address these objectives, GAO selected eight agencies that have a range of experience in implementing smart card-based ID systems and analyzed what actions the agencies have taken to implement PIV cards.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget 1. The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by establishing realistic milestones for full implementation of the infrastructure needed to best use the electronic authentication capabilities of PIV cards in agencies.
Closed - Implemented
Memorandum M-11-11, which was issued in February 2011, included the milestones for issuance of implementation policies, by March 31, 2011, through which the agency will require use of the PIV credentials as the common means of authentication for access to that agency's facilities, networks, and information systems. The memorandum also set requirements for the designation of personnel to implement the infrastructure by February, 25 2011.
Office of Management and Budget 2. The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by treating the HSPD-12 implementation as an investment by requiring that each agency develop a detailed plan, based on a risk-based assessment of the agency's physical and logical access control needs, that supports the extent to which electronic authentication capabilities are to be implemented.
Closed - Implemented
Memorandum M-11-11, which was issued in February 2011, included the treatment of HSPD-12 implementation as an investment, by requiring agencies to produce a detailed plan that reflected the authentication capabilities that were to be implemented at the agencies.
Office of Management and Budget 3. The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by requiring agencies to align the acquisition of PIV cards with plans for implementing their technical infrastructure to best use the cards' electronic authentication capabilities.
Closed - Implemented
OMB Memorandum M-11-11, issued in February 2011, included the requirement for agencies to align the acquisition of PIV cards with plans for implementing their technical infrastructure.
Office of Management and Budget 4. The Director, Office of Management and Budget, should revise the agency's approach to overseeing implementation of HSPD-12 by ensuring that guidance is developed that maps existing physical security guidance to Federal Information Processing Standards 201 guidance.
Closed - Implemented
In November 2008, the National Institute of Standards and Technology (NIST) issued draft Special Publication 800-116, "A Strategy for the Use of PIV Credentials in Physical Access Control Systems (PACS)," which provides guidance on the relationship between facility security levels and PIV authentication use case assurance levels.

Full Report

GAO Contacts