Electronic Government

Agencies Face Challenges in Implementing New Federal Employee Identification Standard Gao ID: GAO-06-178 February 1, 2006

Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President directed the establishment of a governmentwide standard--Federal Information Processing Standard (FIPS) 201--for secure and reliable forms of ID based on "smart cards" that use integrated circuit chips to store and process data with a variety of external systems across government. GAO was asked to determine (1) actions that selected federal agencies have taken to implement the new standard and (2) challenges that federal agencies are facing in implementing the standard.

The six agencies we reviewed--Defense, Interior, Homeland Security, Housing and Urban Development (HUD), Labor, and the National Aeronautics and Space Administration (NASA)--had each taken actions to begin implementing the FIPS 201 standard. Their primary focus has been on actions to address the first part of the standard, which calls for establishing appropriate identity proofing and card issuance policies and procedures and which the Office of Management and Budget (OMB) required agencies to implement by October 27, 2005. Agencies had completed a variety of actions, such as instituting policies to require that at least a successful fingerprint check be completed prior to issuing a credential. Regarding other requirements, however, efforts were still under way. For example, Defense and NASA reported that they were still modifying their background check policies. Based on OMB guidance, agencies have until October 27, 2006, to implement the second part of the standard, which requires them to implement interoperable smart-card based ID systems. Agencies have begun to take actions to address this part of the standard. For example, Defense and Interior conducted assessments of technological gaps between their existing systems and the infrastructure required by FIPS 201 but had not yet developed specific designs for card systems that meet FIPS 201 interoperability requirements. The federal government faces significant challenges in implementing FIPS 201, including (1) testing and acquiring compliant commercial products--such as smart cards and card readers--within required time frames; (2) reconciling divergent implementation specifications; (3) assessing the risks associated with specific vendor implementations of the recently chosen biometric standard; (4) incomplete guidance regarding the applicability of FIPS 201 to facilities, people, and information systems; and (5) planning and budgeting with uncertain knowledge and the potential for substantial cost increases. Until these implementation challenges are addressed, the benefits of FIPS 201 may not be fully realized. Specifically, agencies may not be able to meet implementation deadlines established by OMB, and more importantly, true interoperability among federal government agencies' smart card programs--one of the major goals of FIPS 201--may not be achieved.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


GAO-06-178, Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard This is the accessible text file for GAO report number GAO-06-178 entitled 'Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard' which was released on March 3, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Government Reform, House of Representatives: February 2006: Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard: GAO-06-178: GAO Highlights: Highlights of GAO-06-178, a report to the Chairman, Committee on Government Reform, House of Representatives: Why GAO Did This Study: Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President directed the establishment of a governmentwide standard”Federal Information Processing Standard (FIPS) 201”for secure and reliable forms of ID based on ’smart cards“ that use integrated circuit chips to store and process data with a variety of external systems across government. GAO was asked to determine (1) actions that selected federal agencies have taken to implement the new standard and (2) challenges that federal agencies are facing in implementing the standard. What GAO Found: The six agencies we reviewed”Defense, Interior, Homeland Security, Housing and Urban Development (HUD), Labor, and the National Aeronautics and Space Administration (NASA)”had each taken actions to begin implementing the FIPS 201 standard. Their primary focus has been on actions to address the first part of the standard, which calls for establishing appropriate identity proofing and card issuance policies and procedures and which the Office of Management and Budget (OMB) required agencies to implement by October 27, 2005. Agencies had completed a variety of actions, such as instituting policies to require that at least a successful fingerprint check be completed prior to issuing a credential. Regarding other requirements, however, efforts were still under way. For example, Defense and NASA reported that they were still modifying their background check policies. Based on OMB guidance, agencies have until October 27, 2006, to implement the second part of the standard, which requires them to implement interoperable smart-card based ID systems. Agencies have begun to take actions to address this part of the standard. For example, Defense and Interior conducted assessments of technological gaps between their existing systems and the infrastructure required by FIPS 201 but had not yet developed specific designs for card systems that meet FIPS 201 interoperability requirements. The federal government faces significant challenges in implementing FIPS 201, including (1) testing and acquiring compliant commercial products”such as smart cards and card readers”within required time frames; (2) reconciling divergent implementation specifications; (3) assessing the risks associated with specific vendor implementations of the recently chosen biometric standard; (4) incomplete guidance regarding the applicability of FIPS 201 to facilities, people, and information systems; and (5) planning and budgeting with uncertain knowledge and the potential for substantial cost increases. Until these implementation challenges are addressed, the benefits of FIPS 201 may not be fully realized. Specifically, agencies may not be able to meet implementation deadlines established by OMB, and more importantly, true interoperability among federal government agencies‘ smart card programs”one of the major goals of FIPS 201”may not be achieved. Time Line of FIPS 201-Related Activities: [See PDF for image] [End of figure] What GAO Recommends: GAO recommends that the Director, OMB monitor FIPS 201 implementation progress by, for example, (1) establishing an agency reporting process to fulfill its role of ensuring FIPS 201 compliance and (2) amending or supplementing guidance to provide more complete direction to agencies on how to address implementation challenges. With the exception of OMB, which disagreed with GAO‘s second recommendation, agency officials generally agreed with the content of this report. www.gao.gov/cgi-bin/getrpt?GAO-06-178. To view the full product, including the scope and methodology, click on the link above. For more information, contact Linda Koontz at (202) 512- 6249 or koontzl@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Agencies Have Taken Actions to Begin Implementing FIPS 201: The Federal Government Faces Challenges in Implementing FIPS 201: Conclusions: Recommendations: Agency Comments and Our Evaluation: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: NIST Guidelines on Implementing FIPS 201: Appendix III: Comments from the Office of Management and Budget: Appendix IV: Comments from the General Services Administration: Appendix V: Comments from the Department of Commerce: Appendix VI: Contacts and Staff Acknowledgments: Glossary: Figures: Figure 1: A Typical Smart Card: Figure 2: Major Provisions of PIV-I: Figure 3: Example of a FIPS 201 Card Showing Major Required Features: Figure 4: Time Line of FIPS 201 Related Activities: Figure 5: Common Fingerprint Feature: Abbreviations: BLM: Bureau of Land Management: CAC: Common Access Card: DHS: Department of Homeland Security: FBI: Federal Bureau of Investigation: FIPS: Federal Information Processing Standards: GSA: General Services Administration: GSC-IS: Government Smart Card Interoperability Specification: HSPD-12: Homeland Security Presidential Directive 12: HUD: Housing and Urban Development: IAB: Smart Card Interagency Advisory Board: ID: Identification: NACI: National Agency Check with Written Inquiries: NASA: National Aeronautics and Space Administration: NIST: National Institute of Standards and Technology: OMB: Office of Management and Budget: OPM: Office of Personnel Management: PIN: Personal Identification Number: PIV: personal identity verification: PKI: public key infrastructure: Letter February 1, 2006: The Honorable Tom Davis: Chairman: Committee on Government Reform: House of Representatives: Dear Mr. Chairman: As you know, wide variations exist in the quality and security of forms of identification (ID) used to gain access to federal facilities and information systems. In an effort to increase the quality and security of ID and credentialing practices across the federal government, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in August 2004. This directive ordered the establishment of a mandatory, governmentwide standard for secure and reliable forms of identification for federal government employees and contractors that access government-controlled facilities and information systems. In February 2005, the National Institute of Standards and Technology (NIST) issued the required standard, titled the Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. Known as FIPS 201, the standard is divided into two parts. The first part, PIV-I, sets out uniform requirements for identity proofing--verifying the identity of individuals applying for official agency credentials--as well as issuing credentials, maintaining related information, and protecting the privacy of the applicants. The Office of Management and Budget (OMB), which is responsible for ensuring compliance with the standard, issued guidance requiring agencies to implement these requirements, with the exception of the privacy requirements, by October 27, 2005. The second part, PIV-II, specifies the technical requirements for credentialing systems for federal employees and contractors based on interoperable[Footnote 1] smart cards.[Footnote 2] Agencies are required by OMB to begin issuing credentials that meet these provisions by October 27, 2006. Subsequent publications from NIST and the General Services Administration (GSA) provided supplemental guidance on various aspects of FIPS 201, including an outline of two alternate approaches that agencies may take to comply with the standard, depending on their previous experience with smart cards. Smart cards offer the potential to enhance security by significantly improving the process of authenticating the identity of people accessing federal buildings and computer systems, especially when these cards are used in combination with other technologies, such as biometrics.[Footnote 3] This report responds to your request that we conduct a review of agencies' progress in implementing systems that conform to the new federal identity card standard, as directed by HSPD-12. Specifically, our objectives were to determine (1) actions that selected federal agencies have taken to implement systems, based on the new standard and (2) challenges that federal agencies are facing in implementing such systems. To address these objectives, we selected six agencies with a range of experience in implementing smart card-based identification systems-- the Departments of Defense, Interior, Homeland Security (DHS), Housing and Urban Development (HUD), Labor, and the National Aeronautics and Space Administration (NASA). To obtain information on the actions these agencies have taken and plan to take to implement the standard, we analyzed documentation such as agencies' implementation plans and interviewed their officials. To identify challenges and barriers associated with implementing the new federal ID standard, we obtained and analyzed documentation and interviewed officials from these agencies as well as from GSA, NIST, OMB and the Office of Personnel Management (OPM). We performed our work at Defense, Interior, DHS, HUD, Labor, NASA, NIST, OMB, OPM and GSA in the Washington, D.C., metropolitan area from April 2005 to December 2005, in accordance with generally accepted government auditing standards. Further details of our objectives, scope, and methodology are provided in appendix I. Results in Brief: The six agencies that we reviewed--Defense, Interior, DHS, HUD, Labor, and NASA--have each taken actions to begin implementing the FIPS 201 standard. Their primary focus has been on actions to address the first part of the standard, which calls for establishing appropriate identity proofing and card issuance policies and procedures. For example, five of the six agencies had instituted policies to require that at least a successful fingerprint check be completed prior to issuing a credential, and the sixth agency, Defense, was in the process of having such a policy instituted. Regarding other requirements, however, efforts were still under way. For example, Defense and NASA reported that they were making modifications to their background check policies. Four of the six agencies were still updating their policies and procedures or gaining formal agency approval for them. Labor and HUD officials had completed modifications of their policies and gained approval for their PIV-I processes. Agencies have begun to take actions to address the second part of the standard, which focuses on interoperable smart card systems. Defense and Interior conducted assessments of technological gaps between their existing systems and the infrastructure required by FIPS 201, for example, but had not yet developed specific designs for card systems that meet FIPS 201 interoperability requirements. The federal government faces a number of challenges in implementing FIPS 201, including the following: * Testing and acquiring compliant smart cards, card readers, and other related commercial products may not be completed within OMB-mandated deadlines. * Divergent agency implementations based on the two alternate approaches outlined in NIST guidance may delay governmentwide smart card interoperability. * Agencies may face difficulties assessing the risks associated with specific vendor implementations of the recently chosen biometric standard. * Incomplete guidance from OMB regarding the applicability of FIPS 201 to facilities, people, and information systems may make it difficult for agencies to meet FIPS 201 identity proofing and registration requirements consistently and economically. Existing guidance, for example, does not address significant categories of individuals, such as foreign nationals, who may need access to federal facilities and systems. * Planning and budgeting for FIPS 201 compliance with uncertain knowledge may make it difficult for agencies to prepare accurate business cases and may affect the overall implementation schedule and planned performance of smart card investments across government agencies. For example, agencies have not had reliable information about product costs and cost elements, which are necessary for cost-benefit analyses. Until these implementation challenges are addressed, the benefits of FIPS 201 may not be fully realized. Specifically, agencies may not be able to meet implementation deadlines established by OMB, and more importantly, true interoperability among federal government agencies' smart card programs--one of the major goals of FIPS 201--may not be achieved. To better ensure that the objectives of HSPD-12 are met, we are recommending that the Director, OMB, take steps to closely monitor agency implementation progress and the completion of key activities by, for example, (1) establishing an agency reporting process to fulfill its role of ensuring that agencies are in compliance with the goals of HSPD-12 and (2) amending or supplementing governmentwide guidance regarding compliance with the FIPS 201 standard to provide more complete direction to agencies on how to address implementation challenges. We received written comments on a draft of this report from the Administrator of E-Government and Information Technology of OMB, the Acting Associate Administrator of GSA, and the Deputy Secretary of Commerce. Letters from these agencies are reprinted in appendixes III through V. We received technical comments from the Director of the Access Card Office for Defense and, a Special Agent at OPM, via email, which we incorporated as appropriate. We also received written technical comments from the Assistant Secretary for Administration for HUD and the Assistant Secretary of Policy, Management, and Budget at the Interior. Additionally, representatives from NASA and Labor indicated via email that they reviewed the draft report and did not have any comments. Officials from Homeland Security did not respond to our request for comments. Officials from GSA, Commerce, HUD, Defense, Interior, and OPM generally agreed with the content of our draft report and our recommendations and provided updated information and technical comments, which have been incorporated where appropriate. OMB agreed with our recommendation on monitoring agency progress but disagreed with our recommendation on amending or supplementing government-wide policy guidance, stating that it did not think its guidance was incomplete. However, we believe OMB has not provided agencies with adequate guidance about when and how to apply the standard for important categories of individuals and facilities and for assessing risks associated with vendor implementations of the recently chosen biometric standard. Background: Today, federal employees are issued a wide variety of ID cards that are used to access federal buildings and facilities, sometimes solely on the basis of visual inspection by security personnel. These cards generally cannot be used to control access to an agency's computer systems. Furthermore, many can be easily forged or stolen and altered to permit access by unauthorized individuals. The ease with which traditional ID cards can be forged has contributed to increases in identity theft and related security and financial problems for both individuals and organizations. One means to address such problems is offered by the use of smart cards. What Are Smart Cards? Smart cards are plastic devices about the size of a credit card that contain an embedded integrated circuit chip capable of storing and processing data.[Footnote 4] The unique advantage that smart cards have over traditional cards with simpler technologies like magnetic stripes or bar codes is that they can exchange data with other systems and process information, rather than simply serving as static data repositories. By securely exchanging information, a smart card can help authenticate the identity of the individual possessing the card in a far more rigorous way than is possible with traditional ID cards. A smart card's processing power also allows it to exchange and update many other kinds of information with a variety of external systems, which can facilitate applications such as financial transactions or other services that involve electronic record-keeping. Figure 1 shows a typical example of a smart card. Figure 1: A Typical Smart Card: [See PDF for image] [End of figure] Smart cards can also be used to significantly enhance the security of an organization's computer systems by tightening controls over user access. A user wishing to log on to a computer system or network with controlled access must "prove" his or her identity to the system--a process called authentication. Many systems authenticate users merely by requiring them to enter secret passwords. This provides only modest security because passwords can be easily compromised. Substantially better user authentication can be achieved by supplementing passwords with smart cards. To gain access under this scenario, a user is prompted to insert a smart card into a reader attached to the computer as well as type in a password. This authentication process is significantly harder to circumvent because an intruder would not only need to guess a user's password but also possess that same user's smart card. Even stronger authentication can be achieved by using smart cards in conjunction with biometrics. Smart cards can be configured to store biometric information (such as fingerprints or iris scans) in an electronic record that can be retrieved and compared with an individual's live biometric scan as a means of verifying that person's identity in a way that is difficult to circumvent. An information system requiring users to present a smart card, enter a password, and verify a biometric scan provides what security experts call "three- factor" authentication, the three factors being "something you possess" (the smart card), "something you know" (the password), and "something you are" (the biometric). Systems employing three-factor authentication are considered to provide a relatively high level of security. The combination of smart cards and biometrics can provide equally strong authentication for controlling access to physical facilities.[Footnote 5] Smart cards can also be used in conjunction with public key infrastructure (PKI) technology to better secure electronic messages and transactions.[Footnote 6] A properly implemented and maintained PKI can offer several important security services, including assurance that (1) the parties to an electronic transaction are really who they claim to be, (2) the information has not been altered or shared with any unauthorized entity, and (3) neither party will be able to wrongfully deny taking part in the transaction. PKI systems are based on cryptography and require each user to have two different digital "keys" a public and a private key. Both public and private keys may be generated on a smart card or on a user's computer. Security experts generally agree that PKI technology is most effective when used in tandem with hardware tokens, such as smart cards. PKI systems use cryptographic techniques to generate and manage electronic "certificates" that link an individual or entity to a given public key. These digital certificates are then used to verify digital signatures and facilitate data encryption. The digital certificates are created by a trusted third party called a certification authority, which is also responsible for providing status information on whether the certificate is still valid or has been revoked or suspended. The PKI software in the user's computer can verify that a certificate is valid by first verifying that the certificate has not expired and then by checking the online status information to ensure that it has not been revoked or suspended. In addition to enhancing security, smart cards have the flexibility to support a wide variety of uses not related to security, such as tracking itineraries for travelers, linking to immunization or other medical records, or storing cash value for electronic purchases. Currently, a typical smart card can store and process up to 32 kilobytes of data, however newer cards have been introduced that can accommodate 64 kilobytes. The larger a card's electronic memory, the more functions it can support. Smart cards are grouped into two major classes: "contact" cards and "contactless" cards. Contact cards have gold-plated contacts that connect directly with the read/write heads of a smart card reader when the card is inserted into the device. Contactless cards contain an embedded antenna and work when the card is waved within the magnetic field of a card reader or terminal. Contactless cards are better suited to environments that require quick interaction between the card and the reader, such as places with a high volume of people seeking physical access. For example, the Washington Metropolitan Area Transit Authority has deployed an automated fare collection system using contactless smart cards as a way of speeding patrons' access to the Washington, D.C., subway system. Smart cards can be configured to include both contact and contactless capabilities, but two separate interfaces are needed because standards for the technologies are very different. Governmentwide Smart Card Efforts Were Under Way Prior to HSPD-12: Since the 1990s, the federal government has promoted the use of smart card technology as one option for improving security over buildings and computer systems.[Footnote 7] In 1996, OMB, which has statutory responsibility to develop and oversee policies, principles, standards, and guidelines--used by agencies for ensuring the security of federal information and systems--tasked GSA with taking the lead in facilitating a coordinated interagency management approach for the adoption of smart cards across government. Because the value of a smart card is greatly enhanced if it can be used with multiple systems at different agencies, GSA worked with NIST and smart card vendors to develop the Government Smart Card Interoperability Specification, which defined a uniform set of commands and responses for smart cards to use in communicating with card readers. This specification defined a software interface for smart card systems that served to bridge the significant incompatibilities among vendors' proprietary systems. Vendors could meet the specification by writing software for their cards that translated their unique command and response formats to the government standard. NIST completed the first version of the interoperability specification in August 2000. However, this and subsequent versions did not fully define all implementation details, and therefore the extent to which systems using the specification could interoperate was limited. In 2003, OMB created the Federal Identity Credentialing Committee to make policy recommendations and develop the Federal Identity Credentialing component of the Federal Enterprise Architecture[Footnote 8] to include processes such as identity proofing and credential management. In February 2004, the Federal Identity Credentialing Committee issued the Government Smart Card Handbook on the use of smart card-based systems in badge, identification, and credentialing systems with the objective of helping agencies plan, budget, establish, and implement identification and credentialing systems for government employees and their agents. In September 2004,[Footnote 9] we reported that nine agencies were planning or implementing agencywide smart card initiatives. Some of these initiatives included the Defense's Common Access Card (CAC), which had 3.2 million cards in use at the time of our review, and the Department of State's Domestic Smart Card Access Control project, which had issued 25,000 cards as of September 2004. HSPD-12 Requires Standardized Agency ID and Credentialing Systems: In August 2004, the President issued HSPD-12, which required the Department of Commerce to develop a new standard for secure and reliable forms of ID for federal employees and contractors by February 27, 2005. The directive defined secure and reliable ID as meeting four control objectives. Specifically, credentials must be: * based on sound criteria for verifying an individual employee's identity; * strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; * rapidly authenticated electronically; and: * issued only by providers whose reliability has been established by an official accreditation process. The directive stipulated that the standard include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. In addition, the directive required agencies to implement the standard for IDs issued to federal employees and contractors in order to gain physical access to controlled facilities and logical access to controlled information systems, to the maximum extent practicable, by October 27, 2005.[Footnote 10] NIST, OMB, and GSA Have Issued Guidance for Implementing HSPD-12: In response to HSPD-12, NIST published FIPS 201, titled "Personal Identity Verification of Federal Employees and Contractors" on February 25, 2005. The standard specifies the technical requirements for personal identity verification (PIV) systems to issue secure and reliable identification credentials to federal employees and contractors for gaining physical access to federal facilities and logical access to information systems and software applications. Smart cards are the primary component of the envisioned PIV system. The FIPS 201 standard is composed of two parts. The first part, PIV-I, sets standards for PIV systems in three areas: (1) identity proofing and registration, (2) card issuance and maintenance, and (3) protection of card applicants' privacy. OMB directed agencies to implement the first two requirements by October 27, 2005, but did not require agencies to implement the privacy provisions until they start issuing FIPS 201 compliant identity cards, which is not expected until October 2006. To verify individuals' identities, agencies are required to adopt an accredited[Footnote 11] identity proofing and registration process that is approved by the head of the agency and includes: * initiating or completing a background investigation, such as a National Agency Check with Written Inquiries (NACI), or ensuring that one is on record for all employees and contractors; * conducting and adjudicating a Federal Bureau of Investigation (FBI) National Criminal History Fingerprint Check (fingerprint check) for all employees and contractors prior to credential issuance;[Footnote 12] * requiring applicants to appear in person at least once before the issuance of a PIV card; * requiring applicants to provide two original forms of identity source documents from an OMB-approved list of documents; and: * ensuring that no single individual has the capability to issue a PIV card without the cooperation of another authorized person (separation of duties principle). Agencies are further required to adopt an accredited card issuance and maintenance process that is approved by the head of the agency and includes standardized specifications for printing photographs, names, and other information on PIV cards; loading relevant electronic applications into a card's memory; capturing and storing biometric and other data; issuing and distributing digital certificates; and managing and disseminating certificate status information. The process must satisfy the following requirements: * ensure complete and successful adjudication of background investigations required for federal employment and revoke PIV cards if the results of investigations so justify; * when issuing a PIV card to an employee or contractor, verify that the individual is the same as the applicant approved by the appropriate authority; and: * issue PIV cards only through accredited systems and providers. Finally, agencies are required to perform the following activities to protect the privacy of the applicants, including: * assigning an individual to the role of senior agency official for privacy to oversee privacy-related matters in the PIV system, * conducting a comprehensive privacy impact assessment on systems containing personal information for the purpose of implementing a PIV system, * providing full disclosure of the intended uses of the PIV card and related privacy implications to the applicants, * utilizing security controls described in NIST guidance to accomplish privacy goals where applicable, and: * ensuring that implemented technologies in PIV systems do not erode privacy protections. Figure 2 illustrates PIV-I provisions for identity proofing and registration, card issuance and maintenance, and protection of applicants' privacy. Figure 2: Major Provisions of PIV-I: [See PDF for image] [End of figure] The second part of the FIPS 201 standard, PIV-II, provides technical specifications for interoperable smart card-based PIV systems. Agencies are required to begin issuing credentials that meet these provisions by October 27, 2006. The requirements include the following: * specifications for the components of the PIV system that employees and contractors will interact with, such as PIV cards, card and biometric readers, and personal identification number (PIN) input devices; * security specifications for the card issuance and management provisions; * a suite of authentication mechanisms supported by the PIV card and requirements for a set of graduated levels of identity assurances;[Footnote 13] * physical characteristics of PIV cards, including requirements for both contact and contactless interfaces and the ability to pass certain durability tests; * mandatory information that is to appear on the front and back of the cards, such as a photograph, the full name, card serial number and issuer identification; and: * technical specifications for electronic identity credentials (i.e., smart cards) to support a variety of authentication mechanisms, including PINs, PKI encryption keys and corresponding digital certificates, biometrics (specifically, representations of two fingerprints), and unique cardholder identifier numbers. As outlined in a NIST special publication,[Footnote 14] agencies can choose between two alternate approaches to become FIPS 201 compliant, depending on their previous experience with smart cards. The guidance sets different specifications for each approach. One approach is to adopt "transitional" card interfaces, based on the Government Smart Card Interoperability Specification (GSC-IS). Federal agencies that have already implemented smart card systems based on the GSC-IS can elect to adopt the transitional card interface specification to meet their responsibilities for compliance with part II of the standard. The other approach is to immediately adopt the "end-point" card interfaces, which are fully compliant with the FIPS 201 PIV-II card standard. All agencies without previous large scale smart card implementations are expected to proceed with implementing PIV systems that meet the end- point interface specification. Figure 3 shows an example of a FIPS 201 card. Figure 3: Example of a FIPS 201 Card Showing Major Required Features: [See PDF for image] [End of figure] NIST has issued several other special publications providing supplemental guidance on various aspects of the FIPS 201 standard, including guidance on verifying that agencies or other organizations have the proper systems and administrative controls in place to issue PIV cards, and technical specifications for implementing the required encryption technology. Additional information on NIST's special publications is provided in appendix II. In addition, NIST was responsible for developing a suite of tests to be used by approved commercial laboratories in validating whether commercial products for the smart card and the card interface are in conformance with FIPS 201. NIST developed the test suite and designated several laboratories as interim NIST PIV Program testing facilities in August 2005. The designated facilities were to use the NIST test suite to validate commercial products required by FIPS 201 so that they could be made available for agencies to acquire as part of their PIV-II implementation efforts. According to NIST, during the next year, these laboratories will be assessed for accreditation for PIV testing. Once accreditation is achieved, the "interim" designation will be dropped. OMB is responsible for ensuring that agencies comply with the standard, and in August 2005, it issued a memorandum to executive branch agencies with instructions for implementing HSPD-12 and the new standard. The memorandum specifies to whom the directive applies; to what facilities and information systems FIPS 201 applies; and, as outlined below, the schedule that agencies must adhere to when implementing the standard: * October 27, 2005--for all new employees and contractors, adhere to the identity proofing, registration, card issuance, and maintenance requirements of the first part (PIV-I) of the standard. Implementation of the privacy requirements of PIV-I was deferred until agencies are ready to start issuing FIPS 201 credentials. * October 27, 2006--start issuing cards that comply with the second part (PIV-II) of the standard. Agencies may defer implementing the biometric requirement until the NIST guidance is final. * October 27, 2007--verify and/or complete background investigations for all current employees and contractors (Investigations of individuals who have been employees for more than 15 years may be delayed past this date.) * October 27, 2008--complete background investigations for all individuals who have been federal agency employees for over 15 years. OMB guidance also includes specific time frames in which NIST and GSA must provide additional guidance, such as technical references and Federal Acquisition Regulations. GSA, in collaboration with the Federal Identity Credentialing Committee, the Federal Public Key Infrastructure Policy Authority, OMB, and the Smart Card Interagency Advisory Board--which GSA established to address government smart card issues and standards--developed the Federal Identity Management Handbook. This handbook was intended to be a guide for agencies implementing HSPD-12 and FIPS 201 and includes guidance on specific courses of action, schedule requirements, acquisition planning, migration planning, lessons learned, and case studies. It is to be periodically updated; the most current draft version of the handbook was released in September 2005. In addition, on August 10, 2005, GSA issued a memorandum to agency officials that specified standardized procedures for acquiring FIPS 201- compliant commercial products that have passed NIST's conformance tests. According to the GSA guidance, agencies are required to use these standardized acquisition procedures when implementing their FIPS 201 compliant systems. Figure 4 is a time line that illustrates when FIPS 201 and additional guidance were issued as well as the major deadlines for implementing the standard. Figure 4: Time Line of FIPS 201 Related Activities: [See PDF for image] [End of figure] Agencies Have Taken Actions to Begin Implementing FIPS 201: The six agencies that we reviewed--Defense, Interior, DHS, HUD, Labor, and NASA--have each taken actions to begin implementing the FIPS 201 standard. Their primary focus has been on actions to address the first part of the standard, including establishing appropriate identity proofing and card issuance policies and procedures.[Footnote 15] For example, five of the six agencies had instituted policies to require that at least a successful fingerprint check be completed prior to issuing a credential; and the sixth agency, Defense, was in the process of having such a policy instituted. Regarding other requirements, efforts were still under way. For example, Defense and NASA reported that they were still making modifications to their background check policies. Four of the six agencies were still updating their policies and procedures or gaining formal agency approval for them. Labor and HUD officials had completed modifications of their policies and gained approval for their PIV-I processes. Agencies have begun to take actions to address the second part of the standard, which focuses on interoperable smart card systems. Defense and Interior, for example, have conducted assessments of technological gaps between their existing systems and the infrastructure required by FIPS 201, but they have not yet developed specific designs for card systems that meet FIPS 201 interoperability requirements. Department of Defense: Defense has been working on implementing smart card technology since 1993, when the Deputy Secretary of Defense issued a policy directive that called for the implementation of the CAC program, a standard smart card-based identification system for all active duty military personnel, civilian employees, and eligible contractor personnel. Defense began testing the CAC in October 2000 and started to implement it departmentwide in November 2001. Currently, the CAC program is the largest smart card deployment within the federal government, with approximately 3.8 million cards considered active or in use as of May 2005. The CAC addresses both physical and logical access capabilities and incorporates PKI credentials. Defense officials have taken steps to implement PIV-I requirements but have not yet completed all planned actions. For example, according to agency officials, Defense implemented its first PIV-I compliant credential issuance station, accredited and trained designated individuals to issue credentials, and took steps to better secure access to Defense personnel data. However, at the time of our review, Defense was still drafting modifications to the department's background check policy to meet PIV-I requirements, and agency officials expected to issue a revised policy by the end of December 2005. Work was also under way to modify an automated system used by contractors to apply for the CAC to comply with the PIV-I background check requirements for contractors. To address PIV-II, Defense program officials conducted an assessment to identify the technological gaps between their existing CAC infrastructure and the infrastructure required to meet PIV-II interoperability requirements. This assessment identified that of the 245 requirements specified by FIPS 201, the CAC did not support 98 of those requirements, which led to a strategy to implement each of the needed changes. Some of the changes include deploying cards that contain both contact and contactless capabilities; ensuring that information on the cards is in both visual and electronic form; and ensuring that the electronic credentials stored on PIV cards to verify a cardholder's identity contain all required data elements, including the cardholder's PIN, PIV authentication data (PKI encryption keys and corresponding digital certificates), and two fingerprints. Additionally, program officials prepared rough cost estimates for specific elements of their planned implementation, such as cards and card readers. Program officials have also begun developing agency- specific PIV applications to be stored on the cards. However, Defense has not yet developed a specific design for a card system that meets FIPS 201 interoperability requirements. Department of the Interior: In January 2002, Interior's Bureau of Land Management (BLM) launched a smart card pilot project to help improve security over its sites and employees. About 2,100 employees were given smart cards for personal ID and for access to sites in the pilot program. Having successfully implemented the smart card pilot at BLM, Interior began a program to implement smart cards agencywide. According to program officials, the agencywide smart card system is in compliance with the GSC-IS specification. As of October 19, 2005, the department had deployed approximately 20,000 smart cards, providing access control for approximately 25 buildings. Interior officials have taken steps to implement PIV-I requirements but have not yet had their system accredited or approved, as required by the standard. For example, Interior revised its policy on identity proofing and registration to require at least a fingerprint check be completed before issuing a credential. Regarding card issuance and maintenance processes, Interior revised its policies to include steps to ensure the completion and successful adjudication of a NACI or equivalent background investigation for all employees and contractor personnel. Additionally, Interior officials reported they had completed more than 90 percent of all required background checks for existing employees, and had signed a contract to develop a Web-enabled PIV-I identity proofing and registration process, which may eventually replace the current manual process. However, as of November 2005, Interior's identity proofing, registration, issuing, and maintenance processes had not been accredited or approved by the head of the agency. Regarding privacy protection, according to the officials, they had completed two privacy impact assessments on systems containing personal information for the purposes of implementing PIV-I. To meet PIV-II requirements, Interior officials reported that they had established a pilot PKI and had also conducted a gap analysis to identify specific areas in which their existing smart card system does not meet the FIPS 201 standard. In the absence of approved FIPS 201 compliant products, they had not developed a specific design for a card system that meets FIPS 201 interoperability requirements. Department of Homeland Security: Prior to the issuance of FIPS 201, DHS developed a smart card-based identification and credentialing pilot project that was intended to serve as a comprehensive identification and credentialing program for the entire department when fully deployed. This effort was based on the GSC-IS specification and was intended to use PKI technology for logical access and proximity cards that are read by electronic readers to gain building access. As of November 2005, program officials indicated that they had deployed approximately 150 cards as part of this effort. However, OMB directed DHS to not issue smart cards until it had developed and implemented a system based on cards that are fully compliant with the PIV-II section of FIPS 201. DHS officials have taken steps to implement PIV-I requirements but, as of November 2005, were still making necessary modifications to their policies and procedures. For example, DHS revised its policy on identity proofing and registration to require at least a fingerprint check be completed before issuing a credential. However, other DHS actions to implement PIV-I were still under way. For example, according to DHS officials, they had not yet fully implemented the requirements to ensure that background checks are successfully adjudicated or to establish a credential revocation process. DHS officials further stated that they were finalizing a security announcement that would outline the PIV-I process. DHS officials had begun to take actions to meet PIV-II requirements. According to program officials, to help plan and prepare the agency for deployment, they conducted a survey of all DHS components to determine the types of information systems their various components had deployed. However, officials have planned to wait until approved FIPS 201 products and services are available before purchasing any equipment or undergoing any major deployment of a PIV-II compliant system. National Aeronautics and Space Administration: NASA officials indicated that they had been working to improve their identity and credentialing process since 2000. Prior to the issuance of FIPS 201, NASA officials were planning for the implementation of the One NASA Smart Card Badge project. This project was intended to be deployed agencywide and was being designed to provide GSC-IS compliant smart cards for identity, physical access, and logical access to computer systems. However, NASA officials were directed by OMB to not implement this system because it had not initiated large-scale deployment of its smart cards prior to July 2005. In the meantime, NASA has been utilizing proximity cards,[Footnote 16] which are read by electronic readers, to gain building access. NASA officials have taken steps to implement PIV-I requirements; but, as of November 2005, they were still making necessary modifications to their policies and procedures. For example, regarding identity proofing and registration, NASA officials stated that they had modified their policy to address the fingerprint check requirement. According to NASA officials, they have also implemented a process for gathering all required data elements from individuals, with the exception of the biometric data. In addition, NASA officials conducted an analysis of how FIPS 201 requirements impact security within NASA. Other NASA actions to implement PIV-I were still under way. For example, NASA was getting its revised policy approved which specifies the completion and successful adjudication of the NACI. Regarding privacy protection, NASA was updating its privacy impact assessments for relevant systems containing personal information for the purpose of implementing PIV-I. NASA has begun to take actions to implement PIV-II requirements. NASA officials said they were planning to modify their existing PKI to issue digital certificates that can be used with the PIV cards that will be issued under FIPS 201. In the absence of approved FIPS 201 compliant products, NASA has not developed specific designs for a card system that meets FIPS 201 interoperability requirements. Department of Housing and Urban Development: HUD did not have an existing smart card program in place prior to HSPD- 12. Like NASA, HUD controls physical access to its buildings by using proximity cards that are read by electronic readers. HUD officials reported that they have taken steps to implement PIV-I requirements. To meet identity proofing and registration practices, for example, officials modified their policies to require that at least a fingerprint check be completed before issuing a credential. Policies regarding card issuance and maintenance processes were also modified to ensure that all necessary steps were in place regarding the completion and successful adjudication of a NACI or another equivalent background investigation. Additionally, HUD issued guidelines explaining policies and procedures to ensure that the issuance of credentials complies with PIV-I. Program officials have also been analyzing the differences between their existing processes and those required by FIPS 201. As of January 2006, HUD's identity proofing, registration, issuing, and maintenance processes were approved by HUD's Assistant Secretary for Administration, as required by PIV-I. Finally, regarding privacy protections, officials have drafted a document describing how personal information will be collected, used, and protected throughout the lifetime of the FIPS 201 cards. Thus far, HUD's actions related to PIV-II have been limited to analyzing their needs and planning for physical security and information technology infrastructure requirements. HUD officials said they had developed rough estimates to determine how much implementing FIPS 201 would cost. In the absence of approved FIPS 201 compliant products, HUD officials have not developed a specific design for a card system that meets FIPS 201 interoperability requirements. Department of Labor: Like HUD, Labor did not have an existing smart card program in place prior to HSPD-12. Labor currently utilizes a nonelectronic identity card that contains an employee's photograph and identifying information. The identity cards can only be used for physical access, which is granted by security personnel once they have observed the individual's identity card. As of November 2005, Labor officials reported that they had implemented the major requirements of PIV-I. As an example of Labor's efforts to implement identity proofing and registration requirements, the officials modified their policies to require that, at minimum, a fingerprint check is conducted and successfully adjudicated prior to issuing the credential. Regarding issuance and maintenance processes, Labor officials modified their policies to ensure all necessary steps were in place regarding the completion and successful adjudication of the NACI or another equivalent background investigation. In addition, the officials reported that they had implemented a system of tracking metrics for background investigations to ensure that they are completed and successfully adjudicated. Labor officials stated that they had not made substantial progress toward implementing PIV-II because they were waiting for compliant FIPS 201 products to become available before making implementation decisions. The Federal Government Faces Challenges in Implementing FIPS 201: The federal government faces a number of significant challenges to implementing FIPS 201, including testing and acquiring compliant products within OMB's mandated time frames; reconciling divergent implementation specifications; assessing risks associated with implementing the recently-chosen biometric standard; incomplete guidance regarding the applicability of FIPS 201 to facilities, people, and information systems; and planning and budgeting with uncertain knowledge and the potential for substantial cost increases. Addressing these challenges will be critical in determining whether agencies will be able to meet fast-approaching implementation deadlines and in ensuring that agencies' FIPS 201 systems are interoperable with one another. Testing and Acquiring Compliant Products within OMB-Mandated Time Frames: Based on OMB and GSA guidance, all commercial products, such as smart cards, card readers, and related software, are required to successfully complete interdependent tests before agencies can purchase them for use in their FIPS 201 compliant systems. These tests include (1) conformance testing developed by NIST to determine whether individual commercial products conform to FIPS 201 specifications, (2) performance and interoperability testing to be developed by GSA to ensure that compliant products can work together to meet all the performance and interoperability requirements specified by FIPS 201, and (3) agencies' testing to determine whether the products will work satisfactorily within the specific system environments at each of the agencies. Because it is difficult to predict how long each of these tests will take, and because they must be done in sequence, fully tested FIPS 201 compliant products may not become available for agencies to acquire in time for them to begin issuing FIPS 201 compliant ID cards by OMB's deadline of October 27, 2006. According to NIST officials, conformance testing of individual commercial products, based on the test suite developed by NIST, was authorized to begin on November 1, 2005. The officials indicated that it would take a minimum of several weeks to test and approve a product--assuming the product turned out to be fully FIPS 201 compliant--and would more likely take significantly longer. Experience with similar NIST conformance testing regimes, such as FIPS 140-2 cryptography testing, has shown that this process can actually take several months. According to a FIPS 140-2 consulting organization,[Footnote 17] the variability in the time it takes to test products depends on (1) the complexity of the product, (2) the completeness and clarity of the vendor's documentation, (3) how fast the vendor is able to answer questions and resolve issues raised during testing, and (4) the current backlog of work encountered in the lab. According to officials from NIST and the Smart Card Alliance,[Footnote 18] these factors are likely to keep FIPS 201 compliant products from completing conformance testing and becoming available for further testing until at least the early part of 2006. Furthermore, once commercial products pass conformance testing, they must then go through performance and interoperability testing. These tests are intended to ensure that the products meet all the performance and interoperability requirements specified by FIPS 201. According to GSA, which was developing the tests, they can only be conducted on products that have passed NIST conformance testing. GSA will also conduct performance and interoperability tests on other products that are required by FIPS 201, but not within the scope of NIST's conformance tests, such as smart card readers, fingerprint capturing devices, and software required to program the cards with employees' data. At the time of our review, GSA officials stated that they were developing initial plans for these tests and had planned to have the tests ready in March 2006. GSA officials indicated that once they finalized the tests, they estimated that it would take approximately 2 to 3 months to test each product. Officials stated that they do not expect to have multiple products approved until May 2006, at the earliest. Vendors with approved products and services will be awarded a blanket-purchase agreement, making them available for agencies to acquire. According to GSA officials, there will be a modification to the Federal Acquisition Regulation to require that agencies purchase PIV products through this blanket-purchase agreement. Prior to purchasing commercial products, each agency will also need to conduct its own testing to determine how well the products will work in conjunction with the rest of the agency's systems. According to agency officials, this process could take from 1 to 8 months, depending on the size of the agency. For example, GSA officials estimated that a small agency could complete this testing in about 1 month. Defense officials, in contrast, estimated it would take them about 4 months to conduct testing, and Interior officials have stated that, based on their prior experience, it would take 6 months to conduct the testing. When Defense initially implemented their CAC system, it took 8 months to conduct testing. Following this series of tests, agencies must also acquire products--which could add at least an additional month to the process- -and install them at agency facilities. OMB, which is tasked with ensuring compliance with the standard, has not indicated how it plans to monitor agency progress in developing systems based on FIPS 201 compliant products. For example, OMB has not stated whether it will require agencies to report on the status of their FIPS 201 implementations in advance of the October 2006 deadline. While in the best case scenario it may be possible for some agencies to purchase compliant products and begin issuing FIPS 201 compliant cards to employees by OMB's deadline of October 27, 2006, it will likely take significantly longer for many other agencies. With compliance testing scheduled to be complete in early 2006 and at least two sets of additional testing required, each of which could potentially take many months, many agencies are likely to be at risk of not meeting the deadline to begin issuing FIPS 201 compliant credentials. Given these uncertainties, it will be important to monitor agency progress and completion of key activities to ensure that the goals of HSPD-12 are being met. Reconciling Divergent Implementation Specifications: Recognizing that some agencies, such as Defense, have significant investments in prior smart card technology that does not comply with the new standard, NIST, in supplemental guidance on FIPS 201,[Footnote 19] allowed such agencies to address the requirements of FIPS 201 by adopting a "transitional" smart card approach. According to the guidance, the transitional approach should be based on the existing GSC- IS specification and should be a temporary measure prior to implementing the full FIPS 201 specification, known as the "end point" specification. Agencies without existing large-scale smart card systems were to implement only systems that fully conform to the end-point specification. NIST deferred to OMB to set time frames for when agencies adopting the transitional approach would be required to reach full compliance with the end-point specification. However, OMB has not yet set these time frames and has given no indication of how or when it plans to address this issue. The provision for transitional FIPS 201 implementations in NIST's guidance acknowledges that agencies with fully implemented GSC-IS smart card systems may already be meeting many of the security objectives of FIPS 201 and that it may be unreasonable to require them to replace all of their cards and equipment within the short time frames established by HSPD-12. However, according to NIST officials, the transitional specification is not technically interoperable with the end-point specification. Thus, cards issued by an agency implementing a transitional system will not be able to interoperate with systems at agencies that have implemented the end-point specification until those agencies implement the end-state specification, too. Although allowing for the transitional approach to FIPS 201 compliance in their guidance, NIST stated that agencies should implement the end- point specification directly, wherever possible. According to NIST, agencies that adopt the transitional specification will have to do more work than if they immediately adopt the end-point specification. Specifically, major technological differences between the two interfaces will require agencies to conduct two development efforts-- one to adopt the transitional specification and then another at a later date to adopt the end-point specification. Agencies with substantial smart card systems already deployed--such as Defense and Interior--have chosen the transitional option because they believe it poses fewer technical risks than the end-point specification, which is a new standard. These agencies do not plan to implement end-point systems by the October 2006 deadline for PIV-II compliance, nor have they determined when they will have end-point systems in place. According to OMB, these agencies will be allowed to meet OMB's October 2006 deadline by implementing the transitional specification. Defense officials stated that, based on their past experience in implementing the CAC system, they believe the transitional approach will entail fewer development problems because it involves implementing hardware and software that is similar to their current system. Further, Defense officials indicated that implementing the end-point specification would be risky. For example, Defense officials conducted a technical evaluation, which determined that the specification was incomplete. The officials stated that they would not plan to adopt the end-point specification until at least one other agency has demonstrated a successful implementation. Similarly, Interior officials said they also plan to use products based on the transitional specification until approved end-point products are readily available. While NIST and OMB guidance on FIPS 201 compliance allows agencies to meet the requirements of HSPD-12 using two divergent specifications that lead to incompatible systems, it does not specify when agencies choosing the transitional approach need to move from that approach to the end-point specification. Until OMB provides specific deadlines for when agencies must fully implement the end-point specification, achieving governmentwide interoperability--one of the goals of FIPS 201--may not be achieved. Assessing Risks Associated with Implementing the Recently-Chosen Biometric Standard: One of the major requirements of FIPS 201 is that electronic representations of two fingerprints be stored on each PIV card. In January 2005, NIST issued initial draft guidance for storing electronic images of fingerprints on PIV cards in accordance with a preexisting standard. NIST based its draft guidance on the fact that the existing fingerprint image standard is internationally recognized and thus can facilitate interoperability among multiple vendors' products. When agency officials and industry experts reviewed and commented on the initial draft guidance, they were strongly opposed to the use of fingerprint images, arguing instead for a more streamlined approach that would take less electronic storage space on the cards and could be accessed more quickly. According to industry experts, because the large amount of memory required for images can only be accessed very slowly, it could take approximately 30 seconds for card readers to read fingerprint information from an electronic image stored on a card--a length of time that would likely cause unacceptable delays in admitting individuals to federal buildings and other facilities. Instead of relying on electronic images, agency officials and industry experts advocated that the biometric guidance instead be changed to require the use of "templates" extracted from fingerprint "minutiae." A minutiae template is created by mathematically extracting the key data points related to breaks in the ridges of an individual's fingertip. As shown in figure 6, the most basic minutiae are ridge endings (where a ridge ends) and bifurcations (where a single ridge divides into two). Using minutiae templates allows for capturing only the critical data needed to confirm a fingerprint match, and storing just those key data points rather than a full representation of an individual's fingerprint. Thus, this technique requires much less storage space than a full electronic image of a fingerprint. Figure 5: Common Fingerprint Feature: [See PDF for image] [End of figure] An additional benefit of using minutiae templates is rapid processing capability. Because minutiae data require a much smaller amount of storage space than fingerprints in image format, the smaller data size allows for decreased transmission time of fingerprint data between the cards and the card readers--approximately 7 to 10 seconds, according to industry experts at Smart Card Alliance. Short transmission times are especially important for high traffic areas such as entrances to federal buildings.[Footnote 20] Despite these advantages, existing minutiae template technology suffers from two significant drawbacks. One disadvantage is that vendors' techniques for converting fingerprint images to minutiae are generally proprietary and incompatible; a minutiae template that one vendor uses cannot be used by another. Another disadvantage of template technology is its questionable reliability. Different algorithms for extracting minutiae produce templates with varying reliability in producing accurate matches with the original fingerprints. To resolve these issues, NIST began systematically testing minutiae template algorithms submitted by 14 vendors to determine if it is possible to adopt a standard minutiae template that can accurately match templates to individuals. NIST officials anticipate that testing will be completed by February 2006, when they expect to be able to determine the accuracy and level of interoperability that can be achieved for the 14 vendors being tested, using standard minutiae templates. In December 2005, NIST officials stated that they had conducted enough tests to determine that the reliability, accuracy, and interoperability of minutiae data among these 14 vendors were generally within the bounds of what was likely to be required for many applications of the technology. However they noted that the tests showed that the products of the 14 vendors varied significantly in their reliability and accuracy--by as much as a factor of 10. NIST officials expect that once they complete testing in February 2006, they will have sufficient data to establish the reliability and accuracy of each of the 14 vendors. Despite the fact that the testing of minutiae template technology was still under way, NIST was requested by the Executive Office of the President to issue revised draft guidance[Footnote 21] that replaced the previously proposed image standard with a minutiae standard. While the minutiae standard resolves the problems of storage and access speed associated with the image standard, it opens new questions about how agencies should choose vendor implementations of the minutiae standard, due to their varying reliability and accuracy. Agencies will need to ensure that the vendors they select to provide minutiae template matching will provide systems that provide the level of reliability and accuracy needed for their applications. Agencies will also have to determine the level of risk they are willing to accept that fingerprints may be incorrectly matched or incorrectly fail to match. According to NIST officials, agencies may find that in order to preserve interoperability across agencies' systems, they may need to allow for less reliability and accuracy in determining whether fingerprints match. This reduction in reliability and accuracy--and the associated higher security risk--could pose problems for secure facilities that require very high levels of assurance. Further, according to NIST officials, any vendors beyond the 14 currently being tested would need to undergo similar testing in order to determine their levels of reliability and accuracy. If agencies do not fully understand the implications of the variation in accuracy among the biometric vendors, the security of government facilities could be compromised and interoperability between agencies could be hindered. Incomplete Guidance Regarding the Applicability of FIPS 201 to Facilities, People, and Information Systems: FIPS 201 and OMB's related guidance provide broad and general criteria regarding the facilities, people, and information systems that are subject to the provisions of FIPS 201. For instance, according to FIPS 201, compliant identification credentials must be issued to all federal employees and contractors who require physical access to federally controlled facilities--including both federally owned buildings and leased space--and logical access to federally controlled information systems. OMB guidance adds that agencies should make risk-based decisions on how to apply FIPS 201 requirements to individuals and information systems that do not fit clearly into the specified categories. For example, OMB guidance states that applicability of FIPS 201 for access to federal systems from a nonfederally controlled facility (such as a researcher uploading data through a secure Web site or a contractor accessing a government system from its own facility) should be based on a risk determination made by following NIST guidance on security categorizations for federal information and information systems (FIPS 199). Although this guidance provides general direction, it does not provide sufficient specificity regarding when and how to apply the standard. For example, OMB's guidance does not explain how NIST's security categories can be used to assess types of individuals accessing government systems. FIPS 199 provides guidance only on how to determine the security risk category of government information and information systems, not how such a category relates to providing access from nonfederally controlled facilities. As a result, agencies are unlikely to make consistent determinations about when and how to apply the standard. HUD is one example of an agency that has not been able to finalize how it would implement FIPS 201, with regard to allowing access to federal information systems from remote locations; and according to a HUD official, they are considering multiple options. Further, the guidance does not address all categories of people who may need physical and logical access to federal facilities and information systems. Specifically, for individuals such as foreign nationals, volunteers, and unpaid researchers, meeting some of the FIPS 201 requirements--such as conducting a standard background investigation-- may be difficult. For example, Defense and NASA employ a significant number of foreign nationals--individuals who are not U.S. citizens and work outside the U.S. foreign nationals generally cannot have their identity verified through the standard NACI process. In order to conduct a NACI, an individual must have lived in the United States long enough to have a traceable history, which may not be the case for foreign nationals. According to NASA officials, approximately 85 percent of NASA's staff at its Jet Propulsion Laboratory are foreign nationals. However, OMB's guidance for such individuals states only that agencies should conduct an "equivalent investigation," without providing any specifics that would ensure the consistent treatment of such individuals. Specifically regarding foreign nationals, the Smart Card Interagency Advisory Board (IAB) and OMB have recognized that FIPS 201 may not adequately address this issue. The IAB obtained data from agencies who hire foreign nationals to more specifically identify the issues with identity proofing of foreign nationals. According to IAB representatives, these data were provided to OMB. In addition, OMB indicated that they planned to establish an interagency working group to assess whether additional guidance is necessary concerning background investigations for foreign nationals. However, no time frames have been set for issuing revised or supplemental guidance regarding foreign nationals. In addition to foreign nationals, other types of workers also have not been addressed. For example, Interior has approximately 200,000 individuals that serve as volunteers, some of whom require access to facilities and information systems. OMB's guidance provides no specifics on what criteria to use to make a risk-based decision pertaining to access to facilities and systems by volunteers. Moreover, the guidance is not clear on the extent to which FIPS 201 should be implemented at all federal facilities. While the standard provides for a range of identity authentication assurance levels based on the degree of confidence in the identity of cardholders,[Footnote 22] it does not provide guidance on establishing risk levels for specific facilities or how to implement FIPS 201 based on an assessment of the risks associated with facilities. Therefore, agencies such as HUD, which has 21 field offices with five or fewer employees, and Interior, which has 2,400 field offices, many of which are also quite small, do not have the guidance necessary to make decisions consistently about how to implement FIPS 201 at each of their facilities. Depending on how risks are assessed, to implement a FIPS 201 compliant access control system at each facility could represent a significant expense, including possibly acquiring and installing card readers, network infrastructure, biometric hardware and software. As of November 2005, OMB officials reported no specific plans to supplement or revise its FIPS 201 implementation guidance to address these issues. Without more specific and complete guidance on the scope of implementing FIPS 201 regarding individuals, facilities, and information systems, the objectives of HSPD-12 could be compromised. For instance, agencies could adopt varying and inconsistent approaches for identity proofing and issuing PIV cards to foreign nationals and volunteers needing physical and logical access to their facilities and information systems, thus undermining the objective of FIPS 201 to establish consistent processes across the government. Variations from the standard could also pose problems within each agency. Specifically, if agencies choose to make exceptions to implementing FIPS 201 requirements for specific categories of individuals, information systems, or facilities, such exceptions could undermine the security objectives of the agency's overall FIPS 201 implementation. Conversely, some agencies could expend resources implementing FIPS 201 infrastructure at locations where it is not really needed or may impose unnecessary constraints on access, due to the lack of clarity of FIPS 201 guidance. Planning and Budgeting with Uncertain Knowledge: Agencies have been faced with having to potentially make substantial new investments in smart card technology systems with little time to adequately plan and budget for such investments and little cost information about products they will need to acquire. To comply with budget submission deadlines, agencies would have had to submit budget requests for new systems to meet the October 2006 PIV-II deadline in the fall of 2004, several months prior to the issuance of FIPS 201. If a major information technology (IT) investment were expected, agencies also would have had to submit business cases at the same time. Agencies were not in a position to prepare such documentation in the fall of 2004, nor were they able to determine whether a major new investment would be required. As part of the annual federal budget formulation process, agencies are required to submit their budget requests 1 year in advance of the time they expect to spend the funds. In addition, in the case of major IT investments, which could include new smart-card based credentialing systems, OMB requires agencies to prepare and submit formal businesses cases, which are used to demonstrate that agencies have adequately defined the proposed cost, schedule, and performance goals for the proposed investments.[Footnote 23] In order for agencies to prepare business cases for future funding requests, they need to conduct detailed analyses such as a cost-benefit analysis, a risk analysis, and an assessment of the security and privacy implications of the investment. However, agencies have lacked the information necessary to conduct such reviews. For example, agencies have not had reliable information about product costs and cost elements, which are necessary for cost-benefit analyses. In addition, without FIPS 201 compliant products available for review, agencies have been unable to adequately conduct risk analyses of the technology. Most importantly, the lack of FIPS 201 compliant products has inhibited planning for addressing the investment's security and privacy issues. Several officials from the agencies we reviewed reported that they based their cost estimates on experience with existing smart card systems because they could not predict the costs of FIPS 201 compliant products. For example, HUD officials reported that in order to formulate their preliminary budget, they developed implementation estimates based on discussions with various vendors about similar technology as well as discussions with other agencies regarding their past experiences with smart card implementation. Furthermore, Defense and Labor officials reported that the only information they had on which to base costs was Defense's CAC--a smart card system that has significant differences from FIPS 201. While it is not known how much FIPS 201 compliant systems will cost, OMB maintains that agencies should be able to fund their new FIPS 201 compliant systems with funds they are spending on their existing ID and credentialing systems. However, officials from agencies such as HUD-- who stated that they estimate that implementing a FIPS 201 system will cost approximately 400 percent more than their existing identification system--have indicated that existing funds will be insufficient to finance implementation of the FIPS 201 system. As of November 2005, OMB officials did not report any specific plans to monitor agencies' funding of FIPS 201 compliant card systems to ensure that the systems can be implemented in a timely fashion. As a result of the lack of cost and product information necessary for the development of accurate budget estimates, agency officials believe they may not have sufficient funds to implement FIPS 201 within the time frames specified by OMB. Further, the overall implementation schedules and planned performance of FIPS 201 investments across the government could be affected. Conclusions: Agencies have been focusing their efforts on a range of actions to establish appropriate identity proofing and card issuance policies and procedures to meet the first part of the FIPS 201 standard. They have also begun to take actions to implement new smart card-based ID systems that will be compliant with the second part of the standard. With the deadline for implementing the second part of the standard approaching in October 2006, the government faces significant challenges in implementing the requirements of the standard. Several of these challenges do not have easy solutions--testing and acquiring compliant smart cards, card readers, and other related commercial products within OMB-mandated deadlines; implementing fully functional systems; and planning and budgeting for FIPS 201 compliance with uncertain knowledge. OMB officials have not indicated any plans to monitor the impact on agencies of the constrained testing time frames and funding uncertainties, which could put agencies at risk of not meeting the compliance goals of HSPD-12 and FIPS 201. Without close monitoring of agency implementation progress through, for example, establishing an agency reporting process, it could be difficult for OMB to fulfill its role of ensuring that agencies are in compliance with the goals of HSPD-12. Other challenges have arisen because guidance to agencies has been incomplete. For example, time frames have not been set for agencies implementing transitional smart card systems to migrate to the fully compliant end-point specification. Additionally, existing guidance related to the draft biometric standard does not offer the necessary information to help agencies understand the implications of variation in the reliability and accuracy of fingerprint matching among the biometric systems being offered by vendors. Further, complete guidance for implementing FIPS 201 with regard to specific types of individuals, facilities, and information systems has not been established. Without more complete time frames and guidance, agencies may not be able to meet implementation deadlines; and more importantly, true interoperability among federal government agencies' smart card programs--one of the major goals of FIPS 201--could be jeopardized. Recommendations: We recommend that the Director, OMB, take steps to closely monitor agency implementation progress and completion of key activities by, for example, establishing an agency reporting process, to fulfill its role of ensuring that agencies are in compliance with the goals of HSPD-12. Further, we also recommend that the Director, OMB, amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to take the following three actions: * provide specific deadlines by which agencies implementing transitional smart card systems are to meet the "end-point" specification, thus allowing for interoperability of smart card systems across the federal government; * provide guidance to agencies on assessing risks associated with the variation in the reliability and accuracy among biometric products, so that they can select vendors that best meet the needs of their agencies while maintaining interoperability with other agencies, and: * clarify the extent to which agencies should make risk-based assessments regarding the applicability of FIPS 201 to specific types of facilities, individuals, and information systems, such as small offices, foreign nationals, and volunteers. The updated guidance should (1) include criteria that agencies can use to determine precisely what circumstances call for risk-based assessments and (2) specify how agencies are to carry out such risk assessments. Agency Comments and Our Evaluation: We received written comments on a draft of this report from the Administrator of E-Government and Information Technology of OMB, the Acting Associate Administrator of GSA, and the Deputy Secretary of Commerce. Letters from these agencies are reprinted in appendixes III through V. We received technical comments from the Director of the Card Access Office for Defense and, a Special Agent at OPM, via e-mail, which we incorporated as appropriate. We also received written technical comments from the Assistant Secretary for Administration for HUD and the Assistant Secretary of Policy, Management, and Budget for Interior. Additionally, representatives from NASA and Labor indicated via e-mail that they reviewed the draft report and did not have any comments. Officials from DHS did not respond to our request for comments. Officials from GSA, Commerce, HUD, Defense, Interior, and OPM generally agreed with the content of our draft report and our recommendations and provided updated information and technical comments, which have been incorporated where appropriate. In response to our recommendation that OMB monitor agency implementation progress and completion of key activities, OMB stated that it would continue to oversee agency implementation using their existing management and budget tools to ensure compliance. However, as agencies continue to move forward with implementing FIPS 201, we believe that in order for OMB to successfully monitor agencies' progress, it will be essential for OMB to develop a process specifically for agencies to report on their progress toward implementing the standard. Regarding our recommendation to OMB to amend or supplement government wide policy guidance regarding compliance with the HSPD-12 standard, OMB stated that it did not think that its guidance was incomplete. Officials stated that their guidance provides the appropriate balance between the need to aggressively implement the President's deadlines, while ensuring agencies have the flexibility to implement HSPD-12, based on the level of risk their facilities and information systems present. While we agree that it is important for agencies to have flexibility in implementing the standard based on their specific circumstances, we believe that OMB has not provided agencies with adequate guidance in order for them to make well-informed, risk-based decisions about when and how to apply the standard for important categories of individuals and facilities that affect multiple agencies. For example, while multiple agencies employ foreign nationals to work at their facilities, OMB does not provide guidance on how agencies should investigate these foreign nationals prior to allowing them to access U.S. government facilities and information systems. Similarly, several agencies maintain very small facilities, yet OMB does not provide guidance on the extent to which FIPS 201 should be applied at these facilities. In addition, guidance has not been provided on assessing risks associated with the variation in the reliability and accuracy among biometric products, so that agencies can select vendors that best meet their needs while maintaining interoperability across the government. Additionally, OMB indicated that at this time, they do not have a full understanding of whether interoperability among the transitional and end-point specifications is a concern and stated that it can not comment on our recommendation to specify the time frame for when agencies implementing transitional smart card systems are to implement the end-point specification. However, our review showed that these two specifications are not interoperable and, until all agencies implement the end-state specification the interoperability objective of HSPD-12 may not be achieved. In commenting on our report, GSA stated that they agreed with our findings, conclusions, and recommendations. In addition, it provided us with technical comments that we incorporated as appropriate. It also suggested that in order to fully demonstrate the scope and scale of implementing HSPD-12 and FIPS 201 that we provide, as background, the current state of identity management systems across the government and industry and the impact of compliance with HSPD-12. We believe that we have adequately explained the benefits of using smart card-based ID systems and have outlined several of the significant requirements that agencies must implement as part of their new PIV systems. In Commerce's written comments, it stated that our report was fair and balanced. It also provided technical comments that we incorporated, where appropriate. Additionally, OMB and Commerce noted that NIST's biometric specification had recently been revised. We have made changes to our report to reflect the revised specification. Unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretaries of Homeland Security, Labor, Interior, Defense, and HUD; the Directors of OMB, OPM and NIST; the Administrators of NASA and GSA; and interested congressional committees. In addition, the report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. Should you or your staff have any questions on matters discussed in this report, please contact me at (202) 512-6240 or by e-mail at [Hyperlink, koontzl@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Other contacts and key contributors to this report are listed in appendix VI. Sincerely yours, Signed by: Linda D. Koontz: Director, Information Management Issues: [End of section] Appendixes: Appendix I: Objectives, Scope, and Methodology: Our objectives were to determine (1) actions that selected federal agencies have taken to implement the new standard and (2) challenges that federal agencies are facing in implementing the standard. We reviewed Homeland Security Presidential Directive 12 (HSPD-12), Federal Information Processing Standards 201 (FIPS 201), related National Institute of Standards and Technology (NIST) special publications, Office of Management and Budget (OMB) guidance, and General Services Administration (GSA) guidance. On a nonprobability basis and using the results of the 2005 Federal Computer Security Report Card--which includes an assessment of agencies' physical security--and the results of our previous reports on federal agencies' progress in adopting smart card technology,[Footnote 24] we selected six agencies that represented a range of experience in implementing smart card-based identification systems. For example, we included agencies with no prior experience implementing smart card systems as well as agencies with years of experience in implementing smart card systems. The agencies we selected were the Departments of Defense, Interior, Homeland Security (DHS), Housing and Urban Development (HUD), Labor, and the National Aeronautics and Space Administration (NASA). To obtain information on the actions these agencies have taken and plan to take to implement the standard, we analyzed documentation such as agencies' implementation plans. We also interviewed officials from selected agencies to obtain additional information on the actions their agencies took. We reviewed the completeness and appropriateness of actions reported to us. However, we did not determine whether agencies were fully compliant with HSPD-12 and FIPS 201. To identify challenges and barriers associated with implementing the new federal identification (ID) standard, we analyzed documentation and interviewed program officials as well as officials from GSA, NIST, the Office of Personnel Management (OPM), and OMB. In addition, we presented the preliminary challenges that we identified to agency officials to obtain their feedback and concurrence on the challenges. We performed our work at the offices of Defense, Interior, DHS, HUD, Labor, NASA, NIST, OMB, OPM, and GSA in the Washington, D.C., metropolitan area from April 2005 to December 2005, in accordance with generally accepted government auditing standards. [End of section] Appendix II: NIST Guidelines on Implementing FIPS 201: NIST has issued several special publications providing supplemental guidance on various aspects of the FIPS 201 standard. These special publications are summarized below. NIST Special Publication 800-73, Interfaces for Personal Identity Verification, April 2005: SP 800-73 is a companion document to FIPS 201 that specifies the technical aspects of retrieving and using the identity credentials stored in a personal identity verification (PIV) card's memory. This special publication aims to promote interoperability among PIV systems across the federal government by specifying detailed requirements intended to constrain vendors' interpretation of FIPS 201.[Footnote 25] SP 800-73 also outlines two distinct approaches that agencies might take to become FIPS 201 compliant and specifies a set of requirements for each: one set for "transitional" card interfaces that are based on the Government Smart Card Interoperability Specification (GSC-IS), Version 2.1 and another set for "end-point" card interfaces that are more fully compliant with the FIPS 201 PIV-II card specification. Federal agencies that have implemented smart card systems based on the GSC-IS can elect to adopt the transitional specification as an intermediate step before moving to the end-point specification. However, agencies with no existing implementation are required to implement PIV systems that meet the end-point specification. SP 800-73 includes requirements for both the transitional and end-point specifications and is divided into the following three parts: * Part 1 specifies the requirements for a PIV data model that is designed to support dual interface (contact and contactless) cards. The mandatory data elements outlined in the data model are common to both the transitional and end-point interfaces and include strategic guidance for agencies that are planning to take the path of moving from the transitional interfaces to the end-point interfaces. * Part 2 describes the transitional interface specifications and is for use by agencies with existing GSC-IS based smart card systems. * Part 3 specifies the requirements for the end-point PIV card and associated software applications. NIST SP 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005: SP 800-79 is a companion document to FIPS 201 that describes the attributes that a PIV card issuer--an organization that issues PIV cards that comply with FIPS 201--should exhibit in order to be accredited. Agency officials need complete, accurate, and trustworthy information about their PIV credential issuers to make decisions about whether to authorize their operation. Agencies can use the guidelines in this document to certify and accredit[Footnote 26] the reliability of such organizations.[Footnote 27] There are four phases (initiation, certification, accreditation, and monitoring) in the certification and accreditation processes that cover a PIV credential issuer's ability to carry out its primary responsibilities in identity proofing and registration, PIV card creation and issuance, and PIV card life-cycle management. By following the guidelines, federal agencies should be able to accomplish the following: * Satisfy the HSPD-12 requirement that all identity cards be issued by PIV credential issuers whose reliability have been established by an official accreditation process; * Ensure that a PIV credential provider (1) understands the requirements in FIPS 201; (2) is reliable in providing the required services; and (3) provides credible evidence that its processes were implemented as designed and adequately documented the processes in its operations plan; * Ensure more consistent, comparable, and repeatable assessments of the required attributes of PIV credential issuers; * Ensure more complete, reliable, and trusted identification of federal employees and contractors in controlling access to federal facilities and information systems; and: * Make informed decisions in the accreditation process in a timely manner and by using available resources in an efficient manner. NIST SP 800-78, Cryptographic Algorithms and Key Sizes for PIV, April 2005: FIPS 201 specifies mechanisms for implementing cryptographic techniques[Footnote 28] to authenticate cardholders, secure the information stored on a PIV card, and secure the supporting infrastructure. SP 800-78 contains the technical specifications needed to implement the encryption technology specified in the standard, including cryptographic requirements for PIV keys (e.g., algorithm and key size) and information stored on the PIV card (i.e., requiring the use of digital signatures to protect the integrity and authenticity of information stored on the card). In addition, this document specifies acceptable algorithms and key sizes for digital signatures on PIV status information (i.e., digital signatures on the certificate revocation lists or online certificate status protocol status response messages) and card management keys, which are used to secure information stored in the PIV card. For additional information on public key infrastructure technology, see our 2001 report.[Footnote 29] NIST SP 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines (SP 800-73 Compliance), October 2005: SP 800-85 outlines a suite of tests to validate a software developer's PIV middleware[Footnote 30] and card applications to determine whether they conform to the requirements specified in SP 800-73. This special publication also includes detailed test assertions[Footnote 31] that provide the procedures to guide the tester in executing and managing the tests. This document is intended to allow (1) software developers to develop PIV middleware and card applications that can be tested against the interface requirements specified in SP 800-73; (2) software developers to develop tests that they can perform internally for their PIV middleware and card applications during the development phase; and (3) certified and accredited test laboratories to develop tests that include the test suites specified in this document and that can be used to test the PIV middleware and card applications for conformance to SP 800-73. NIST SP 800-87, Codes for the Identification of Federal and Federally Assisted Organizations, October 2005: SP 800-87 outlines the organizational codes necessary to establish the unique cardholder identifier numbers. [End of section] Appendix III: Comments from the Office of Management and Budget: EXECUTIVE OFFICE OF THE PRESIDENT: OFFICE OF MANAGEMENT AND BUDGET: WASHINGTON, D.C. 20503: January 6, 2006: Ms. Linda D. Koontz: Director: Information Management Issues: Government Accountability Office: 441 G Street, SW: Washington, DC 20548: Dear Ms. Koontz: Thank you for the opportunity to comment on Government Accountability Office's (GAO's) draft report titled "Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard" (GAO-06-178). We appreciate GAO's effort to determine the extent to which selected agencies have taken actions to implement the Federal Information Processing Standard (FIPS) 201 and your analysis of the challenges facing the Federal government during implementation. While agencies are implementing their plans and taking the necessary steps to address many of the challenges, we acknowledge much more work must be done in order to be successful. Over the next year, we face a number of challenges in the areas of testing and acquiring commercial products and ensuring approved products are available in time for agency implementation. I am pleased to report the recent progress made in the area of biometrics. On December 15, 2005, the National Institute of Standards and Technology (NIST) posted Draft NIST Special Publication 800-76, "Biometric Data Specification for Personal Identity Verification." This progress ensures compliant identification cards using biometric technology will be available in time to meet the Federal government's upcoming deadlines. We suggest the draft report be updated to reflect this progress. In the draft report, GAO made two recommendations to the Office of Management and Budget (OMB). They are as follows: 1. The Director of OMB should take steps to closely monitor agency implementation progress and key activities. As required by the Directive, OMB will continue to oversee agency implementation using our numerous management and budget tools to ensure compliance. 2. OMB should amend or supplement government-wide policy guidance regarding compliance with the HSPD-12 standard. We disagree with GAO's assertion that our guidance is "incomplete." Our guidance provides the appropriate balance between the need to aggressively implement the President's deadlines while ensuring agencies have the flexibility to implement Directive based on the level of risk their facilities and information systems present. The Federal government operates a wide variety of information systems and facilities. Any guidance developed by OMB could neither properly nor appropriately address every type of situation. It does not make sense to treat a remote location in Wyoming the same as a government office building in Washington D.C. In your draft report, you mention there is no consistent guidance for volunteers and unpaid researchers. Given that agencies operate in a wide variety of situations, it is extremely important for the head of the agency to say whether a volunteer cleaning up campsites at Yellowstone National Park should be handled the same way as a volunteer who is filing Social Security Administration records. We firmly believe departments and agencies should have flexibility to make these determinations on the basis of the risks they face. While it may appear to promote uniformity to attempt to provide guidance on how to implement HSPD-12 in every single situation, this approach will not ensure facilities and information systems are appropriately secured in a manner balancing cost and risk. Your draft report requested OMB to provide specific deadlines by which agencies implementing transitional smart card systems are to meet the "end-point" specification, thus allowing for interoperability of smart card. As reported by NIST, both interfaces share the same data content and format requirements, thus interoperability may not be a concern. OMB will be in a better position to comment on this recommendation once the first round of products have completed conformance testing and we have a better understanding if interoperability is a concern. Thank you for the opportunity to review and comment on your draft report on this important issue. Sincerely, Signed by: Karen S. Evans: Administrator for E-Government and Information Technology: Office of Management and Budget: [End of section] Appendix IV: Comments from the General Services Administration: GSA: GSA Office of Governmentwide Policy: JAN 06 2005: Ms. Linda D. Koontz: Director, Information Management Issues: General Accounting Office: 441 G Street NW. Washington DC 20548: Dear Ms. Koontz: We appreciate the opportunity to provide comments to the General Accounting Office (GAO) draft report GA)-06-178 "ELECTRONIC GOVERNMENT: Agencies Face Challenges in Implementing New Federal Employee Identification Standard". We agree that the Federal Government faces major challenges in the governmentwide implementation of Homeland Security Presidential Directive 12. There has never been such a broad directive in establishing identity management and security standards and requirements for systems' interoperability on a governmentwide basis. We have seen extraordinary efforts by multiple Federal agencies to work collaboratively to meet the mandates of the Presidential Directive. These efforts have produced the Personal Identity Verification Standard for the Federal Government and associated technical specifications and implementation guidance in incredibly short timeframes. This alone is a major accomplishment. However, the Presidential Directive also calls for the deployed systems and credentials to interoperate in supporting authentication for both physical and logical access. This will require product and systems testing and integration on an enormous scale. While there are huge benefits within and external to the Federal Government to such an undertaking, there are certainly major challenges for all agencies and industry partners to meet mandated implementation timeframes and objectives. As a general comment, we believe that the report is well written and accurate. However, we are doubtful that uninitiated readers will fully comprehend the full impacts and scale in implementing the Presidential Directive. In order for readers of this report to truly understand the scope and scale of the governmentwide effort mandated by the Presidential Directive, we recommend that the GAO report provide as background the context of the current state of identity management systems across government and industry (e.g., current stand-alone systems, no common standards, no interoperability across systems, no industry inter-operability testing) and the impacts of "end-state" compliance with the Presidential Directive and the resulting increase to governmentwide security and systems' interoperability. We are providing specific comments to the draft audit as an enclosure. Any questions should be directed to Mary Mitchell, Deputy Associate Administrator, Office of Technology Strategy, at 202-501-0202. Sincerely, Signed by: John G. Sindelar: Acting Associate Administrator: Enclosure: [End of section] Appendix V: Comments from the Department of Commerce: THE DEPUTY SECRETARY OF COMMERCE: Washington, D.C. 20230: January 11, 2006: Ms. Linda Koontz: Director, Information Management Issues: Government Accountability Office: 441 G Street NW, Room 4T21: Washington, D.C. 20548: Dear Ms. Koontz: Thank you for the opportunity to review and comment on the draft Government Accountability Office (GAO) report entitled "Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard" (GAO-06-178). Overall, the draft report is fair and balanced. There are, however, two areas that we believe should be revised in light of information provided in the enclosure. These areas include the card interface characteristics reported by the Department of Defense to GAO, and the status of the Biometrics Interface Specification [National Institute of Standards and Technology Special Publication 800-76]. Since the initiation of the draft report there has been significant progress in biometrics standards development that has led to a change to the context for the report's recommendations. We are looking forward to receiving your final report. Please contact Steve Willett on (301) 975-8707, should you have any questions regarding this response. Sincerely yours, Signed by: David A. Sampson: Enclosure: [End of section] Appendix VI: Contacts and Staff Acknowledgments: GAO Contact: John de Ferrari, (202) 512-6335: Staff Acknowledgments: In addition to the person named above, Devin Cassidy, Derrick Dicoi, Neil Doherty, Sandra Kerr, Steven Law, Shannin O'Neill, and Amos Tevelow. [End of section] Glossary: Application programming interface: The interface between the application software and the application platform (i.e., operating system), across which all services are provided. Authentication: The process of confirming an asserted identity with a specified or understood level of confidence. Authorization: The granting of appropriate access privileges to authenticated users. Biometrics: Measures of an individual's unique physical characteristics or the unique ways that an individual performs an activity. Physical biometrics include fingerprints, hand geometry, facial patterns, and iris and retinal scans. Behavioral biometrics include voice patterns, written signatures, and keyboard typing techniques. Biometric template: A digital record of an individual's biometric features. Typically, a "livescan" of an individual's biometric attributes is translated through a specific algorithm into a digital record that can be stored in a database or on an integrated circuit chip. Card edge: The set of command and response messages that allow card readers to communicate effectively with the chips embedded on smart cards. Certificate: A digital representation of information that (1) identifies the authority issuing the certificate; (2) names or identifies the person, process, or equipment using the certificate; (3) contains the user's public key; (4) identifies the certificate's operational period; and (5) is digitally signed by the certificate authority issuing it. A certificate is the means by which a user is linked--"bound"--to a public key. Confidentiality: The assurance that information is not disclosed to unauthorized entities or computer processes. Contactless smart card: A smart card that can exchange information with a card reader without coming in physical contact with the reader. Contactless smart cards use 13.56 megahertz radio frequency transmissions to exchange information with card readers. Credential: An object such as a smart card that identifies an individual as an official representative of a government agency. Digital signature: The result of a transformation of a message by means of a cryptographic system using digital keys such that a relying party can determine (1) whether the transformation was created using the private key that corresponds to the public key in the signer's digital certificate and (2) whether the message has been altered since the transformation was made. Digital signatures may also be attached to other electronic information and programs so that the integrity of the information and programs may be verified at a later time. Electronic credentials: The electronic equivalent of a traditional paper-based credential--a document that vouches for an individual's identity. Identification: The process of determining to what identity a particular individual corresponds. Identity: The set of physical and behavioral characteristics by which an individual is uniquely recognizable. Identity proofing: The process of providing sufficient information, such as identity history, credentials, and documents, to facilitate the establishment of an identity. Interoperability: The ability of two or more systems or components to exchange information and to use the information that has been exchanged. Middleware: Software that allows applications running on separate computer systems to communicate and exchange data. Minutiae: Key data points--especially ridge bifurcations and end lines--within an individual's fingerprint that can be extracted and used to match against the same individual's live fingerprint. Online certificate status protocol: A communications protocol that is used to determine whether a public key certificate is still valid or has been revoked or suspended. Personal Identity Verification (PIV) card: A smart card that contains stored identity credentials--such as a photograph, digital certificate and cryptographic keys, or digitized fingerprint representations--that is issued to an individual so that the claimed identity of the cardholder can be verified against the stored credentials by another person or through an automated process. PIV issuer: An accredited and certified organization that procures FIPS 201 compliant blank smart cards, initializes them with appropriate software and data elements for the requested identity verification and access control application, personalizes the cards with the identity credentials of the authorized cardholders, and delivers the personalized cards to the authorized cardholders along with appropriate instructions for protection and use. PIV registrar: An entity that authenticates an individual's identity applying for a PIV card by checking the applicant's identity source documents through an identity proofing process, and to ensures that a proper background check was completed before the credential and the PIV card is issued to the individual. Privacy: The ability of an individual to control when and on what terms his or her personal information is collected, used, or disclosed. Public key infrastructure (PKI): A system of hardware, software, policies, and people that, when fully and properly implemented, can provide a suite of information security assurances--including confidentiality, data integrity, authentication, and nonrepudiation--that are important in protecting sensitive communications and transactions. Risk: The expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. Smart card: A tamper-resistant security device--about the size of a credit card-- that relies on an integrated circuit chip for information storage and processing. Standard: A statement published by organizations such as NIST, Institute of Electrical and Electronics Engineers, International Organization for Standardization, and others on a given topic--specifying the characteristics that are usually measurable, and must be satisfied in order to comply with the standard. (310733): FOOTNOTES [1] Interoperability is the ability of two or more systems or components to exchange information and to use the information exchanged. [2] Smart cards are plastic devices--about the size of a credit card-- that use integrated circuit chips to store and process data, much like a computer. This processing capability distinguishes these cards from traditional magnetic stripe cards, which cannot process or exchange data with automated information systems. [3] A biometric measures a person's unique physical characteristics (such as fingerprints, hand geometry, facial patterns, or iris and retinal scans) or behavioral characteristics (voice patterns, written signatures, or keyboard typing techniques) and can be used to recognize the identity, or verify the claimed identity, of an individual. [4] The term "smart card" also may be used to refer to cards with a computer chip that store information but do not provide any processing capability. Such cards, known as stored-value cards, are widely used for services such as prepaid telephone service or satellite television reception. [5] For more information about biometrics, see GAO, Technology Assessment: Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 2002). [6] PKI is a system of computers, software, and data that relies on certain cryptographic techniques for some aspects of security. For more information, see GAO, Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO-01- 277 (Washington, D.C.: Feb. 26, 2001). [7] For more information about previous smart card efforts, see GAO, Electronic Government: Progress in Promoting Adoption of Smart Card Technology, GAO-03-144 (Washington, D.C.: Jan. 3, 2003). [8] The Federal Enterprise Architecture is intended to provide a governmentwide framework to guide and constrain federal agencies' enterprise architectures and information technology investments. [9] GAO, Electronic Government: Federal Agencies Continue to Invest in Smart Card Technology, GAO-04-948 (Washington, D.C.: Sept. 2004). [10] In August 2005, OMB issued additional guidance to agencies clarifying which elements of the standard needed to be implemented by October 27, 2005. [11] NIST's SP 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations describes a set of attributes that should be exhibited by a PIV Card Issuer in order to be accredited. The guidelines should be used by each agency for assessing the reliability of any organization providing its PIV card issuing services. [12] In its August memorandum, OMB modified this requirement to state that if a National Agency Check is not completed within 5 days, the identity credential can be issued based solely on a FBI National Criminal History Check (fingerprint check). [13] The PIV assurance levels are (a) some confidence, (b) high confidence, and (c) very high confidence in authenticating the identity of PIV cardholders. For example, authentication mechanisms such as biometric and PKI technology could be implemented to provide a high or very high confidence level of assurance for physical access to federal facilities. [14] NIST, Interfaces for Personal Identity Verification, Special Publication 800-73 (April 2005). [15] The specific requirements for the first part of the standard (PIV- I) are outlined earlier in this report. [16] This is a security system utilizing cards with embedded radio frequency technology. [17] Corsec Security, Inc., provides consulting services to companies that are aiming to certify their products as being FIPS 140-2 compliant. [18] According to the Smart Card Alliance, it is a not-for profit, multi-industry association working to influence standards that are relevant to smart card adoption and implementation, maintain a voice in public policy that affects smart card adoption and implementation, serve as an educational resource to its members and the industry, and provide a forum for discussions and projects on issues surrounding smart cards. [19] NIST, Interfaces for Personal Identity Verification, Special Publication 800-73 (April 2005). [20] Agencies are not required to implement biometric authentication at all facilities. Instead, each agency must make a risk-based decision to determine where it will require the use of biometrics. [21] NIST, Biometric Data Specification for Personal Identity Verification, Special Publication 800-76 (Draft, December 2005). [22] FIPS 201 defines three levels of assurance for identity authentication supported by the PIV card, such as the card holder unique identification number, biometrics, and PKI. Each assurance level refers to the degree of confidence established in the identity of the PIV card holder. [23] In response to the Clinger-Cohen Act and other statutes, OMB developed section 300 ("business case") of Circular A-11, which provides policy for planning, budgeting, acquisition, and management of federal capital assets. This reporting mechanism, as part of the budget formulation and review process, is intended to enable an agency to demonstrate to its own management, as well as OMB, that it has employed the disciplines of good project management, developed a strong business case for the investment, and met other administration priorities in defining the cost, schedule, and performance goals proposed for the investment. [24] GAO-03-144 and GAO-04-948. [25] Interoperability is defined as the use of PIV identity credentials, such that client-application programs, compliant card applications, and compliant integrated circuit cards can be used interchangeably by all information processing systems across the federal government. [26] Certification is a formal process of assessing the attributes of a PIV credential issuer to verify that the issuer is reliable and capable of enrolling approved applicants and issuing PIV cards. Accreditation is the official management decision of a Designated Accreditation Authority to authorize the operation of a PIV credential issuer after determining that the issuer's reliability has been established through appropriate assessment and certification processes. [27] The use of SP 800-79 for accrediting the reliability of a PIV credential issuer and accrediting the security of computer systems used by the PIV credential issuer need to follow the guidance in SP 800-37, Guide for Security Certification and Accreditation of Federal Information Systems, May 2004; and SP 800-53, Recommended Security Controls for Federal Information Systems, February 2005. [28] Cryptography is the transformation of ordinary data (commonly referred to as "plaintext") into a code form (ciphertext) and back into plaintext using a special value known as a key and a mathematical process called an algorithm. Cryptographic techniques are used in public key infrastructure systems to generate and manage electronic "certificates," which link an individual or entity to a given public key. [29] GAO-01-277. [30] Middleware is software that allows software applications running on separate computer systems to communicate and exchange data. In this case, middleware allows external software applications to interact with applications on a smart card. [31] Test assertions are statements of behavior, action, or condition that can be measured or tested. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548:

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.