
Lessons of HSPD-12

By Bob Violino, CSO
December 19, 2012 10:35 AM ET

CSO - Many federal government agencies are well into their efforts to comply with Homeland Security Presidential Directive 12 (HSPD-12), designed to improve identity management among the government entities and their main suppliers.


But like the regulatory pain private enterprise continues to experience with the likes of HIPAA and Sarbanes-Oxley, efforts to comply with the directive have gone slowly for government agencies, showing just how difficult it can be to implement a broad security initiative across a multitude of organizations.

HSPD-12, issued in 2004 by President George W. Bush, requires agencies to implement a common identity management system for employees and contractors. It's aimed at enhancing security, reducing identity fraud and protecting personal privacy by means of secure and reliable identification.

The U.S. Office of Management and Budget (OMB), in providing instructions and deadlines to federal departments and agencies to comply with HSPD-12, noted that approaches to physical and information security have been inefficient and costly, and increase risks to the federal government. OMB says successful implementation of HSPD-12 will increase the security of federal facilities and information systems.


From NIST to FIPS-PIV

The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) -- working in conjunction with private industry and other federal agencies including OMB, the Office of Science and Technology Policy and the Departments of Defense, State, Justice and Homeland Security -- developed a standard for a common government-wide identification system in 2005.

The standard, Federal Information Processing Standard (FIPS) for a personal identity verification (PIV) system, is based on the use of smart cards, to be issued by all federal departments and agencies to their employees and contractors who require access to federal facilities and information systems.

HSPD-12 requires that identification mechanisms be based on sound criteria for verifying an individual's identity. They must be strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation; rapidly authenticated electronically; and issued only by providers whose reliability has been established by an official accreditation process.

"PIV is intended as the single credential to be used by employees and contractors of the executive branch to electronically verify identity and be trusted prior to gaining authorization for access to logical systems and federal facilities," says a spokesperson for OMB. It's designed to be interoperable across the breadth of the executive branches, so agencies can attain a high level of assurance in a single credential that's electronically verified without the need to issue other credentials when working across agency domains, he says.

Use of PIV credentials isn't required for access to federal applications where identity assurance is not needed (for example, low-risk, public-facing websites, blogs, etc.).
