Federal agencies and contractors have until Oct. 27 to define a new standard of personal identification. Thats the deadline for compliance with the first phase of Homeland Security Presidential Directive HSPD-12, which called in August of last year for the creation of a federal standard that was issued this past February as FIPS 201.
That standard requires "secure and reliable identification ... based on sound criteria for verifying an individual employees identity ... strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation" -- with the further capability of being "rapidly authenticated electronically" based on "an official accreditation process," with "graduated criteria" to meet varying levels of security needed for different situations.
Sure, we can do that by Thursday. Or maybe not.
I spoke last week with Jim Ganthier, Hewlett-Packards director of Worldwide Defense Intelligence and Public Safety Solutions, about a study that HP is releasing today of agencies readiness for HSPD-12 compliance. The September studys findings challenge the optimistic assessment of Karen Evans, Office of Management and Budgets administrator for e-government and IT, who said earlier this month that she expects broad achievement of compliance goals. "We have no choice but to meet the dates," shes quoted as having said in a conference appearance. Sorry, but thats like saying that a driver has "no choice" but to stop at a red light -- a choice that people fail to make for any number of reasons, including "but I didnt see it."
Not seeing the HSPD-12 deadline appears to be a common problem, according to the Hewlett-Packard data. Half of federal IT professionals have not heard of it; almost three out of five cannot state the identification programs main objectives, according to the study summary that I had a chance to review before general release. A third of the respondents said the main problem with compliance is lack of budget; another third tagged technical issues or shortage of staff as the principal problem; but as the study report observes, when half the respondents dont even know about a requirement, awareness probably deserves to be ranked as Problem # 1.
And only a fifth of the respondents expected to meet the Oct. 27 deadline.
I earlier compared missing this deadline to running a red light, and I made that comparison deliberately because there are times when one does that by choice. If an 18-wheeler is coming up behind you, blowing its horn and showing no sign of slowing down, and you see no cross traffic that poses a threat, you might decide that being actually safe is more important than following a well-intentioned safety rule. Implementing identification technology that isnt actually ready to meet its goals, but that radiates a misleading aura of next-generation reliability, could actually weaken security.
If we miss any part of the FIPS 201 standard, we make the problem worse. If we dont have a sound accreditation process, we may see unauthorized issuance of genuine credentials by insiders looking to supplement their income; if we dont achieve appropriately graduated criteria, well have too much identifying information available to too many people, and may make identify theft much easier than it is today.
I dont want to minimize the hardware issues of smart cards, biometrics and other key elements of this program. To a great extent, though, its up to application developers to make it happen by turning the rules into specifications, turning the specifications into code, and getting the code and the associated databases to play nicely with each other while shunning any would-be abusers.
Awareness doesnt just mean knowing the rules and following them; it also means having a professionals role in knowing, and communicating, the right thing to do about the rules and the problems that they purport to solve.
Tell me what rules you sometimes choose to break at firstname.lastname@example.org