Electronic Government
Additional OMB Leadership Needed to Optimize Use of New Federal Employee Identification Cards
GAO ID: GAO-08-292, February 29, 2008
This is the accessible text file for GAO report number GAO-08-292
entitled 'Electronic Government: Additional OMB Leadership Needed to
Optimize Use of New Federal Employee Identification Cards' which was
released on April 9, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
February 2008:
Electronic Government:
Additional OMB Leadership Needed to Optimize Use of New Federal
Employee Identification Cards:
Electronic Government:
GAO-08-292:
GAO Highlights:
Highlights of GAO-08-292, a report to congressional committees.
Why GAO Did This Study:
Many forms of identification (ID) that federal employees and
contractors use to access government-controlled buildings and
information systems can be easily forged, stolen, or altered to allow
unauthorized access. In an effort to increase the quality and security
of federal ID and credentialing practices, the President issued
Homeland Security Presidential Directive 12 (HSPD-12) in August 2004,
requiring the establishment of a governmentwide standard for secure and
reliable forms of ID. The resulting standard is referred to as the
personal identity verification (PIV) card. GAO was asked to determine
the progress selected agencies have made in (1) implementing the
capabilities of the PIV cards to enhance security and (2) achieving
interoperability with other agencies. To address these objectives, GAO
selected eight agencies that have a range of experience in implementing
smart card-based ID systems and analyzed what actions the agencies have
taken to implement PIV cards.
What GAO Found:
Much work has been accomplished to lay the foundations for
implementation of HSPD-12, a major governmentwide undertaking. However,
agencies have made limited progress in implementing and using PIV
cards. The eight agencies GAO reviewed--including the Departments of
Agriculture, Commerce, Homeland Security, Housing and Urban
Development, the Interior, and Labor; the Nuclear Regulatory
Commission; and the National Aeronautics and Space Administration--have
generally completed background checks on most of their employees and
contractors and established basic infrastructure, such as purchasing
card readers. However, none of them met the Office of Management and
Budget's (OMB) goal of issuing PIV cards by October 27, 2007, to all
employees and contractor personnel who had been with the agency for 15
years or less. In addition, for the limited number of cards that have
been issued, most agencies have not been using the electronic
authentication capabilities on the cards and have not developed
implementation plans for those capabilities. In certain cases, products
are not available to support those authentication mechanisms. A key
contributing factor for why agencies have made limited progress is that
OMB, which is tasked with ensuring that federal agencies successfully
implement HSPD-12, has emphasized issuance of cards, rather than full
use of the cards' capabilities. Specifically, OMB has set milestones
that focus narrowly on having agencies acquire and issue cards in the
near term, regardless of when the electronic authentication
capabilities of the cards may be used. Furthermore, agencies anticipate
having to make substantial financial investments to implement HSPD-12,
since PIV cards are considerably more expensive than traditional ID
cards. However, OMB has not considered HSPD-12 implementation to be a
major new investment and thus has not required agencies to prepare
detailed plans regarding how, when, and the extent to which they will
implement the electronic authentication mechanisms available through
the cards. Without implementing the cards' electronic authentication
capabilities, agencies will continue to purchase costly PIV cards to be
used in the same way as the much cheaper, traditional ID cards they are
replacing. Until OMB revises its approach to focus on the full use of
the capabilities of the new PIV cards, HSPD-12's objectives of
increasing the quality and security of ID and credentialing practices
across the federal government may not be fully achieved.
While steps have been taken to enable future interoperability, progress
has been limited in making current systems interoperate, partly because
key procedures and specifications have not yet been developed to enable
electronic cross-agency authentication of cardholders. According to
General Services Administration officials, they have taken the initial
steps to develop guidance to help enable the exchange of identity
information across agencies, and they plan to complete and issue it by
September 2008. Such guidance should help enable agencies to establish
cross-agency interoperability--a primary goal of HSPD-12.
What GAO Recommends:
GAO is making recommendations to OMB, including setting realistic
milestones for implementation of the electronic authentication
capabilities and requiring that each agency develop detailed plans
regarding the extent to which it will implement these capabilities. OMB
provided comments on GAO's recommendations but did not specifically
agree or disagree with any of them.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-292]. For more
information, contact Linda D. Koontz at (202) 512-6240 or
koontzl@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Limited Progress Has Been Made in Implementing PIV Cards and in Using
Their Full Capabilities:
Efforts Are Under Way to Address the Limited Progress Made in Achieving
Interoperability to Enable Cross-Agency Authentication of Cardholders:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Requirements and Components of PIV-II:
Appendix III: Selected NIST Guidance:
Appendix IV: Comments from the Office of Management and Budget:
Appendix V: GAO Contact and Staff Acknowledgments:
Glossary:
Tables:
Table 1: The Three PIV Card Authentication Capabilities and Their
Associated Assurance Levels:
Table 2: Agencies' Progress in Implementing Background Checks and Basic
Infrastructure and in Using the PIV Cards for Physical and Logical
Access Control as of December 1, 2007:
Table 3: Disparate Guidance for Physical Access Control:
Figures:
Figure 1: A Typical Smart Card:
Figure 2: A PIV Card Showing Major Physical Features:
Figure 3: Major Activities of the PIV System and Its Intended Day-to-Day
Use:
Figure 4: Timeline of HSPD-12-Related Activities:
Abbreviations:
CHUID: cardholder unique identifier:
DHS: Department of Homeland Security:
DOJ: Department of Justice:
FIPS: Federal Information Processing Standards:
GSA: General Services Administration:
GSC-IS: Government Smart Card Interoperability Specification:
HSPD-12: Homeland Security Presidential Directive 12:
HUD: Department of Housing and Urban Development:
ID: identification:
MSO: Managed Service Office:
NASA: National Aeronautics and Space Administration:
NIST: National Institute of Standards and Technology:
NRC: Nuclear Regulatory Commission:
OMB: Office of Management and Budget:
PIN: personal identification number:
PIV: personal identity verification:
PKI: public key infrastructure:
USDA: U.S. Department of Agriculture:
United States Government Accountability Office:
Washington, DC 20548:
February 29, 2008:
The Honorable Joseph Lieberman:
Chairman:
The Honorable Susan M. Collins:
Ranking Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Edolphus Towns:
Chairman:
The Honorable Brian Bilbray:
Ranking Member:
Subcommittee on Government Management, Organization, and Procurement:
Committee on Oversight and Government Reform:
House of Representatives:
As you know, wide variations exist in the quality and security of the
various forms of identification (ID) that federal agencies issue to
their employees to use to access federal facilities and information
systems. In an effort to increase the quality and security of ID and
credentialing practices across the federal government, the President
issued Homeland Security Presidential Directive 12 (HSPD-12) in August
2004. This directive ordered the establishment of a mandatory,
governmentwide standard for secure and reliable forms of ID for federal
government employees and contractors who access government-controlled
facilities and information systems. In addition, one of the primary
goals of HSPD-12 is to enable interoperability across federal agencies.
In February 2005, the Department of Commerce's National Institute of
Standards and Technology (NIST) issued Federal Information Processing
Standards (FIPS) 201, Personal Identity Verification of Federal
Employees and Contractors. Known as FIPS 201, the standard is divided
into two parts. The first part, personal identity verification (PIV)-I,
sets out uniform requirements for identity proofing--verifying the
identity of individuals applying for official agency credentials--and
for issuing credentials, maintaining related information, and
protecting the privacy of the applicants. The Office of Management and
Budget (OMB), which is responsible for ensuring compliance with the
standard, issued guidance requiring agencies to implement these
requirements, with the exception of the privacy requirements, by
October 27, 2005. The second part, PIV-II, specifies the technical
requirements for credentialing systems for federal employees and
contractors on the basis of interoperable[Footnote 1] smart
cards.[Footnote 2] OMB directed that by October 27, 2007, PIV
credentials be issued to and used by all employees and contractors who
have been with the agency for 15 years or less. It also directed that
the remainder of the employees be issued cards and begin using their
cards no later than October 27, 2008.
In February 2006, we reported on agencies' progress toward implementing
the first part of the standard, PIV-I.[Footnote 3] This report responds
to your request that we conduct a review of agencies' progress in
implementing the second part of the standard, PIV-II. Specifically, our
objectives were to determine the progress selected agencies have made
in (1) implementing the capabilities of the PIV cards to enhance
security and (2) achieving interoperability with other agencies.
To address these objectives, we selected eight agencies that have a
range of experience in implementing smart card-based ID systems--the
Departments of Agriculture (USDA), Commerce, the Interior, Homeland
Security (DHS), Housing and Urban Development (HUD), and Labor; the
Nuclear Regulatory Commission (NRC); and the National Aeronautics and
Space Administration (NASA). To obtain information on the agencies'
progress, we analyzed documentation such as agencies' high-level plans
for HSPD-12 implementation, system architectures, cost estimates, and
documentation of agencies' implementation activities. We also
interviewed program officials from these agencies as well as General
Services Administration (GSA), OMB, and NIST officials who have been
involved in supporting implementation of HSPD-12 across the government.
We also discussed implementation challenges with industry experts to
obtain additional information and their perspectives. To obtain
information on agencies' progress toward achieving cross-agency
interoperability, we reviewed and analyzed documentation, such as
existing interface specifications, and met with GSA officials and
industry experts to discuss the steps they have taken to establish
cross-agency interoperability.
We performed our work at Commerce, DHS, GSA, HUD, Interior, Labor,
NASA, NIST, NRC, OMB, and USDA in the Washington, D.C., metropolitan
area from June 2007 to February 2008. We conducted this audit in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives. Additional details of our
objectives, scope, and methodology are provided in appendix I. Also, we
provide a glossary of terms at the end of this report.
Results in Brief:
Much work has been accomplished to lay the foundations for
implementation of HSPD-12, a major governmentwide undertaking. However,
agencies have made limited progress in implementing and using PIV
cards. The eight agencies we reviewed have generally completed
background checks on most of their employees and contractors and
established basic infrastructure, such as purchasing card readers.
However, none of the agencies met OMB's goal of issuing PIV cards by
October 27, 2007, to all employees and contractor personnel who had
been with the agency for 15 years or less. In addition, for the limited
number of cards that have been issued, agencies generally have not been
using the electronic authentication capabilities on the cards and have
not developed implementation plans for those authentication mechanisms.
Key products have not been available to support all of those
capabilities. A key contributing factor for why agencies have made
limited progress in adopting the use of PIV cards is that OMB, which is
tasked with ensuring that federal agencies successfully implement
HSPD-12, has emphasized the issuance of cards, rather than the full use of
the cards' capabilities. Specifically, OMB has set milestones that
focus narrowly on having agencies acquire and issue cards in the near
term, regardless of when the electronic authentication capabilities of
the cards could be used. Furthermore, agencies anticipate having to
make substantial financial investments to implement HSPD-12, since PIV
cards are considerably more expensive than traditional ID cards. For
example, PIV cards and related services, offered by GSA, cost $226 per
card over the 5-year life of a card, whereas traditional ID
credentialing systems with little or no electronic authentication
capabilities cost significantly less. However, OMB does not consider
the implementation of HSPD-12 to be a major new investment. As a
result, OMB has not directed agencies to prepare detailed plans to
support their decisions regarding how, when, and the extent to which
they will implement the various electronic authentication capabilities.
Furthermore, without implementing the cards' electronic authentication
capabilities, agencies will continue to purchase costly PIV cards and
use them in the same way as the much cheaper, traditional ID cards they
are replacing. Until OMB revises its approach to focus on the full use
of card capabilities, HSPD-12's objectives of increasing the quality
and security of ID and credentialing practices across the federal
government may not be fully achieved.
While steps have been taken to enable future interoperability, progress
has been limited in implementing such capabilities in current systems,
partly because key procedures and specifications have not yet been
developed to enable electronic cross-agency authentication of
cardholders. According to GSA officials, they have taken the initial
steps to develop guidance to help enable the exchange of identity
information across agencies, and they plan to complete and issue it by
September 2008.
We are making recommendations to OMB to revise its approach to
overseeing the implementation of HSPD-12, including establishing
realistic milestones for implementation of electronic authentication
capabilities and treating HSPD-12 implementation as a major new
investment by requiring that each agency develop detailed plans that
support its decisions regarding how, when, and the extent to which it
will implement the electronic authentication capabilities of the cards.
We received written comments on a draft of this report from the
Administrator of the Office of E-Government and Information Technology
of OMB. The letter is reprinted in appendix IV. We also received
written technical comments from the director of the DHS liaison office
for GAO and the Office of the Inspector General, the Associate Deputy
Secretary of the Interior, the Administrator of GSA, a Program
Specialist from NASA, and the Acting Chief Information Officer for
Commerce. The Deputy Assistant Secretary for Administration and
Management from Labor provided technical oral comments, and a senior
policy analyst from OMB provided technical comments via e-mail. We have
incorporated these comments, as appropriate. In addition, a GAO liaison
from NRC indicated via e-mail, and the Assistant Secretary for
Administration of HUD stated in writing, that their respective agency
officials had reviewed the draft report and did not have any comments.
Officials from USDA did not respond to our request for comments.
OMB provided comments on our recommendations but did not specifically
agree or disagree with any of them. Furthermore, in subsequent
discussions, OMB staff declined to agree or disagree with our
recommendations, indicating that they did not want to characterize
their comments in those terms.
Regarding our recommendation that OMB establish realistic milestones
for full implementation of the infrastructure needed to best use the
electronic authentication capabilities of PIV cards, the agency stated
that its guidance requires agencies to provide milestones for when they
intend to leverage the capabilities of PIV credentials. However, to
ensure consistent governmentwide implementation of HSPD-12, it is
important for OMB to establish such milestones across agencies, rather
than to allow individual agencies to choose their own milestones. By
not setting time frames for agencies to implement this infrastructure,
OMB has left it uncertain when these capabilities, which are critical
to the success of HSPD-12, should be implemented across the government.
Regarding our recommendation that it require each agency to develop a
risk-based, detailed plan for implementing electronic capabilities, OMB
stated that previous guidance required agencies to provide milestones
for when they plan to fully leverage the capabilities of PIV
credentials for physical and logical access control. However, agencies
were required to provide only the dates they plan to complete major
activities, such as becoming fully compliant with HSPD-12 and having a
plan for phasing in physical and logical access control. OMB did not
require agencies to develop detailed, risk-based plans.
Regarding our recommendation that OMB require agencies to align the
acquisition of PIV cards with plans for implementing the cards'
electronic authentication capabilities, OMB stated that HSPD-12 aligns
with other information security programs. While OMB's statement is
correct, it is important that agencies time the acquisition of PIV
cards to coincide with the implementation of the technical
infrastructure necessary for enabling electronic authentication
techniques.
Regarding our recommendation that OMB ensure that guidance is developed
that maps existing physical security guidance to FIPS 201 guidance, the
agency stated that NIST is in the process of developing additional
guidance to clarify the relationship between facility security levels
and PIV authentication levels. Until complete guidance is available,
agencies will likely continue either to delay in making decisions on
their implementations or to make decisions that may need to be modified
later.
Background:
Historically, federal employees have been issued a wide variety of ID
cards that are used to access federal buildings and other facilities.
In many cases, security personnel allow access on the basis of visual
inspection of these cards. However, many of these cards can be easily
forged and have other limitations in their ability to effectively
authenticate individuals seeking access to federal facilities.
Access Control Techniques Provide Varying Levels of Assurance:
Access control is the process of determining the permissible activities
of users and authorizing or prohibiting activities by each user.
Controlling a user's access to facilities and computer systems includes
setting rights and permissions that grant access only to authorized
users.
There are two types of access control: physical access and logical
access. Physical access control focuses on restricting the entry and/or
exit of users from a physical area, such as a building or a room in a
building. Physical access control techniques include devices such as
locks that require a key to open doors or ID cards that establish an
individual's authorization to enter a building. Logical access control
is used to determine what electronic information and systems users and
other systems may access and what may be done to the information that
is accessed. Methods for controlling logical access include requiring a
user to enter a password to access information stored on a computer.
Access control techniques vary in the extent to which they can provide
assurance that only authorized individuals and systems have been
granted access. Some techniques can be easily subverted, while others
are more difficult to circumvent. Generally, techniques that provide
higher levels of assurance are more expensive, more difficult to
implement, and cause greater inconvenience to users than less
sophisticated techniques. When deciding which access control mechanisms
to implement, agencies must first understand the level of risk
associated with the facility or information that is to be protected.
The higher the risk level, the greater the need for agencies to
implement a high-assurance-level access control system.
Smart Cards Can Provide Higher Levels of Assurance:
One means to implement a high-assurance-level access control system is
through the use of smart cards. Smart cards are plastic devices that
are about the size of a credit card and contain an embedded integrated
circuit chip capable of storing and processing data.[Footnote 4] The
unique advantage that smart cards have over traditional cards with
simpler technologies, such as magnetic strips or bar codes, is that
they can exchange data with other systems and process information,
rather than simply serving as static data repositories. By securely
exchanging information, a smart card can help authenticate the identity
of the individual possessing the card in a far more rigorous way than
is possible with traditional ID cards. A smart card's processing power
also allows it to exchange and update many other kinds of information
with a variety of external systems, which can facilitate applications
such as financial transactions or other services that involve
electronic record-keeping. Figure 1 shows an example of a typical smart
card.
Figure 1: A Typical Smart Card:
This figure is a photograph of a typical smart card.
[See PDF for image]
Source: GSA.
[End of figure]
Smart cards can also be used to significantly enhance the security of
an agency's computer systems by tightening controls over user access. A
user wishing to log on to a computer system or network with controlled
access must "prove" his or her identity to the system--a process called
authentication. Many systems authenticate users by requiring them to
enter secret passwords. This requirement provides only modest security
because passwords can be easily compromised. Substantially better user
authentication can be achieved by supplementing passwords with smart
cards. To gain access under this scenario, a user is prompted to insert
a smart card into a reader attached to the computer as well as type in
a password. This authentication process is significantly harder to
circumvent because an intruder would not only need to guess a user's
password but would also need to possess that same user's smart card.
Even stronger authentication can be achieved by using smart cards in
conjunction with biometrics. Smart cards can be configured to store
biometric information (such as fingerprints or iris scans) in an
electronic record that can be retrieved and compared with an
individual's live biometric scan as a means of verifying that person's
identity in a way that is difficult to circumvent. An information
system requiring users to present a smart card, enter a password, and
verify a biometric scan uses what is known as "three-factor
authentication," which requires users to authenticate themselves by
means of "something they possess" (the smart card), "something they
know" (the password), and "something they are" (the biometric). Systems
employing three-factor authentication provide a relatively high level
of security. The combination of a smart card used with biometrics can
provide equally strong authentication for controlling access to
physical facilities.[Footnote 5]
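The "something they possess" factor described above only works if the system makes the card do something a copy of its visible data cannot: merely reading a static value off the card would be as replayable as a password. The Go example below is added here to show that step; it is not code from GAO, NIST or any PIV product. It models the card as a holder of a private key that signs a fresh random challenge, and the system as a verifier that accepts the signature only under the public key registered for that user and only for the challenge currently outstanding. The Card and Verifier types, the user name and the choice of ECDSA on P-256 are this example's assumptions; the password and biometric factors are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card stands in for the smart card: its private key exists only here and is used for
// nothing but answering challenges. The matching public key is registered at issuance.
type Card struct{ priv *ecdsa.PrivateKey }

// NewCard generates the card-held key pair and returns the card with its public key.
func NewCard() (*Card, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // constructed demo: key generation failure is fatal
	}
	return &Card{priv: priv}, &priv.PublicKey
}

// Sign is the only operation the card exposes: a signature over the verifier's challenge.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, d[:])
}

// Verifier is the system being accessed. It knows each user's registered public key and
// remembers the challenge it last issued to each user until that challenge is answered.
type Verifier struct {
	registered map[string]*ecdsa.PublicKey
	pending    map[string][32]byte
}

func NewVerifier() *Verifier {
	return &Verifier{registered: map[string]*ecdsa.PublicKey{}, pending: map[string][32]byte{}}
}

func (v *Verifier) Register(user string, pub *ecdsa.PublicKey) { v.registered[user] = pub }

// Challenge hands out a fresh random nonce; issuing a new one invalidates any outstanding one.
func (v *Verifier) Challenge(user string) []byte {
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	v.pending[user] = nonce
	return nonce[:]
}

// CheckPossession decides the "something you have" factor: the signature must verify under the
// key registered for user over the challenge currently outstanding. The challenge is consumed
// on first use, so a signature captured from an earlier login cannot be replayed.
func (v *Verifier) CheckPossession(user string, sig []byte) error {
	pub, registered := v.registered[user]
	nonce, outstanding := v.pending[user]
	if !registered || !outstanding {
		return errors.New("no registered card or no outstanding challenge for user")
	}
	delete(v.pending, user) // single use, whether or not the signature turns out to be valid
	d := sha256.Sum256(nonce[:])
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("challenge signature invalid: presenter does not hold the registered card")
	}
	return nil
}

// RunPossessionScenarios reports which attempts pass: the registered card answering its challenge,
// the same signature presented again, and a different card answering a fresh challenge for the user.
func RunPossessionScenarios() map[string]bool {
	v := NewVerifier()
	card, pub := NewCard()
	otherCard, _ := NewCard()
	v.Register("holder-a", pub) // constructed user name
	out := map[string]bool{}
	sig, err := card.Sign(v.Challenge("holder-a"))
	if err != nil {
		panic(err)
	}
	out["registered-card"] = v.CheckPossession("holder-a", sig) == nil
	out["replayed-signature"] = v.CheckPossession("holder-a", sig) == nil
	sig, _ = otherCard.Sign(v.Challenge("holder-a"))
	out["different-card"] = v.CheckPossession("holder-a", sig) == nil
	return out
}

func main()  {
	fmt.Println(RunPossessionScenarios())
}
```

Running main prints the three outcomes: the registered card passes; presenting its earlier signature again fails because the challenge was consumed when it was first checked; and a different card fails because its signature does not verify under the registered key. The single-use random challenge is what turns "the intruder would also need to possess the card" into a property the verifier can actually enforce.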
Public Key Infrastructure Technology Can Further Enhance Access Control
Based on Smart Cards:
Smart cards can also be used in conjunction with public key
infrastructure (PKI) technology to better secure electronic messages
and transactions. PKI is a system of computers, software, and data that
relies on certain cryptographic techniques to protect sensitive
communications and transactions.[Footnote 6] A properly implemented and
maintained PKI can offer several important security services, including
assurances that (1) the parties to an electronic transaction are really
who they claim to be, (2) the information has not been altered or
shared with any unauthorized entity, and (3) neither party will be able
to wrongfully deny taking part in the transaction. PKI systems are
based on cryptography and require each user to have two different
digital "keys" to gain access: a public key and a private key. Both
public and private keys may be generated on a smart card or on a user's
computer. Security experts generally agree that PKI technology is most
effective when used in tandem with hardware tokens, such as smart
cards. PKI systems use cryptographic techniques to generate and manage
electronic "certificates" that link an individual or entity to a given
public key. These digital certificates are then used to verify digital
signatures and facilitate data encryption. The digital certificates are
created by a trusted third party called a certification authority,
which is also responsible for providing status information on whether
the certificate is still valid or has been revoked or suspended. The
PKI software in the user's computer can verify that a certificate is
valid by first verifying that the certificate has not expired, and then
by checking the online status information to ensure that it has not
been revoked or suspended.
Implementing a functioning PKI across government agencies involves much
more than just establishing the basic hardware and software
infrastructure at individual agencies. For example, for PKI
certificates to work across the government, a vast network of
interoperable online directories would need to be in place so that each
user's identity could be looked up and his or her digital certificate
verified before any transaction takes place. Software applications
would likely need to consult a number of disparate directories to
validate an incoming user's digital certificate. Significant costs are
involved in developing, fielding, and maintaining a production PKI to
meet these requirements. Systems must be set up to positively identify
users and manage the exchange and verification of certificates. In
addition, existing software applications, electronic directories, and
other legacy systems must be modified so that they can interact with
the PKI. As a result, the total costs associated with building a PKI
and enabling applications to use it can be significant.
HSPD-12 Requires Standardized Agency ID and Credentialing Systems:
In August 2004, the President issued HSPD-12, which directed Commerce
to develop a new standard for secure and reliable forms of ID for
federal employees and contractors to enable interoperability across the
federal government by February 27, 2005. The directive defined secure
and reliable ID as meeting four control objectives. Specifically, the
identification credentials must be:
* based on sound criteria for verifying an individual employee's or
contractor's identity;
* strongly resistant to identity fraud, tampering, counterfeiting, and
terrorist exploitation;
* able to be rapidly authenticated electronically; and
* issued only by providers whose reliability has been established by an
official accreditation process.
HSPD-12 stipulates that the standard must include criteria that are
graduated from "least secure" to "most secure" to ensure flexibility in
selecting the appropriate level of security for each application. In
addition, the directive directs agencies to implement, to the maximum
extent practicable, the standard for IDs issued to federal employees
and contractors in order to gain physical access to controlled
facilities and logical access to controlled information systems by
October 27, 2005.[Footnote 7]
FIPS 201: Personal Identity Verification of Federal Employees and
Contractors:
In response to HSPD-12, Commerce's NIST published FIPS 201, Personal
Identity Verification of Federal Employees and Contractors, on February
25, 2005. The standard specifies the technical requirements for PIV
systems to issue secure and reliable ID credentials to federal
employees and contractors for gaining physical access to federal
facilities and logical access to information systems and software
applications. Smart cards are a primary component of the envisioned PIV
system.
The FIPS 201 standard is composed of two parts. The first part, called
PIV-I, sets standards for PIV systems in three areas: (1) identity
proofing and registration, (2) card issuance and maintenance, and (3)
protection of card applicants' privacy. The second part of the FIPS 201
standard, PIV-II, provides technical specifications for interoperable
smart card-based PIV systems.
Personal Identity Verification I:
To verify individuals' identities, agencies are directed to adopt an
accredited[Footnote 8] identity proofing and registration process that
is approved by the head of the agency. There are many steps to the
verification process, such as completing a background investigation of
the applicant, conducting[Footnote 9] and adjudicating a fingerprint
check prior to credential issuance, and requiring applicants to provide
two original forms of identity source documents from an OMB-approved
list of documents.
Agencies are also directed to adopt an accredited card issuance and
maintenance process that is approved by the head of the agency. This
process should include standardized specifications for printing
photographs, names, and other information on PIV cards and for other
activities, such as capturing and storing biometric and other data, and
issuing, distributing, and managing digital certificates.
Finally, agencies are directed to perform activities to protect the
privacy of the applicants, such as assigning an individual to the role
of "senior agency official for privacy" to oversee privacy-related
matters in the PIV system; providing full disclosure of the intended
uses of the PIV card and related privacy implications to the
applicants; and using security controls described in NIST guidance to
accomplish privacy goals, where applicable.
Personal Identity Verification II:
As we have previously mentioned, the second part of the FIPS 201
standard, PIV-II, provides technical specifications for interoperable
smart card-based PIV systems. The components and processes in a PIV
system, as well as the identity authentication information included on
PIV cards, are intended to provide for consistent authentication
methods across federal agencies. The PIV-II cards (see example in fig.
2) are intended to be used to access all federal physical and logical
environments for which employees are authorized. Appendix II provides
more information on the specific requirements and components of PIV-II.
Figure 2: A PIV Card Showing Major Physical Features:
This figure is a picture of a PIV card showing major physical features.
[See PDF for image]
Source: GAO analysis of FIPS 201 guidance (data). Copyright 1997 Corel
Corp. All rights reserved (seal).
[End of figure]
The PIV cards contain a range of features--including photographs,
cardholder unique identifiers (CHUID), fingerprints, and PKI
certificates--to enable enhanced identity authentication at different
assurance levels. To use these enhanced capabilities, specific
infrastructure needs to be in place. This infrastructure may include
biometric (fingerprint) readers, personal ID number (PIN) input
devices, and connections to information systems that can process PKI
digital certificates and the CHUIDs. Once acquired, these various
devices need to be integrated with existing agency systems. For
example, PIV system components may need to interface with human
resources systems, so that when an employee resigns or is terminated
and the cardholder's employment status is changed in the human
resources systems, the change is also reflected in the PIV system.
Furthermore, card readers that are compliant with FIPS 201 need to
exchange information with existing physical and logical access control
systems in order to enable doors and systems to unlock once a
cardholder has been successfully authenticated and access has been
granted.
FIPS 201 includes specifications for three types of electronic
authentication that provide varying levels of security assurance. OMB
guidance and FIPS 201 direct agencies to use risk-based methods to
decide which type of authentication is appropriate in a given
circumstance. The three authentication methods for PIV cards specified
under FIPS 201 and their associated assurance levels are described in
table 1.
Table 1: The Three PIV Card Authentication Capabilities and Their
Associated Assurance Levels:
Description of authentication capability;
CHUID authentication or visual authentication (some confidence): The
CHUID is a number comprising several pieces of data, including the
federal agency smart credential number, global unique identifier,
expiration date, and digital signature. These components are used to
authenticate the card and ensure that the card has not expired. Visual
inspection consists of a guard visually comparing the photograph on the
card with the cardholder;
Biometric authentication only (high confidence): PIV cards are directed
to store two electronic fingerprints on the cards to allow live scans
of the cardholders' fingerprints to be compared with previously stored
fingerprint data to determine if there is a match;
PKI authentication and/or biometric authentication with visual
authentication (very high confidence): The PIV card carries mandatory
and optional asymmetric private keys and corresponding certificates
that can be used for authentication. Using cryptographic functions, the
certificates are verified, and the revocation status of the certificate
is checked to ensure that the certificate has not been revoked.
Description of assurance level;
CHUID authentication or visual authentication (some confidence): Use of
the CHUID provides limited assurance, since it is not encrypted and is
able to authenticate only the card, not the cardholder. According to
NIST officials, use of only the CHUID may be appropriate in very
limited circumstances. For example, once a cardholder has been
authenticated using both the CHUID and visual inspection to get into a
federal facility, it may be appropriate to use just the CHUID for
accessing relatively low security/criticality areas within the
facility. Similarly, according to NIST officials, exclusive use of
visual inspection may also be appropriate in limited circumstances,
such as at a federal office that has very few employees;
Biometric authentication only (high confidence): Biometric
authentication without the presence of a security guard or attendant at
the access point offers a high level of assurance of the cardholders'
identity;
PKI authentication and/or biometric authentication with visual
authentication (very high confidence): PKI can be used independently or
in conjunction with both biometric and visual authentication. These
methods offer a very high level of assurance in the identity of the
cardholder.
Source: GAO analysis of FIPS 201 and related guidance.
[End of table]
In addition to the three authentication capabilities discussed in table
1, PIV cards also support the use of PIN authentication, which may be
used in conjunction with one of these capabilities. For example, the
PIN can be used to control access to biometric data on the card when
conducting a fingerprint check.
Figure 3 illustrates the major activities of the PIV system and its
intended day-to-day use.
Figure 3: Major Activities of the PIV System and Its Intended Day-to-Day Use:
This figure illustrates major activities of the PIV system and its
intended day-to-day use.
[See PDF for image]
Source: GAO analysis of FIPS 201 guidance (data). Copyright 1997 Corel
Corp. All rights reserved (seal).
[End of figure]
Additional NIST, GSA, and OMB Guidance:
NIST has issued several special publications that provide supplemental
guidance on various aspects of the FIPS 201 standard, including
guidance on verifying that agencies or other organizations have the
proper systems and administrative controls in place to issue PIV cards
and have the technical specifications for implementing the directed
encryption technology. Additional information on NIST's special
publications is provided in appendix III.
In addition, NIST developed a suite of tests to be used by approved
commercial laboratories to validate whether commercial products for the
PIV card and the card interface are in conformance with FIPS 201. These
laboratories use the NIST test to determine whether individual
commercial products conform to FIPS 201 specifications.
Once commercial products pass conformance testing, they must then go
through performance and interoperability testing. GSA developed these
tests, which are intended to ensure that products and services meet
FIPS 201 requirements. The GSA tests include products that have
successfully passed NIST's conformance tests as well as other products
that are directed by FIPS 201 but are not within the scope of NIST's
conformance tests, such as PIV card readers, fingerprint capturing
devices, and software directed to program the cards with employees'
data. Products that successfully pass GSA's conformance tests are
listed on its list of products that are approved for agencies to
acquire.
OMB is responsible for ensuring that agencies comply with the standard.
In August 2005, OMB issued a memorandum to executive branch agencies
with instructions for implementing HSPD-12 and the new standard. The
memorandum specifies to whom the directive applies; to what facilities
and information systems FIPS 201 applies; and, as outlined in the
following text, the schedule that agencies must adhere to when
implementing the standard.
* October 27, 2005--For all new employees and contractors, adhere to
the identity proofing, registration, card issuance, and maintenance
requirements of the first part (PIV-I) of the standard.
* October 27, 2006--Begin issuing cards that comply with the second
part (PIV-II) of the standard and implementing the privacy
requirements.
* October 27, 2007--Verify and/or complete background investigations
for all current employees and contractors who have been with the agency
for 15 years or less. Issue PIV cards to these employees and
contractors and require that they begin using their cards by this date.
* October 27, 2008--Complete background investigations for all
individuals who have been federal agency employees for more than 15
years. Issue cards to these employees and require them to begin using
their cards by this date.[Footnote 10]
In addition, OMB directed that each agency provide certain information
on its plans for implementing HSPD-12, including the number of
individuals requiring background checks and the dates by which the
agency plans to be compliant with PIV-I and PIV-II requirements.
Agencies were not directed to provide information on the cost of their
implementations, but they were directed to submit this planning
information to OMB by June 29, 2005. Subsequently, agencies were directed to submit
updated planning information to OMB by September 8, 2006. Finally,
after the October 27, 2007, milestone had passed, OMB requested that
agencies provide it with an updated plan.
Other related guidance that OMB has issued includes guidance to federal
agencies on electronic authentication practices, sample privacy
documents for agency use in implementing HSPD-12, a memorandum to
agencies about validating and monitoring agency issuance of PIV
credentials, guidance on protecting sensitive agency information, a
memorandum to agencies on safeguarding against and responding to the
breach of personally identifiable information, and updated instructions
to agencies on publicly reporting their HSPD-12 implementation status.
Figure 4 shows a timeline that illustrates when HSPD-12 and additional
guidance was issued as well as the major deadlines for implementing
HSPD-12.
Figure 4: Timeline of HSPD-12-Related Activities:
This figure is a timeline of HSPD-12 related activities.
[See PDF for image]
Source: GAO analysis of FIPS 201 guidance.
[End of figure]
GSA, in collaboration with the Federal Identity Credentialing
Committee,[Footnote 11] the Federal Public Key Infrastructure Policy
Authority,[Footnote 12] OMB, and the Smart Card Interagency Advisory
Board[Footnote 13]--which GSA established to address government smart
card issues and standards--developed the Federal Identity Management
Handbook. This handbook was intended to be a guide for agencies in
implementing HSPD-12 and FIPS 201 and includes guidance on specific
courses of action, schedule requirements, acquisition planning,
migration planning, lessons learned, and case studies. It is to be
periodically updated; the most current version of the handbook was
released in December 2005.
On June 30, 2006, GSA and OMB issued a memorandum to agency officials
that specified standardized procedures for acquiring FIPS 201-compliant
commercial products that have passed NIST's and GSA's testing.
According to the GSA guidance, agencies are directed to use these
standardized acquisition procedures when implementing their FIPS 201-compliant systems.
In addition, GSA established a managed service office that offers
shared services to federal civilian agencies to help reduce the costs
of procuring FIPS 201-compliant equipment, software, and services by
sharing some of the infrastructure, equipment, and services among
participating agencies. According to GSA, the shared service offering--referred to as the USAccess Program--is intended to provide several
services, such as producing and issuing the PIV cards. As of October
2007, GSA had 67 agency customers with more than 700,000 government
employees and contractors to whom cards would be issued through shared
service providers. In addition, as of December 31, 2007, the Managed
Service Office (MSO) had installed over 50 enrollment stations with 15
agencies actively enrolling employees and issuing PIV cards. While
there are several services offered by the MSO, it is not intended to
provide support for all aspects of HSPD-12 implementation. For example,
the MSO does not provide services to help agencies integrate their
physical and logical access control systems with their PIV systems.
In 2006, GSA's Office of Governmentwide Policy established the
interagency HSPD-12 Architecture Working Group, which is intended to
develop interface specifications for HSPD-12 system interoperability
across the federal government. As of July 2007, the group had issued 10
interface specification documents, including a specification for
exchanging data between an agency and a shared service provider.
Previously Reported FIPS 201 Implementation Challenges:
In February 2006, we reported that agencies faced several challenges in
implementing FIPS 201, including constrained testing time frames and
funding uncertainties as well as incomplete implementation
guidance.[Footnote 14] We recommended that OMB monitor agencies'
implementation process and completion of key activities. In response to
this recommendation, beginning on March 1, 2007, OMB directed agencies
to post to their public Web sites quarterly reports on the number of
PIV cards they had issued to their employees, contractors, and other
individuals. In addition, in August 2006, OMB directed each agency to
submit an updated implementation plan.
We also recommended that OMB amend or supplement governmentwide
guidance pertaining to the extent to which agencies should make risk-based assessments regarding the applicability of FIPS 201. OMB has not
yet implemented this recommendation.
Limited Progress Has Been Made in Implementing PIV Cards and in Using
Their Full Capabilities:
Agencies have made limited progress in implementing and using PIV
cards. While the eight agencies we reviewed have generally taken steps
to complete background checks on most of their employees and
contractors and establish basic infrastructure, such as purchasing card
readers, none of the agencies met OMB's goal of issuing PIV cards by
October 27, 2007, to all employees and contractor personnel who had
been with the agency for 15 years or less. In addition, for the limited
number of cards that have been issued, agencies generally have not been
using the electronic authentication capabilities on the cards and have
not developed implementation plans for those capabilities. Key products
are not available to support all of those capabilities.
A key contributing factor for why agencies have made limited progress
in adopting the use of PIV cards is that OMB, which is tasked with
ensuring that federal agencies successfully implement HSPD-12, has
focused agencies' attention on card issuance, rather than on full use
of the cards' capabilities. Specifically, OMB set milestones that
focused narrowly on having agencies acquire and issue cards in the near
term, regardless of when the electronic authentication capabilities of
the cards could be used. Furthermore, although agencies anticipate
having to make substantial financial investments to implement HSPD-12,
OMB has not considered this to be a major new investment and has not
directed agencies to prepare detailed plans to support their decisions
regarding how, when, and the extent to which they plan to implement the
cards' electronic authentication capabilities.
Without implementing these capabilities, agencies will continue to
purchase costly PIV cards to be used in the same way as the much
cheaper, traditional ID cards they are replacing. More significantly,
until OMB revises its approach to focus on the full use of card
capabilities, HSPD-12's objective of increasing the quality and
security of ID and credentialing practices across the federal
government may not be fully achieved.
While Agencies Have Generally Completed Background Checks and
Established Basic Infrastructure, They Are Not Using the Electronic
Authentication Capabilities of PIV Cards to Enhance Security:
As we have previously described, by October 27, 2007, OMB directed
federal agencies to issue PIV cards and require PIV card use by all
employees and contractor personnel who have been with the agency for 15
years or less. HSPD-12 requires that the cards be used for physical
access to federally controlled facilities and logical access to
federally controlled information systems. In addition, to issue cards
that fully meet the FIPS 201 specification, basic infrastructure--such
as identity management systems, enrollment stations, PKI, and card
readers--will need to be put in place. OMB also directed that agencies
verify and/or complete background investigations by this date for all
current employees and contractors who have been with the agency for 15
years or less.
Agencies have taken steps to complete the directed background checks on
their employees and contractors and establish basic infrastructure to
help enable the use of PIV capabilities. For example, Commerce,
Interior, NRC, and USDA established agreements with GSA's MSO to use
its shared infrastructure, including its PKI, and enrollment stations.
Other agencies, including DHS, HUD, Labor, and NASA--which chose not to
use GSA's shared services offering--have acquired and implemented other
basic elements of infrastructure, such as ID management systems,
enrollment stations, PKI, and card readers.
However, none of the eight agencies met the October 2007 deadline
regarding card issuance. In most cases, agencies had not begun issuing
cards to more than a small number of their employees and contractor
personnel. In addition, for the limited number of cards that had been
issued, agencies had generally not been using the electronic
authentication capabilities on the cards. Instead, for physical access,
agencies were using visual inspection of the cards as their primary
means to authenticate cardholders. While it may be sufficient in
certain circumstances--such as in very small offices with few
employees--in most cases, visual inspection will not provide an
adequate level of assurance. OMB strongly recommends minimal reliance
on visual inspection. Also, seven of the eight agencies we reviewed
were not using the cards for logical access control.
Furthermore, most agencies did not have detailed plans in place to use
the various authentication capabilities. For example, as of October 30,
2007, Labor had not yet developed plans for implementing the electronic
authentication capabilities on the cards. Similarly, Commerce officials
stated that they would not have a strategy or time frame in place for
using the electronic authentication capabilities of PIV cards until
June 2008.
Table 2 provides details about the progress each of the eight agencies
had made as of December 1, 2007.
Table 2: Agencies' Progress in Implementing Background Checks and Basic
Infrastructure and in Using the PIV Cards for Physical and Logical
Access Control as of December 1, 2007:
Background investigations and basic infrastructure: Number of PIV-compliant cards issued (total population requiring PIV cards)[A];
Commerce: 23 (54,420);
Labor: 10,146 (17,707);
Interior: 17[B] (90,034);
HUD: 2,192 (9,335);
DHS: N/A[C];
NRC: 1 (6,245);
USDA: 313[D] (162,000);
NASA: 136 (75,467).
Background investigations and basic infrastructure: Completed
background investigations (total population requiring background
investigations)[A];
Commerce: 52,246 (54,420);
Labor: 14,327 (17,707);
Interior: 83,363[B] (90,034);
HUD: 6,234 (9,335);
DHS: N/A[C];
NRC: 6,021 (6,245);
USDA: 99,735[D] (162,000);
NASA: 38,922 (75,467).
Background investigations and basic infrastructure: Established an ID
management system;
Commerce: Implemented[E];
Labor: Implemented;
Interior: Implemented[E];
HUD: Implemented;
DHS: Implemented;
NRC: Implemented[E];
USDA: Implemented[E];
NASA: Implemented.
Background investigations and basic infrastructure: Established
enrollment stations;
Commerce: Implemented[E];
Labor: Implemented;
Interior: Implemented[E];
HUD: Implemented;
DHS: Implemented;
NRC: Implemented[E];
USDA: Implemented[E];
NASA: Implemented.
Background investigations and basic infrastructure: Established a PKI;
Commerce: Implemented[E, F];
Labor: Implemented;
Interior: Implemented[E];
HUD: Implemented;
DHS: Implemented;
NRC: Implemented;
USDA: Implemented[E];
NASA: Implemented.
Background investigations and basic infrastructure: Purchased card
readers;
Commerce: Not implemented;
Labor: Not implemented;
Interior: Implemented;
HUD: Implemented;
DHS: Implemented;
NRC: Implemented;
USDA: Implemented;
NASA: Implemented.
Use for physical access: Used visual inspection to authenticate;
Commerce: Implemented;
Labor: Implemented;
Interior: N/A;
HUD: Implemented;
DHS: Implemented;
NRC: Implemented;
USDA: Implemented;
NASA: Implemented.
Use for physical access: Used CHUID to authenticate;
Commerce: Not implemented;
Labor: Not implemented;
Interior: Not implemented;
HUD: Implemented;
DHS: Not implemented;
NRC: Not implemented;
USDA: Not implemented;
NASA: Implemented.
Use for physical access: Used PKI to authenticate;
Commerce: Not implemented;
Labor: Not implemented;
Interior: Not implemented;
HUD: Not implemented;
DHS: Not implemented;
NRC: Not implemented;
USDA: Not implemented;
NASA: Not implemented.
Use for physical access: Used biometrics to authenticate;
Commerce: Not implemented;
Labor: Not implemented;
Interior: Not implemented;
HUD: Not implemented;
DHS: Not implemented;
NRC: Not implemented;
USDA: Not implemented;
NASA: Not implemented.
Use for logical access: Used CHUID to authenticate;
Commerce: Not implemented;
Labor: Not implemented;
Interior: Not implemented;
HUD: Not implemented;
DHS: Not implemented;
NRC: Not implemented;
USDA: Not implemented;
NASA: Not implemented.
Use for logical access: Used PKI certificates to authenticate;
Commerce: Not implemented;
Labor: Not implemented;
Interior: Not implemented;
HUD: Not implemented;
DHS: Not implemented;
NRC: Not implemented;
USDA: Not implemented;
NASA: Not implemented.
Use for logical access: Used biometrics to authenticate;
Commerce: Not implemented;
Labor: Not implemented;
Interior: Not implemented;
HUD: Not implemented;
DHS: Not implemented;
NRC: Not implemented;
USDA: Not implemented;
NASA: Not implemented.
Source: GAO analysis of documentation provided by agency officials.
[A] These data are as reported by the agencies.
[B] Interior initially issued 17 cards using an independent provider of
cards and services. In August 2007, Interior decided to change its
approach and use GSA's shared services offering. These 17 cards expired
on October 27, 2007. As of November 2007, Interior had not been issued
any new cards from GSA.
[C] According to DHS officials, the public release of the total number
of employees requiring and carrying DHS PIV cards could pose a security
risk.
[D] The number of cards issued for USDA is as of November 30, 2007, and
the number of background checks completed is as of August 31, 2007.
Officials did not provide us with figures for December 1, 2007.
[E] This infrastructure is being supplied by GSA's MSO.
[F] Most of Commerce's component agencies plan to use the PKI provided
by GSA's MSO. However, the Patent and Trademark Office and the National
Oceanic and Atmospheric Administration use their own PKI services.
[End of table]
Three of the eight agencies we reviewed--HUD, NASA, and USDA--indicated
that, while they were not currently using the enhanced authentication
capabilities, they were in the process of testing products, such as
biometric readers and readers that can access and authenticate PKI
certificates, to determine whether they could be integrated into their
agencies' existing access control systems.
Products to Use Certain Electronic Authentication Capabilities Have Not
Been Available:
A challenge to full use of the enhanced authentication capabilities of
PIV cards is that key products have not yet been commercially
available. As a result, agencies have been constrained in their ability
to build systems that use key authentication capabilities.
Currently available products are only partially able to implement
electronic authentication based on the CHUID that is included on all
PIV cards. The CHUID is a special type of serial number that
incorporates an electronic signature and is used to electronically
validate that the information contained in the CHUID, such as the card
expiration date, has not been altered. However, existing physical
access control systems are unable to receive and process a full CHUID,
which is up to 27,016 bits long. Most legacy control panels for
physical access control systems were built to process only a 26-bit
identification number, and even the newest control panels are only able
to process 256 bits, at best. Consequently, agencies that have
implemented CHUID-based authentication have had to implement systems
that truncate the CHUID so that only a subset of information--without
the electronic signature--is transmitted to the control panel for
authentication. Use of the truncated CHUID does not provide the same
level of assurance as processing the full CHUID, because the electronic
signature information is not included. According to industry
representatives, it could take at least 5 to 7 years before a physical
access control system could be commercially available that is capable
of reading the full CHUID. Depending on the risk level of a system or
facility, using the truncated CHUID authentication approach could have
important security implications.
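The assurance gap described above can be shown in code. The following is an added example, not part of the GAO report or of any PIV product: it models a CHUID as a set of TLV data objects using the tag numbers listed in NIST SP 800-73 (FASC-N, GUID, expiration date, issuer signature), with all field contents constructed and an HMAC standing in for the issuer's CMS signature so the block runs with the standard library alone. A full-CHUID verifier checks the signature and the expiry; the legacy-panel model receives only a 26-bit number derived from the FASC-N and therefore accepts an expired card and an altered card alike.

```python
"""Full CHUID verification versus a 26-bit legacy control panel (constructed example)."""
import datetime
import hashlib
import hmac

# CHUID data-object tags as listed in NIST SP 800-73. Values below are constructed.
TAG_FASCN = 0x30
TAG_GUID = 0x34
TAG_EXPIRY = 0x35
TAG_SIGNATURE = 0x3E

# Stand-in for the issuer's asymmetric signing key (a real CHUID carries a CMS
# signature); HMAC-SHA256 is used here only so the example is self-contained.
ISSUER_KEY = b"constructed-issuer-signing-key"


def tlv_encode(tag: int, value: bytes) -> bytes:
    """One-byte tag, BER short/long-form length, value."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def tlv_decode(buf: bytes) -> dict:
    """Parse concatenated one-byte-tag TLVs into {tag: value}."""
    fields, i = {}, 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            n, i = first, i + 2
        elif first == 0x81:
            n, i = buf[i + 2], i + 3
        elif first == 0x82:
            n, i = (buf[i + 2] << 8) | buf[i + 3], i + 4
        else:
            raise ValueError("unsupported length encoding")
        fields[tag] = buf[i:i + n]
        i += n
    return fields


def signed_fields(fascn: bytes, guid: bytes, expiry: bytes) -> bytes:
    return tlv_encode(TAG_FASCN, fascn) + tlv_encode(TAG_GUID, guid) + tlv_encode(TAG_EXPIRY, expiry)


def build_chuid(fascn: str, guid: bytes, expiry: str, key: bytes = ISSUER_KEY) -> bytes:
    """Issuer side: assemble the identity fields and sign them."""
    body = signed_fields(fascn.encode(), guid, expiry.encode())
    return body + tlv_encode(TAG_SIGNATURE, hmac.new(key, body, hashlib.sha256).digest())


def verify_full_chuid(chuid: bytes, today: datetime.date, key: bytes = ISSUER_KEY):
    """Full-CHUID reader: signature over the identity fields first, then expiry."""
    f = tlv_decode(chuid)
    body = signed_fields(f[TAG_FASCN], f[TAG_GUID], f[TAG_EXPIRY])
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, f.get(TAG_SIGNATURE, b"")):
        return False, "signature invalid"
    if datetime.datetime.strptime(f[TAG_EXPIRY].decode(), "%Y%m%d").date() < today:
        return False, "card expired"
    return True, "ok"


def truncate_for_legacy_panel(chuid: bytes) -> int:
    """What a 26-bit panel receives (constructed mapping): the FASC-N here is
    14 ASCII digits, agency(4) system(4) credential(6); the panel is handed
    10 bits of system code and 16 bits of credential number, nothing else."""
    fascn = tlv_decode(chuid)[TAG_FASCN].decode()
    return ((int(fascn[4:8]) & 0x3FF) << 16) | (int(fascn[8:14]) & 0xFFFF)


def legacy_panel_check(id26: int, enrolled: set) -> bool:
    """Legacy panel decision: a lookup of the truncated ID, no signature, no expiry."""
    return id26 in enrolled


def alter_expiry_unsigned(chuid: bytes, new_expiry: str) -> bytes:
    """Tamper test case: change the expiry field but keep the old signature."""
    f = tlv_decode(chuid)
    return signed_fields(f[TAG_FASCN], f[TAG_GUID], new_expiry.encode()) + tlv_encode(TAG_SIGNATURE, f[TAG_SIGNATURE])


def demo() -> dict:
    """Run the three cards through both readers; returns the decisions."""
    today = datetime.date(2008, 2, 29)
    guid = bytes(range(16))                                   # constructed GUID
    valid = build_chuid("32000001000042", guid, "20121231")   # constructed FASC-N
    expired = build_chuid("32000001000042", guid, "20071027")
    altered = alter_expiry_unsigned(expired, "20121231")
    enrolled = {truncate_for_legacy_panel(valid)}
    cards = {"valid": valid, "expired": expired, "altered": altered}
    return {
        "full": {name: verify_full_chuid(c, today) for name, c in cards.items()},
        "legacy": {name: legacy_panel_check(truncate_for_legacy_panel(c), enrolled) for name, c in cards.items()},
    }


if __name__ == "__main__":
    for reader, results in demo().items():
        print(reader, results)
```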
Another product not yet on the market is a PIV card reader that can
access and validate the PKI certificate on a PIV card. According to
industry representatives, it will be expensive to develop such readers,
and many industry suppliers are not involved because they do not
anticipate that they will be able to market these readers to
organizations outside of the federal government. The industry
representatives indicated that a few companies that have a federal
government focus are developing products for this application, and they
anticipate that products will become available later in 2008.
OMB's Focus on Near-Term Card Issuance Has Hindered Progress in
Achieving the HSPD-12 Objectives:
A key contributing factor to why agencies have made limited progress is
that OMB--which is tasked with ensuring that federal agencies
successfully implement HSPD-12--has emphasized the issuance of cards,
rather than the full use of the cards' capabilities. Specifically,
OMB's milestones have not focused on implementation of the electronic
authentication capabilities that are available through PIV cards, and
have not set acquisition milestones that would coincide with the
ability to make use of these capabilities. Furthermore, despite the
cost of the cards and associated infrastructure, OMB has not treated
the implementation of HSPD-12 as a major new investment and has not
ensured that agencies have guidance to ensure consistent and
appropriate implementation of electronic authentication capabilities
across agencies. Until these issues are addressed, agencies may
continue to acquire and issue costly PIV cards without using their
advanced capabilities to meet HSPD-12 goals.
OMB's Implementation Milestones Have Been Narrowly Focused:
While OMB has established milestones for near-term card issuance, it
has not established milestones that require agencies to develop
detailed plans for making the best use of the electronic authentication
capabilities of PIV cards. Consequently, agencies have concentrated
their efforts on meeting the card issuance deadlines. For example,
several of the agencies we reviewed have chosen to focus their efforts
on meeting the next milestone--that cards be issued to all employees
and contractor personnel and be in use by October 27, 2008.
Understandably, meeting this milestone is perceived to be more
important than making optimal use of the cards' authentication
capabilities, because card issuance is the measure that OMB is
monitoring and asking agencies to post on their public Web sites.
The PIV card and the services involved in issuing and maintaining the
data on the card, such as the PKI certificates, are costly. For
example, PIV cards and related services offered by GSA through its
shared service offering cost $82 per card for the first year and $36
per card for each of the remaining 4 years of the card's life. In
contrast, traditional ID cards with limited or no electronic
authentication capabilities can cost less than $1 each, and have no
annual maintenance costs. Therefore, agencies that do not implement
electronic authentication techniques are spending a considerable amount
per card for capabilities that they are not able to use. An agency such
as Interior, for example, which plans to issue cards to approximately
90,000 individuals, could potentially spend approximately $20 million
on PIV cards without realizing the benefits of those cards until it
implements their electronic authentication capabilities. A more
economical approach would be to establish detailed plans for
implementing the technical infrastructure necessary to use the
electronic authentication capabilities on the cards and time the
acquisition of PIV cards to coincide with the implementation of this
infrastructure. However, this approach has not been encouraged by OMB,
which instead has been measuring agencies on how many cards they issue.
Without OMB focusing its milestones on the best use of the
authentication capabilities available through PIV cards, agencies are
likely to continue to implement minimum authentication techniques and
not be able to take advantage of advanced authentication capabilities.
OMB Has Not Considered HSPD-12 Implementation to Be a Major New
Investment:
Before implementing major new systems, agencies are generally directed
to conduct thorough planning to ensure that costs and time frames are
well understood and that the new systems meet their needs. OMB
establishes budget justification and reporting requirements for all
major information technology investments. Specifically, for such
investments, agencies are directed to prepare a business case--OMB
Exhibit 300--which is supported by a number of planning documents that
are essential in justifying decisions regarding how, when, and the
extent to which an investment would be implemented. Such planning
documents are essential in helping program officials understand the
costs and benefits of various implementation approaches in order to
determine the most beneficial approach.
However, OMB determined that because agencies had ID management systems
in place prior to HSPD-12 and that the directive only directed agencies
to "standardize" their systems, the implementation effort did not
constitute a new investment. According to an OMB senior policy analyst,
agencies should be able to fund their HSPD-12 implementations through
existing resources and should not need to develop a business case or
request additional funding.
While OMB has not directed agencies to develop business cases for
HSPD-12 implementation efforts, PIV card systems are likely to represent
significant new investments at several agencies. For example, agencies
such as Commerce, HUD, and Labor had not implemented PKI technology
prior to HSPD-12, but they are now directed to do so. In addition, such
agencies' previous ID cards were used for limited purposes and were not
used for logical access. These agencies had no prior need to acquire or
maintain card readers for logical access control or to establish
connectivity with their ID management systems for logical access
control and, consequently, had previously allocated very little money
for the operations and maintenance of these systems. Specifically,
HUD's annual operations and maintenance costs for its pre-HSPD-12
legacy system totaled approximately $127,000, while the agency's
estimated cost for HSPD-12 implementation in fiscal year 2008 is
approximately $1.6 million--about 13 times more expensive. According to
Labor officials, operations and maintenance costs for its pre-HSPD-12
legacy system totaled approximately $169,000, and Labor's fiscal year
2009 budget request for HSPD-12 implementation is approximately $3
million--17 times more expensive.
While these agencies recognize that they are likely to face
substantially greater costs in implementing PIV card systems, they have
not always thoroughly assessed all of the expenses they are likely to
incur. For example, agency estimates may not include the cost of
implementing advanced authentication capabilities where they are
needed. The extent to which agencies need to use such capabilities
could significantly impact an agency's cost for implementation.
While the technical requirements of complying with HSPD-12 dictate that
a major new investment be made, generally, agencies have not been
directed by OMB to take the necessary steps to thoroughly plan for
these investments. For example, six of the eight agencies we reviewed
had not developed detailed plans regarding their use of PIV cards for
physical and logical access controls. In addition, seven of the eight
agencies had not prepared cost-benefit analyses that weighed the costs
and benefits of implementing different authentication capabilities.
Without treating the implementation of HSPD-12 as a major new
investment by requiring agencies to develop detailed plans based on
risk-based assessments of agencies' physical and logical access control
needs that support the extent to which electronic authentication
capabilities are to be implemented, OMB will continue to limit its
ability to ensure that agencies properly plan and implement HSPD-12. As
a result, HSPD-12 implementation may not achieve enhanced access
control, and agencies may make considerable expenditures to acquire
capabilities that they cannot use.
OMB Has Not Provided Guidance for Determining Which PIV Card
Authentication Capabilities to Implement for Physical and Logical
Access Controls:
Another factor contributing to agencies' limited progress is that OMB
has not provided guidance to agencies regarding how to determine which
electronic authentication capabilities to implement for physical and
logical access controls. While the FIPS 201 standard describes three
different assurance levels for physical access (some, high, and very
high confidence) and associates PIV authentication capabilities with
each level, it is difficult for agencies to link these assurance levels
with existing building security assurance standards that are used to
determine access controls for facilities. The Department of Justice
(DOJ) has developed standards for assigning security levels to federal
buildings, ranging from level I (typically, a leased space with 10 or
fewer employees, such as a military recruiting office) to level V
(typically, a building such as the Pentagon or Central Intelligence
Agency headquarters that has a large number of employees and a critical
national security mission). While there are also other guidelines that
agencies could use to conduct assessments of their buildings, several
of the agencies we reviewed use the DOJ guidance to conduct risk
assessments of their facilities. Table 3 compares these disparate sets
of guidance for physical access control.
Table 3: Disparate Guidance for Physical Access Control:
[See PDF for image]
Source: GAO analysis of NIST and DOJ guidance.
[End of table]
Officials from several of the agencies we reviewed indicated that they
were not using the FIPS 201 guidance to determine which PIV
authentication capabilities to use for physical access because they did
not find the guidance to be complete. Specifically, they were unable to
determine which authentication capabilities should be used for the
different security levels. The incomplete guidance has contributed to
several agencies--including Commerce, DHS, and NRC--not reaching
decisions on what authentication capabilities they were going to
implement.
More recently, NIST has begun developing guidelines for applying the
FIPS 201 confidence levels to physical access control systems. However,
this guidance has not yet been completed and was not available to
agency officials when we were conducting our review.
Agencies also lack guidance regarding when to use the enhanced
authentication capabilities for logical access control. Similar to
physical access control, FIPS 201 describes graduated assurance levels
for logical access (some, high, and very high confidence) and
associates PIV authentication capabilities with each level. However, as
we have previously reported, neither FIPS 201 nor supplemental OMB
guidance provides sufficient specificity regarding when and how to
apply the standard to information systems.[Footnote 15] For example,
such guidance does not inform agencies how to consider the risk and
level of confidence needed when different types of individuals require
access to government systems, such as a researcher uploading data
through a secure Web site or a contractor accessing government systems
from an off-site location.
Until complete guidance is available, agencies will likely continue
either to delay in making decisions on their implementations or to make
decisions that may need to be modified later.
Efforts Are Under Way to Address the Limited Progress Made in Achieving
Interoperability to Enable Cross-Agency Authentication of Cardholders:
One of the primary goals of HSPD-12 is to enable interoperability
across federal agencies. As we have previously reported, prior to
HSPD-12, there were wide variations in the quality and security of ID cards
used to gain access to federal facilities.[Footnote 16] To overcome
this limitation, HSPD-12 directed ID cards to have standard features
and means for authentication to enable interoperability among agencies.
While steps have been taken to enable future interoperability, progress
has been limited in implementing such capabilities in current systems,
partly because key procedures and specifications have not yet been
developed. As we have previously stated, NIST has established
conformance testing for the PIV card and interface, and GSA has
established testing for other PIV products and services to help enable
interoperability. In addition, the capability currently exists for
determining the validity and status of a cardholder from another agency
via PKI. However, procedures and specifications to enable cross-agency
interoperability using the CHUID--which is expected to be more widely
used than PKI--have not been established. While PIV cards and
FIPS 201-compliant readers may technically be able to read the information
encoded on any PIV card--including cards from multiple agencies--this
functionality is not adequate to allow one agency to accept another
agency's PIV card, because there is no common interagency framework in
place for agencies to electronically exchange status information on PIV
credentials. For example, the agency that issued a PIV card could
revoke the cardholder's authorization to access facilities or systems
if the card is lost or if there has been a change in the cardholder's
employment status. The agency attempting to process the card would not
be able to access this information because a common framework to
electronically exchange status information does not exist. The
interfaces and protocols that are needed for querying the status of
cardholders have not yet been developed.
In addition, procedures and policies have not been established for
sharing information on contractor personnel who work at multiple
federal agencies. Without such procedures and policies, agencies will
issue PIV cards to their contractor staff for access only to their own
facilities. Contractors who work at multiple agencies may need to
obtain separate PIV cards for each agency.
GSA recognizes the need to address these issues and has actions under
way to do so. According to GSA, the Federal Identity Credentialing
Committee is developing guidance on the issuance and maintenance of PIV
cards to the contractor community. GSA is also developing a standard
specification that will enable interoperability in the exchange of
identity information among agencies. According to GSA officials, they
plan to complete and issue guidance by the end of September 2008. In
addition, NIST is planning to issue an update to a special publication
that focuses on interfaces for PIV systems. Such guidance should help
enable agencies to establish cross-agency interoperability--a primary
goal of HSPD-12.
Conclusions:
While HSPD-12's objective was to eliminate wide variations in the
quality and security of forms of ID used to gain access to federal
facilities, agencies have made limited progress in implementing and
using PIV cards in ways that would achieve this objective. Although
they did not meet OMB's October 2007 milestone for card issuance,
agencies have nevertheless focused on issuing cards to employees and
contractor personnel without developing plans for using the electronic
authentication capabilities of the cards. These agency actions have
been driven by OMB's guidance, which has emphasized the issuance of
cards, rather than the full use of the cards' capabilities. While
setting ambitious goals and objectives can help ensure that an
initiative is given priority, OMB's milestones did not provide a focus
on implementing the electronic capabilities available through the PIV
cards. Furthermore, agencies' milestones for issuing the cards did not
coincide with the implementation of the technical infrastructure.
Despite the cost of the cards and associated infrastructure, OMB has
not treated the implementation of HSPD-12 as a major new investment and
has not ensured that agencies have guidance to ensure consistent and
appropriate implementation of electronic authentication capabilities
across agencies for physical and logical access. Until these issues are
addressed, agencies will likely continue to acquire and issue costly
PIV cards and not be able to use their advanced capabilities.
In addition, much work remains before agencies can take advantage of
the potential for interoperability under HSPD-12. GSA officials have
taken initial steps to develop guidance to help enable the exchange of
identity information across agencies, and they plan to complete and
issue guidance by September 2008. Such guidance should help enable
agencies to establish cross-agency interoperability--a primary goal of
HSPD-12.
Recommendations for Executive Action:
We recommend that the Director, Office of Management and Budget, revise
the agency's approach to overseeing implementation of HSPD-12 by taking
the following four actions:
* Establish realistic milestones for full implementation of the
infrastructure needed to best use the electronic authentication
capabilities of PIV cards in agencies.
* Treat the HSPD-12 implementation as an investment by requiring that
each agency develop a detailed plan, based on a risk-based assessment
of the agency's physical and logical access control needs, that
supports the extent to which electronic authentication capabilities are
to be implemented.
* Require agencies to align the acquisition of PIV cards with plans for
implementing their technical infrastructure to best use the cards'
electronic authentication capabilities.
* Ensure that guidance is developed that maps existing physical
security guidance to FIPS 201 guidance.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from OMB's
Administrator of the Office of E-Government and Information Technology.
The letter is reprinted in appendix IV. In addition to OMB's letter, an
OMB senior policy analyst also provided technical comments via e-mail,
which we have incorporated as appropriate. We also received written
technical comments from the director of the DHS liaison office for GAO
and the Office of the Inspector General, the Associate Deputy Secretary
of the Interior, the Administrator of GSA, a program specialist at
NASA, and the Acting Chief Information Officer for Commerce. The Deputy
Assistant Secretary for Administration and Management from Labor
provided oral technical comments. We have incorporated these comments
as appropriate. In addition, a GAO liaison from NRC indicated via
e-mail, and the Assistant Secretary for Administration of HUD stated in
writing that their respective agency officials had reviewed the draft
report and did not have any comments. USDA officials did not respond to
our request for comments.
OMB provided comments on our recommendations but did not specifically
agree or disagree with any of them. Also, in subsequent discussions,
OMB staff declined to agree or disagree with our recommendations,
indicating that they did not want to characterize their comments in
those terms.
Regarding our recommendation that OMB establish realistic milestones
for full implementation of the infrastructure needed to best use the
electronic authentication capabilities of PIV cards, the agency stated
that it agrees that it is important to set milestones for implementing
the necessary infrastructure, and that its guidance requires agencies
to provide milestones for when they intend to leverage the capabilities
of PIV credentials. However, to ensure consistent governmentwide
implementation of HSPD-12, it is important for OMB to establish such
milestones across agencies, rather than to allow individual agencies to
choose their own milestones. By not setting time frames for agencies to
implement this infrastructure, OMB has left it uncertain when these
capabilities, which are critical to the success of HSPD-12, should be
implemented across the government.
Regarding our recommendation that OMB require each agency to develop a
risk-based, detailed plan for implementing electronic capabilities, the
agency stated that previous guidance required agencies to develop
implementation plans and provide milestones for when they plan to fully
leverage the capabilities of PIV credentials for physical and logical
access controls. However, the implementation plans that OMB refers to
are based on a template that requires agencies to provide only the
dates they plan to complete major activities, such as becoming fully
compliant with HSPD-12 and having a plan for phasing in physical and
logical access controls. This template does not require that agencies
develop detailed, risk-based plans, which would include an assessment
of the cost of implementing advanced authentication capabilities and
the rationale for specific implementation approaches. Without such
detailed plans, agencies may not properly and consistently ensure that
their HSPD-12 implementations make the best use of the cards'
electronic capabilities or ensure that they are properly addressing
high-risk areas.
Regarding our recommendation that OMB require agencies to align the
acquisition of PIV cards with their plans for implementing the cards'
electronic authentication capabilities, the agency stated that HSPD-12
aligns with other information security programs. While OMB's statement
is correct, it would be more economical for agencies to time the
acquisition of PIV cards to coincide with the implementation of the
technical infrastructure necessary for enabling electronic
authentication techniques. This approach has not been encouraged by
OMB, which instead measures agencies primarily on how many cards they
issue.
Regarding our recommendation that OMB ensure guidance is developed that
maps existing physical security guidance to FIPS 201 guidance, the
agency stated that NIST is in the process of developing additional
guidance to clarify the relationship between facility security levels
and PIV authentication levels. Until such guidance is available,
agencies will likely continue either to delay in making decisions on
their implementations or to make decisions that may need to be modified
later.
OMB also provided additional comments, which we address in appendix IV.
Unless you publicly announce the contents of this report earlier, we
plan no further distribution until 30 days from the report date. At
that time, we will send copies to interested congressional committees;
the Secretaries of Homeland Security, Labor, Agriculture, Commerce, the
Interior, and HUD; the Director of OMB; the Executive Director for
Operations at NRC; and the Administrators of NASA and GSA. We will also
make copies available to others upon request. In addition, the report
will be available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staffs have any questions on the matters discussed in
this report, please contact me at (202) 512-6240 or by e-mail at
koontzl@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. Key contributors to this report are listed in appendix V.
Signed by:
Linda D. Koontz:
Director, Information Management Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to determine the progress that selected agencies
have made in (1) implementing the capabilities of the personal identity
verification (PIV) cards to enhance security and (2) achieving
interoperability with other agencies. We reviewed Homeland Security
Presidential Directive 12 (HSPD-12), Federal Information Processing
Standards (FIPS) 201, related Department of Commerce's National
Institute of Standards and Technology (NIST) special publications,
Office of Management and Budget (OMB) guidance, General Services
Administration (GSA) guidance, and HSPD-12-related industry guidance.
Using the results from the federal computer security report
cards[Footnote 17]--which include an assessment of physical security--
in conjunction with the results in GAO's most recent reports on federal
agencies' progress in adopting smart card technology[Footnote 18] and
implementation of HSPD-12,[Footnote 19] on a nonprobability basis, we
identified agencies that were in different stages of implementing smart
card programs and were using different strategies for implementing
HSPD-12. For example, we included agencies with no prior experience in
implementing smart card systems as well as agencies with years of
experience in implementing smart card systems. We also included
agencies that were using GSA's shared services offering as well as
agencies that were not. The agencies we selected were the Departments
of Agriculture (USDA), Commerce, Homeland Security (DHS), Housing and
Urban Development (HUD), the Interior, and Labor; the National
Aeronautics and Space Administration (NASA); and the Nuclear Regulatory
Commission (NRC).[Footnote 20]
To determine the progress selected agencies had made in implementing
the capabilities of the HSPD-12-compliant cards, we analyzed
documentation such as agencies' high-level plans for HSPD-12
implementation, system architectures, cost estimates, and documentation
of agencies' implementation activities. We also interviewed officials
from the selected agencies to obtain additional information on the
actions their agencies took to implement PIV cards and the associated
infrastructure. In addition, we compared the functionalities of the PIV
card that each agency had implemented with the key functionalities that
an agency could implement as set forth in FIPS 201.
We also interviewed GSA, NIST, and OMB officials to obtain additional
information on guidance and agencies' efforts. We used the information
provided by agency officials to identify the factors contributing to
agencies' limited progress. We also presented the issues we identified
to industry groups and obtained their feedback and additional
information on the issues.
To determine agencies' progress toward achieving cross-agency
interoperability, we reviewed and analyzed documentation from the
Architecture Working Group, such as existing interface specifications.
We obtained and analyzed briefings with status updates on plans to
enable cross-agency authentication. We also met with GSA officials and
industry experts to discuss the steps that have been taken to establish
cross-agency interoperability. We used this information to identify
what steps have been taken and what steps remain to establish
cross-agency interoperability.
We performed our work at Commerce, DHS, GSA, HUD, Interior, Labor,
NASA, NIST, NRC, OMB, and USDA in the Washington, D.C., metropolitan
area from June 2007 to February 2008. We conducted this audit in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
[End of section]
Appendix II: Requirements and Components of PIV-II:
The requirements of PIV-II include the following:
* specifications for the components of the PIV system that employees
and contractors will interact with such as PIV cards, card and
biometric readers, and personal identification number (PIN) input
devices;
* security specifications for the card issuance and management
provisions;
* a suite of authentication mechanisms supported by the PIV card and
requirements for a set of graduated levels of identity assurances;
* specifications for the physical characteristics of PIV cards,
including requirements for both contact and contactless interfaces and
the ability to pass certain durability tests; and
* mandatory information that is to appear on the front and back of the
cards, such as a photograph, cardholder name, card serial number, and
issuer identification.
There are many components of a PIV-II system, including the following:
* Enrollment stations--used by the issuing agency to obtain the
applicant's information, including digital images of fingerprints and a
digital photograph.
* ID management system--stores and manages cardholder information,
including the status of assigned credentials.
* Card issuance stations--issue PIV cards to applicants. Prior to
releasing a PIV card to the applicant, the issuer first matches the
applicant's fingerprint to the fingerprint on the PIV card. Once a
match has been verified, the applicant is issued the card.
* Card management system--manages life-cycle maintenance tasks
associated with the credentials, such as "unlocking" the PIV cards
during issuance or updating a PIN or digital certificate on the
card.
* Physical access control system--permits or denies a user access to a
building or room. This system may employ a variety of authentication
mechanisms, ranging from visual inspection by a guard to fingerprint
scanning. Once the user has been authenticated and access has been
authorized, the physical access control system grants entry to the user.
* Logical access control system--permits or denies a user access to
information and systems. This system may employ a variety of
authentication methods, such as requiring users to enter a password or
perform a fingerprint scan.
* Public key infrastructure (PKI)--allows for electronic verification
of the status of a PIV card and its authorizations by consulting an
electronic database to determine whether the digital certificates
contained on the card have been revoked.
[End of section]
Appendix III: Selected NIST Guidance:
NIST has issued several special publications providing supplemental
guidance on various aspects of the FIPS 201 standard. Selected special
publications are summarized in this appendix.
NIST SP 800-73-1, Interfaces for Personal Identity Verification, April
2006:
SP 800-73-1 is a companion document to FIPS 201 that specifies the
technical aspects of retrieving and using the identity credentials
stored in a PIV card's memory. This special publication aims to promote
interoperability among PIV systems across the federal government by
specifying detailed requirements intended to constrain vendors'
interpretation of FIPS 201.[Footnote 21] SP 800-73-1 also outlines two
distinct approaches that agencies may take to become FIPS 201-compliant
and specifies a set of requirements for each approach: one set for
transitional card interfaces that are based on the Government Smart
Card Interoperability Specification (GSC-IS), version 2.1, and another
set for end-point card interfaces that are more fully compliant with
the FIPS 201 PIV-II card specification. Federal agencies that have
implemented smart card systems that are based on the GSC-IS can elect
to adopt the transitional specification as an intermediate step before
moving to the end-point specification. However, agencies with no
existing implementation are directed to implement PIV systems that meet
the end-point specification.
SP 800-73-1 includes requirements for both the transitional and
end-point specifications and is divided into the following three parts:
* Part 1 specifies the requirements for a PIV data model that is
designed to support dual interface (contact and contactless) cards. The
mandatory data elements outlined in the data model are common to both
the transitional and end-point interfaces and include strategic
guidance for agencies that are planning to take the path of moving from
the transitional interfaces to the end-point interfaces.
* Part 2 describes the transitional interface specifications and is for
use by agencies with existing GSC-IS-based smart card systems.
* Part 3 specifies the requirements for the end-point PIV card and
associated software applications.
NIST SP 800-85A, PIV Card Application and Middleware Interface Test
Guidelines, April 2006:
SP 800-85A outlines a suite of tests to validate a software developer's
PIV middleware[Footnote 22] and card applications to determine whether
they conform to the requirements specified in SP 800-73-1. This special
publication also includes detailed test assertions[Footnote 23] that
provide the procedures to guide the tester in executing and managing
the tests. This document is intended to allow (1) software developers
to develop PIV middleware and card applications that can be tested
against the interface requirements specified in SP 800-73-1; (2)
software developers to develop tests that they can perform internally
for their PIV middleware and card applications during the development
phase; and (3) certified and accredited test laboratories to develop
tests that include the test suites specified in this document, and that
can be used to test the PIV middleware and card applications for
conformance to SP 800-73-1.
NIST SP 800-85B, PIV Data Model Test Guidelines, July 2006:
SP 800-85B outlines a suite of tests to validate a developer's PIV data
elements and components to determine whether they conform to the
requirements specified in SP 800-73-1, SP 800-76, and SP 800-78. This
special publication also includes detailed test assertions that provide
the procedures to guide the tester in executing and managing the tests.
This document is intended to allow (1) developers of PIV components to
develop modules that can be tested against the requirements specified
in SP 800-73-1, SP 800-76, and SP 800-78; (2) developers of PIV
components to develop tests that they can perform internally for their
PIV components during the development phase; and (3) accredited test
laboratories to develop tests that include the test suites specified in
this document, and that can be used to test the PIV components for
conformance to SP 800-73-1, SP 800-76, and SP 800-78.
NIST SP 800-76-1, Biometric Data Specification for Personal Identity
Verification, January 2007:
SP 800-76-1 outlines technical acquisition and formatting
specifications for the biometric credentials of the PIV system,
including the PIV card.
[End of section]
Appendix IV: Comments from the Office of Management and Budget:
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
Executive Office Of The President:
Office Of Management And Budget:
Washington, D. C. 20503:
January 25, 2008
Ms. Linda D. Koontz:
Director:
Information Management Issues:
Government Accountability Office:
441 G Street, SW:
Washington, DC 20548:
Dear Ms. Koontz:
Thank you for the opportunity to comment on the draft Government
Accountability Office (GAO) report titled "Electronic Government:
Additional OMB Leadership Needed to Optimize Use of Federal Employee
Identification Cards" (GAO-08-292).
In the draft report, GAO made four recommendations for Office of
Management and Budget (OMB) executive action. The report recommended
the Director of OMB revise the agency's approach to overseeing
implementation of Homeland Security Presidential Directive (HSPD-12) by
taking the following four actions: (1) Establish realistic milestones
for the full implementation of the infrastructure needed to best use
the electronic authentication capabilities of Personal Identity
Verification (PIV) cards in agencies; (2) Treat the HSPD-12
implementation as an investment by requiring each agency develop a
detailed plan based on a risk-based assessment of the agency's physical
and logical access control needs that supports the extent to which
electronic authentication capabilities are to be implemented; (3)
Require agencies to align the acquisition of PIV cards with plans for
implementing their technical infrastructure to best use the card's
electronic authentication capabilities; and (4) Ensure guidance is
developed mapping existing physical security guidance to FIPS 201
guidance.
OMB has taken GAO's recommendations under advisement. These comments
are in addition to the staff level comments previously provided to you.
We offer the following comments to your recommendations in the draft
report:
Recommendations 1 and 2: OMB agrees with GAO it is important to set
milestones for implementing the necessary infrastructure to best use
the electronic capabilities of the PIV cards. OMB also agrees agency
investments supporting HSPD-12 implementation should be risk-based.
However, OMB does not believe additional guidance on these issues is
necessary at this time. OMB's previous guidance regarding HSPD-12
implementation required agencies to develop implementation
plans[Footnote 24] and provide milestones identifying when they intend
to fully leverage the capabilities of PIV credentials for physical and
logical access control.[Footnote 25] In addition, OMB's previous
guidance regarding E-Authentication[Footnote 26] required agencies to
take a risk-based approach in developing their electronic
authentication systems. It is important to note prior to the issuance
of HSPD-12, agencies were verifying the identities of their employees
and contractors, and issuing IDs. HSPD-12 is an additional identity
authentication requirement. In addition, since agencies are beginning
to implement plans for using the electronic capabilities of the
credentials and are publicly updating the status of their efforts to
complete background investigations and issue those credentials (two
key components of their implementation plans), we feel additional
guidance for agencies on the content of these plans is not necessary at
this time.
Recommendation 3: With respect to the recommendation to align the
acquisition of PIV cards with plans for implementing technical
infrastructure, we recommend the report include recognition of the
relationship between the HSPD-12 goals and objectives and agency
information security programs. For example, HSPD-12 aligns with other
security activities such as the requirement for agencies to develop
plans for implementing two-factor authentication for remote access to
federal information systems.[Footnote 27] As noted above, we are
currently monitoring agencies' progress by the number of credentials
issued and we understand some of the agencies are already beginning to
implement plans for using the electronic capabilities of the
credentials.
Recommendation 4: This recommendation requests guidance be developed
mapping existing physical security guidance to FIPS 201 guidance. The
FIPS 201-1 Section 6[Footnote 28], dated March 2006, already defines a
mapping between authentication assurance levels and PIV authentication
methods, for both logical and physical access control systems. In
addition, National Institute of Standards and Technology (NIST) is
developing Special Publication 800-116, "A Strategy for the Use of PIV
Credentials in Physical Access Control Systems (PACS)," which provides
the relationship between Facility Security Levels and PIV
authentication use case assurance levels.
In addition to our comments on the recommendations, we offer the
following additional comments:
1) The standards and majority of guidance to support interoperability
have been developed and multi-jurisdictional interoperability has
already been demonstrated. NIST developed the FIPS 201 which defines
the standard for PIV credentials, and they also developed special
publications which provide additional technical requirements.
Additionally, GSA developed several interface specifications, along
with use cases. The following additional guidance is planned for
FY2008: (1) NIST Special Publication 800-116; (2) NIST Special
Publication 73-2, "Interfaces for Personal Identity Verification"; and
(3) the interface specification for exchanging Identity Management
System (IDMS) data. Additionally, we believe there is sufficient FISMA
guidance, including guidance regarding E-authentication[Footnote 29],
already available to assist agencies in determining the types of
authentication capabilities to implement for logical access.
(See comment 1.):
2) OMB disagrees with statements there is no framework in place for
agencies to electronically exchange status information on PIV
credentials. There is existing capability to determine the validity of
another agency user's credential. This capability is currently
available via Certificate Revocation List, On-line Certificate Status
Protocol, and Federal Bridge path validation services. For those
agencies wanting to exchange richer identity content, the IDMS
specification will be issued by GSA in FY2008.
(See comment 2.):
3) While we do not disagree some vendors may take several years to
develop systems capable of reading the full Cardholder Unique
Identifier (CHUID), the capability to read the full CHUID exists now.
For example, readers are currently available that read the full CHUID
but some system components (e.g., controllers) may need to be upgraded
so they may use the full CHUID as the identifier in determining whether
to grant access for an individual. Additionally, NIST is examining
alternative approaches for the CHUID with the objective of maximizing
operational efficiency without degrading security. Any alternative
approach will be backward compatible with currently compliant cards.
(See comment 3.):
4) Statements that OMB does not consider HSPD-12 to be a major
investment are inaccurate. OMB does not consider the process of
verifying the identity of employees and contractors and issuing
credentials to be a new investment.[Footnote 30] OMB has asked agencies
to utilize existing resources for existing and planned investments as
appropriate.
(See comment 4.):
5) In addition, we believe that the draft report does not adequately
identify the extensive guidance already available for agencies. Several
NIST publications are referenced in the draft, but OMB guidance is not
adequately addressed. This guidance includes:
* OMB Memorandum M-04-04, E-Authentication Guidance for Federal
Agencies, of December 16, 2003, which can be found at: [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf].
* OMB Memorandum M-05-24, Implementation of Homeland Security
Presidential Directive (HSPD) 12 – Policy for a Common Identification
Standard for Federal Employees and Contractors, of August 5, 2005,
which can be found at: [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf].
* OMB Memorandum M-06-06, Sample Privacy Documents for Agency
Implementation of Homeland Security Presidential Directive (HSPD) 12,
of February 17, 2006, which can be found at: [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-06.pdf].
* OMB Memorandum M-06-16, Protection of Sensitive Agency Information,
of June 23, 2006, which can be found at:
[hyperlink, http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf].
* OMB Memorandum of August 29, 2006, Homeland Security Presidential
Directive (HSPD) 12 Implementation Plan Update, which can be found at:
[hyperlink, http://www.whitehouse.gov/omb/inforeg/hspd12/hspd12_id_08-
2006.pdf].
* OMB Memorandum M-07-06, Validating and Monitoring Agency Issuance of
Personal Identity Verification Credentials, of January 11, 2007, which
can be found at: [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-06.pdf].
* OMB Memorandum M-07-16, Safeguarding Against and Responding to the
Breach of Personally Identifiable Information, of May 22, 2007, which
can be found at: [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf].
* OMB Memorandum M-08-01, HSPD-12 Implementation Status, of October 23,
2007, which can be found at:
[hyperlink, http://www.whitehouse.gov/omb/memoranda/fy2008/m08-
01.pdf].
* OMB Memorandum of October 26, 2007, Updated Instructions for Public
Reporting of Homeland Security Presidential Directive 12 (HSPD-12)
Implementation Status, which can be found at:
[hyperlink, http://www.whitehouse.gov/omb/inforeg/hspd12/hspd-
1ciomemo102607.pdf].
(See comment 5.):
6) Lastly, we would like to clarify all agencies were required to meet
the October 27, 2007 deadline for completion of background
investigations for employees with 15 years or less service and all
contractors. As of October 27, 2008, agencies are expected to complete
background investigations for existing employees and contractors and
have the capability in place to issue credentials to all new employees
and contractors as part of their routine business process. Dates for
completing issuance of PIV credentials to existing employees and
contractors are indicated in agency/OMB mutually agreed-upon
implementation plans.
(See comment 6.):
We hope our comments will be reflected in GAO's final report. OMB will
continue to work with departments and agencies to promote the
successful implementation of the HSPD-12. As always, OMB is available
to discuss its comments on GAO's draft report and to respond to
questions on the Federal employee identification standard. If your
staff has any questions regarding OMB's comments, please call me at
202-395-1181.
Sincerely,
Signed by:
Karen S. Evans:
GAO Comments:
The following is GAO's response to the Office of Management and
Budget's (OMB) additional comments.
1. We updated the report to include the additional work under way to
enable interoperability.
2. We updated the report to discuss the capability of using PKI to
validate credentials from other agencies. However, as we discuss in the
report, procedures and specifications to enable cross-agency
interoperability using the cardholder unique identifier (CHUID) have
not been established. The CHUID is expected to be much more commonly
used than PKI. While PIV cards and FIPS 201-compliant readers may
technically be able to read the information encoded on any PIV card--
including cards from multiple agencies--this functionality is not
adequate to allow one agency to accept another agency's PIV card, based
on reading the card's CHUID. This is because there is no common
interagency framework in place for agencies to electronically exchange
critical information about the card's validity, based on reading the
CHUID.
3. We agree that PIV card readers currently exist that read the full
CHUID. However, existing physical access control panels--which must
receive and process information from the card readers--are unable to
process a full CHUID. While the full CHUID is up to 27,016 bits long,
most existing control panels for physical access control systems were
built to process only a 26-bit identification number, and even the
newest control panels are only able to process 256 bits at best.
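As an added illustration of the point in comment 3 (not code from the report, from OMB, or from any PIV product), the following Go program contrasts a reader path that validates the whole CHUID record with a legacy control-panel path that keeps only a 26-bit number. The record layout, the issuer key seed, the "low 26 bits" mapping and all card values are constructed assumptions for this example; the real CHUID encoding is defined in FIPS 201 and SP 800-73-1 and is not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// chuid is a constructed, simplified stand-in for the CHUID described in the
// report: a cardholder identifier, an expiration date, and an issuer signature
// covering both. It is NOT the FIPS 201 / SP 800-73-1 encoding.
type chuid struct {
	ID      uint64
	Expires time.Time
	Sig     []byte
}

// signedBytes serialises the fields the issuer signs (16 bytes).
func (c *chuid) signedBytes() []byte {
	buf := make([]byte, 16)
	binary.BigEndian.PutUint64(buf[0:8], c.ID)
	binary.BigEndian.PutUint64(buf[8:16], uint64(c.Expires.Unix()))
	return buf
}

// newIssuer derives a fixed (constructed) issuer key pair so runs are repeatable.
func newIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("constructed-issuer-seed-32-bytes") // exactly 32 bytes
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// issue personalises a card record and signs it with the issuer key.
func issue(priv ed25519.PrivateKey, id uint64, expires time.Time) *chuid {
	c := &chuid{ID: id, Expires: expires}
	c.Sig = ed25519.Sign(priv, c.signedBytes())
	return c
}

// verifyFull is what a reader and control panel that process the whole record
// can do: check the issuer signature, the expiration date, and the full identifier.
func verifyFull(pub ed25519.PublicKey, enrolled map[uint64]bool, c *chuid, now time.Time) error {
	if !ed25519.Verify(pub, c.signedBytes(), c.Sig) {
		return errors.New("issuer signature does not verify")
	}
	if !now.Before(c.Expires) {
		return errors.New("card expired")
	}
	if !enrolled[c.ID] {
		return errors.New("identifier not enrolled")
	}
	return nil
}

// legacyID models a control panel that keeps only a 26-bit number, so it never
// sees the signature or the expiration date. Taking the low 26 bits is an
// assumption for illustration, not how any real panel derives its number.
func legacyID(c *chuid) uint32 {
	return uint32(c.ID & (1<<26 - 1))
}

// legacyAccepts grants access when the 26-bit number is in the panel's table.
func legacyAccepts(enrolled map[uint32]bool, c *chuid) bool {
	return enrolled[legacyID(c)]
}

// runScenarios compares both paths on constructed cards and returns, per
// scenario, [fullRecordPathAccepts, legacy26BitPathAccepts].
func runScenarios() map[string][2]bool {
	pub, priv := newIssuer()
	now := time.Date(2008, 2, 29, 12, 0, 0, 0, time.UTC) // constructed "today"
	valid := issue(priv, 0x0123456789ABCDEF, now.AddDate(5, 0, 0))
	expired := issue(priv, valid.ID, now.AddDate(-1, 0, 0))
	// Forged: the valid card's fields copied, but without a valid issuer signature.
	forged := &chuid{ID: valid.ID, Expires: valid.Expires, Sig: make([]byte, ed25519.SignatureSize)}
	// Collision: a genuine card for a different person whose low 26 bits match.
	colliding := issue(priv, valid.ID^(1<<40), now.AddDate(5, 0, 0))

	fullTable := map[uint64]bool{valid.ID: true}
	legacyTable := map[uint32]bool{legacyID(valid): true}
	cards := map[string]*chuid{"valid": valid, "expired": expired, "forged": forged, "colliding": colliding}
	out := make(map[string][2]bool, len(cards))
	for name, c := range cards {
		out[name] = [2]bool{verifyFull(pub, fullTable, c, now) == nil, legacyAccepts(legacyTable, c)}
	}
	return out
}

func main() {
	results := runScenarios()
	for _, name := range []string{"valid", "expired", "forged", "colliding"} {
		r := results[name]
		fmt.Printf("%-9s full-record path accepts=%-5v 26-bit path accepts=%v\n", name, r[0], r[1])
	}
}
```

Only the valid card passes the full-record path; the 26-bit path accepts all four, because the signature and expiration it would need to reject the others are exactly the fields it cannot carry.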
4. We clarified the report to reflect that OMB does not consider the
implementation of HSPD-12 to be a major new investment.
5. We added references to additional OMB guidance in our report.
6. Regarding OMB's comment on the implementation dates, the report notes
both OMB's original deadlines and the fact that on October 23, 2007,
OMB modified its guidance to indicate that agencies not meeting OMB's
milestones would be directed instead to meet alternate milestones that
had been mutually agreed upon by the agency and OMB.
Appendix V: GAO Contact and Staff Acknowledgments:
GAO Contact:
Linda Koontz, (202) 512-6240, koontzl@gao.gov:
Staff Acknowledgments:
In addition to the individual named above, John de Ferrari (Assistant
Director), Neil Doherty, Nancy Glover, Emily Longcore, James MacAulay,
Shannin O'Neill, James Rosen, and Glenn Spiegel made key contributions
to this report.
[End of section]
Glossary:
Access Control:
Process of determining the permissible activities of users and
authorizing or prohibiting activities by each user.
Application Programming Interface:
The interface between the application software and the application
platform (i.e., operating system), across which all services are
provided.
Authentication:
Process of confirming an asserted identity with a specified or
understood level of confidence.
Authorization:
Granting the appropriate access privileges to authenticated users.
Biometric Template:
A digital record of an individual's biometric features. Typically, a
livescan of an individual's biometric attributes is translated through
a specific algorithm into a digital record that can be stored in a
database or on an integrated circuit chip.
Biometrics:
Measures of an individual's unique physical characteristics or the
unique ways that an individual performs an activity. Physical
biometrics include fingerprints, hand geometry, facial patterns, and
iris and retinal scans. Behavioral biometrics include voice patterns,
written signatures, and keyboard typing techniques.
Card Management System:
A system that manages life-cycle maintenance tasks associated with the
credentials, such as unlocking the PIV cards during issuance or
updating a PIN or digital certificate on the card.
Cardholder Unique Identifier:
An element on the PIV card that provides for unique identification of
each cardholder, specifies when the PIV card expires, and includes a
digital signature capable of authenticating the card and verifying that
it has not been altered.
Certificate:
A digital representation of information that (1) identifies the
authority issuing the certificate; (2) names or identifies the person,
process, or equipment using the certificate; (3) contains the user's
public key; (4) identifies the certificate's operational period; and
(5) is digitally signed by the certificate authority issuing it. A
certificate is the means by which a user is linked--or bound--to a
public key.
Confidentiality:
The assurance that information is not disclosed to unauthorized
entities or computer processes.
Contactless Smart Card:
A smart card that can exchange information with a card reader without
coming in physical contact with the reader. Contactless smart cards use
13.56 megahertz radio frequency transmissions to exchange information
with card readers.
Credential:
An object, such as a smart card, that identifies an individual as an
official representative of a government agency.
Digital Signature:
The result of a transformation of a message by means of a cryptographic
system using digital keys, such that a relying party can determine (1)
whether the transformation was created using the private key that
corresponds to the public key in the signer's digital certificate and
(2) whether the message had been altered since the transformation was
made. Digital signatures may also be attached to other electronic
information and programs so that the integrity of the information and
programs may be verified at a later time.
Electronic Credentials:
The electronic equivalent of a traditional paper-based credential--a
document that vouches for an individual's identity.
Enrollment Station:
The location where an issuing agency obtains an applicant's
information, including digital images of fingerprints and a digital
photograph.
Identification:
The process of determining to what identity a particular individual
corresponds.
Identity:
The set of physical and behavioral characteristics by which an
individual is uniquely recognized.
Identity Management System:
A system that stores and manages cardholder information, including the
status of assigned credentials.
Identity Proofing:
The process of providing sufficient information, such as identity
history, credentials, and documents, to facilitate the establishment of
an identity.
Interoperability:
The ability of two or more systems or components to exchange
information and to use the information that has been exchanged.
Logical Access Control:
A mechanism for permitting or denying a user access to information and
systems.
Online Certificate Status Protocol:
A communications protocol that is used to determine whether a public
key certificate is still valid or has been revoked or suspended.
Personal Identity Verification Card:
A smart card that contains stored identity credentials--such as a
photograph, digital certificate and cryptographic keys, or digitized
fingerprint representations--that is issued to an individual so that
the claimed identity of the cardholder can be verified against the
stored credentials by another person or through an automated process.
Personal Identity Verification Card Issuer:
An accredited and certified organization that procures FIPS 201-
compliant blank smart cards; initializes them with the appropriate
software and data elements for the requested identity verification and
access control application; personalizes the cards with the identity
credentials of the authorized cardholders; and delivers the
personalized cards to the authorized cardholders, along with the
appropriate instructions for protection and use.
Personal Identity Verification Card Registrar:
An entity that authenticates an individual's identity applying for a
PIV card by checking the applicant's identity source documents through
an identity proofing process, and ensures that a proper background
check is completed before the credential and the PIV card is issued to
the individual.
Physical Access Control:
A method of permitting or denying a user access to a building or room.
Privacy:
The ability of an individual to control when and on what terms his or
her personal information is collected, used, or disclosed.
Public Key Infrastructure:
A system of hardware, software, policies, and people that, when fully
and properly implemented, can provide a suite of information security
assurances--including confidentiality, data integrity, authentication,
and nonrepudiation--that are important in protecting sensitive
communications and transactions.
Risk:
The expectation of loss expressed as the probability that a particular
threat will exploit a particular vulnerability with a particular
harmful result.
Smart Card:
A tamper-resistant security device--about the size of a credit card--
that relies on an integrated circuit chip for information storage and
processing.
Standard:
A statement published by organizations, such as NIST, the Institute of
Electrical and Electronics Engineers, the International Organization
for Standardization, and others, on a given topic--specifying the
characteristics that are usually measurable and must be satisfied to
comply with the standard.
[End of section]
Footnotes:
[1] Interoperability is the ability of two or more systems or
components to exchange information and to use the information exchanged.
[2] Smart cards are plastic devices--about the size of a credit card--
that use integrated circuit chips to store and process data, much like
a computer. This processing capability distinguishes these cards from
traditional magnetic strip cards, which store information but cannot
process or exchange data with automated information systems.
[3] GAO, Electronic Government: Agencies Face Challenges in
Implementing New Federal Employee Identification Standard, GAO-06-178
(Washington, D.C.: Feb. 1, 2006).
[4] The term "smart card" may also be used to refer to cards with a
computer chip that store information but do not provide any processing
capability. Such cards, known as "stored value cards," are typically
used for services such as prepaid telephone service or satellite
television reception.
[5] For more information about biometrics, see GAO, Technology
Assessment: Using Biometrics for Border Security, GAO-03-174
(Washington, D.C.: Nov. 15, 2002).
[6] For more information about PKI, see GAO, Information Security:
Advances and Remaining Challenges to Adoption of Public Key
Infrastructure Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001).
[7] In August 2005, OMB issued additional guidance to agencies
clarifying which elements of the standard for secure and reliable IDs
needed to be implemented by October 27, 2005.
[8] NIST's SP 800-79, Guidelines for the Certification and
Accreditation of PIV Card Issuing Organizations, describes a set of
attributes that should be exhibited by a PIV card issuer in order to be
accredited. The guidelines should be used by each agency for assessing
the reliability of any potential contractor for PIV card-issuing
services.
[9] Prior to HSPD-12, agencies were generally conducting some form of a
background check on their employees; however, the quality and
consistency of the background checks varied among agencies. FIPS 201
established a minimum standard that all agencies must meet for
conducting background checks on employees and contractors.
[10] In January 2007, OMB issued another memorandum to the chief
information officers that further clarifies that employees with more
than 15 years of service had to have PIV cards by October 27, 2008. In
addition, on October 23, 2007, OMB issued a memorandum indicating that
agencies not meeting OMB's milestones would be directed instead to meet
alternate milestones that had been mutually agreed to by the agency and
OMB.
[11] The Federal Identity Credentialing Committee is composed of
representatives from federal agencies and departments and is intended
to assist agencies in implementing governmentwide credentialing
capabilities.
[12] The Federal Public Key Infrastructure Policy Authority is an
interagency body that is under the Chief Information Officers Council.
It enforces digital certificate standards for trusted identity
authentication across the federal government.
[13] The Smart Card Interagency Advisory Board is composed of
representatives from federal agencies and is intended to share
information with federal agency and private sector representatives
regarding HSPD-12 implementation activities.
[14] GAO-06-178.
[15] GAO-06-178.
[16] GAO-06-178.
[17] The federal computer security report cards are prepared annually
by the House Committee on Oversight and Government Reform, based on
agencies' information security reports directed by the Federal
Information Security Management Act of 2002.
[18] GAO, Electronic Government: Agencies Face Challenges in
Implementing New Federal Employee Identification Standard, GAO-06-178
(Washington, D.C.: Feb. 1, 2006).
[19] We did not include the Department of Defense in this review
because the department is taking an alternative approach to
implementing HSPD-12 and, therefore, is not typical of federal
agencies' experiences.
[20] "Interoperability" is defined as the use of PIV identity
credentials, so that client-application programs, compliant card
applications, and compliant integrated circuit cards can be used
interchangeably by all information processing systems across the
federal government.
[21] Middleware is software that allows software applications running
on separate computer systems to communicate and exchange data. In this
case, middleware allows external software applications to interact with
applications on a smart card.
[22] Test assertions are statements of behavior, action, or condition
that can be measured or tested.
[23] GAO, Electronic Government: Progress in Promoting Adoption of
Smart Card Technology, GAO-03-144 (Washington, D.C.: Jan. 3, 2003); and
Electronic Government: Federal Agencies Continue to Invest in Smart
Card Technology, GAO-04-948 (Washington, D.C.: Sept. 8, 2004).
[24] OMB Memorandum M-05-24, Implementation of Homeland Security
Presidential Directive (HSPD) 12 – Policy for a Common Identification
Standard for Federal Employees and Contractors, of August 5, 2005,
which can be found at: [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf].
[25] OMB Memorandum of August 29, 2006, Homeland Security Presidential
Directive (HSPD) 12 Implementation Plan Update, which can be found at:
[hyperlink, http://www.whitehouse.gov/omb/inforeg/hspd12/hspd12_id_08-
2006.pdf].
[26] OMB Memorandum M-04-04, E-Authentication Guidance for Federal
Agencies, of December 16, 2003, which can be found at: [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf].
[27] OMB Memorandum M-06-16, Protection of Sensitive Agency
Information, of June 23, 2006, which can be found at [hyperlink,
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf].
[28] FIPS 201-1, Personal Identity Verification (PIV) of Federal
Employees and Contractors, of March 2006, which can be found at
[hyperlink, http://csrc.nist.gov/publications/PubsFIPS.html].
[29] NIST Special Publication 800-63, Electronic Authentication
Guidance, of April 2006, which can be found at: [hyperlink,
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf].
[30] Executive Order 10450, Security Requirements for Government
Employment, of April 27, 1953, which can be found at: [hyperlink,
http://www.archives.gov/federal-register/codification/executive-
order/10450.html].
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: