GAO: HSPD-12 progress made, but still a ways to go
10 April, 2008
category:
The Government Accountability Office says the White House Office of Management and Budget needs to make some changes to how interoperable identification credentials are being deployed throughout the federal government.
Linda Koontz, director of Information Management Issues at the GAO, gave the recommendation during a hearing Wednesday on HSPD-12 in front of the U.S. House of Representative Subcommittee on Government Management, Organization, and Procurement. The complete list of witnesses can be found here. The GAO says progress has been made with issuing ID cards to federal employees and contractors but there are still issues that need to be addressed.
“The eight agencies we reviewed—the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the Nuclear Regulatory Commission; and the National Aeronautics and Space Administration—had generally completed background checks on most of their employees and contractors and established basic infrastructure, such as purchasing card readers. However, none of the agencies met OMB’s goal of issuing PIV cards by October 27, 2007, to all employees and contractor personnel who had been with the agency for 15 years or less. In addition, for the limited number of cards that had been issued, agencies generally had not been using the electronic authentication capabilities on the cards and had not developed implementation plans for those authentication mechanisms.”
The GAO recommends:
- “OMB establish realistic milestones for full implementation of the infrastructure needed to best use the electronic authentication capabilities of PIV cards in agencies.
- “OMB require each agency to develop a risk-based, detailed plan for implementing electronic capabilities.
- “OMB require agencies to align the acquisition of PIV cards with plans for implementing the cards’ electronic authentication capabilities. In response, OMB stated that HSPD-12 aligns with other information security programs. While OMB’s statement is correct, it would be more economical for agencies to time the acquisition of PIV cards to coincide with the implementation of the technical infrastructure necessary for enabling electronic authentication techniques. This approach has not been encouraged by OMB, which instead measures agencies primarily on how many cards they issue.”
Check back later for more information on the hearing.