Personal ID VerificationAgencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards Gao ID: GAO-11-751 September 20, 2011
To increase the security of federal facilities and information systems, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in 2004. This directive ordered the establishment of a governmentwide standard for secure and reliable forms of ID for employees and contractors who access government-controlled facilities and information systems. The National Institute of Standards and Technology (NIST) defined requirements for such personal identity verification (PIV) credentials based on "smart cards"--plastic cards with integrated circuit chips to store and process data. The Office of Management and Budget (OMB) directed federal agencies to issue and use PIV credentials to control access to federal facilities and systems. GAO was asked to determine the progress that selected agencies have made in implementing the requirements of HSPD-12 and identify obstacles agencies face in implementing those requirements. To perform the work, GAO reviewed plans and other documentation and interviewed officials at the General Services Administration, OMB, and eight other agencies.
Overall, OMB and federal agencies have made progress but have not fully implemented HSPD-12 requirements aimed at establishing a common identification standard for federal employees and contractors. OMB, the federal Chief Information Officers Council, and NIST have all taken steps to promote full implementation of HSPD-12. For example, in February 2011, OMB issued guidance emphasizing the importance of agencies using the electronic capabilities of PIV cards they issue to their employees, contractor personnel, and others who require access to federal facilities and information systems. The agencies in GAO's review--the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the National Aeronautics and Space Administration; and the Nuclear Regulatory Commission--have made mixed progress in implementing HSPD-12 requirements. Specifically, they have made substantial progress in conducting background investigations on employees and others and in issuing PIV cards, fair progress in using the electronic capabilities of the cards for access to federal facilities, and limited progress in using the electronic capabilities of the cards for access to federal information systems. In addition, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies. The mixed progress can be attributed to a number of obstacles agencies have faced in fully implementing HSPD-12 requirements. Specifically, several agencies reported logistical problems in issuing credentials to employees in remote locations, which can require costly and time-consuming travel. In addition, agencies have not always established effective mechanisms for tracking the issuance of credentials to federal contractor personnel--or for revoking those credentials and the access they provide when a contract ends. The mixed progress in using the electronic capabilities of PIV credentials for physical access to major facilities is a result, in part, of agencies not making it a priority to implement PIV-enabled physical access control systems at all of their major facilities. Similarly, a lack of prioritization has kept agencies from being able to require the use of PIV credentials to obtain access to federal computer systems (known as logical access), as has the lack of procedures for accommodating personnel who lack PIV credentials. According to agency officials, a lack of funding has also slowed the use of PIV credentials for both physical and logical access. Finally, the minimal progress in achieving interoperability among agencies is due in part to insufficient assurance that agencies can trust the credentials issued by other agencies. Without greater agency management commitment to achieving the objectives of HSPD-12, agencies are likely to continue to make mixed progress in using the full capabilities of the credentials. GAO is making recommendations to nine agencies, including OMB, to achieve greater implementation of PIV card capabilities. Seven of the nine agencies agreed with GAO's recommendations or discussed actions they were taking to address them; two agencies did not comment.Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.Director: Gregory C. Wilshusen Team: Government Accountability Office: Information Technology Phone: (202) 512-6244