by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : September 2014
CYBEREYE BY WILLIAM JACKSON LAST MONTH MARKED the 10th anniversary of Home- land Security Presidential Di- rective-12, mandating the use of an interoperable smart ID card for civilian government employees and contractors. The results of the program so far range from the impressive to the disappointing. "I would call the program- matic platform a huge suc- cess," said Ken Ammon, chief strategy o cer for Xceedium, an ID management software vendor. As of the first quarter of this year, 5.4 million Per- sonal Identity Verification (PIV) cards have been issued to civilian employees and contractors, accounting for 96 percent of those who need the cards. Given employee turnover and the need to peri- odically reissue the cards, the coverage is quite good. The challenge now is hav- ing them used as they were intended, as strong, two- factor authentication for both logical and physical access across agencies. This is a multifaceted challenge that is proving to be a much tougher nut to crack than designing and issuing the cards. HSPD-12 was issued Aug. 27, 2004, by then-President George W. Bush. The heart of the mandate was simple. Inconsistencies in govern- ment IDs left the government vulnerable to terrorist attack. "Therefore, it is the policy of the United States to enhance security, increase government e ciency, reduce identity fraud and protect personal privacy by establishing a mandatory, governmentwide standard for secure and reliable forms of identifica- tion issued by the federal government to its employees and contractors (including contractor employees)." The National Institute of Standards and Technol- ogy was given six months to produce the standards, which included identity vetting and secure, interoperable digital technology. Eight months after that, agencies would have to require use of the cards, "to the maximum extent practicable," for access both to physical facilities and IT systems. The first part of this e ort, developing the standard and technical specifications and designing, producing and issuing the PIV cards, is the programmatic success Am- mon cited. But the second part, the qualification "to the maximum extent practicable," has proved to be a speed bump. Seven years after the directive, the Government Accountability O ce con- cluded in 2011 that although substantial progress had been made in issuing PIV cards and fair progress in using them for physical access to government facilities, only limited prog- ress had been made in using them for access to govern- ment networks and minimal progress in cross-agency acceptance. A year later, increasing the use of PIV and the mili- tary s Common Access Card credentials was identified by the White House as a priority area for improvement. Agen- cies were given until March 31, 2012, to develop policies for the use of these creden- tials. Reasons for the lack of widespread use cited by GAO were not technical, but ad- ministrative: Logistics, agency priorities and of course budgets. "According to agency o cials, a lack of funding has ...slowed the use of PIV cre- dentials," the report stated. But technology also is an issue, as the card is only one element in any authentication system. Use of the electronic credentials in the cards has to be incorporated into systems already in place, or those sys- tems must be replaced. Under a 2011 White House direc- tive, all new systems under development at agencies must be enabled for PIV credentials and existing systems were to be upgraded by fiscal 2012. Like many unfunded mandates, this has been a tough one to meet. And in the meantime, technology keeps changing. Mobile computing, for instance, means that many government workers are us- ing tablets and cell phones for work. Technically these should require PIV authenti- cation for government work, but many are not equipped to accommodate that. HSPD-12 is not a failure, but it could be doing a lot better if strong, two-factor au- thentication was a higher pri- ority within agencies. How- ever, the the rapid pace of technological change makes it unlikely that any government- mandated technology will ever be completely successful. Even so, much more could be done. • Happy birthday, HSPD-12 Ten years on, the use of the smart card as a strong, two-factor authentication system for logical and physical access across agencies is proving a much tougher nut to crack than designing and issuing the cards. GCN SEPTEMBER 2014 • GCN.COM 11