Only 5,567 of 250,000 employees had PIV cards as of Sept. 2009
The Department of Homeland Security (DHS) is far behind in its effort to fulfill a federal mandate to issue tamperproof identification cards to its employees to provide them with secure physical and logistical access to department resources, the DHS inspector general (IG) reported Tuesday.
The White House ordered the adoption of secure identification cards across the federal government in Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, on August 12, 2007. Under the mandate, federal agencies were free to pursue their own strategies and plans for producing identification cards that met the requirements of the order, which aimed to boost security, increase efficiency, discourage identity fraud, and protect privacy.
DHS has set up credentialing and issuing procedures for the HSPD-12 identification cards, but it has lagged far behind in getting them into the hands of its employees, said the IG report, Resource and Security Issues Hinder DHS' Implementation of Homeland Security Presidential Directive 12.
The deadline for issuing credentials to all federal employees under HSPD-12 was Oct. 27, 2008. But as of Sept. 22, 2009, DHS had issued only 15,567 credentials to its roughly 250,000 full-time employees and contractors.
"Due to weak program management, including insufficient funding and resources, and a change in its implementation strategy, the department is well behind the deadline for fully implementing an effective HSPD-12 program," the IG report stated.
Not only has the department missed the deadline by a wide margin but its strategy is not fully meeting the requirements of HSPD-12, the IG report concluded.
"In addition, the department faces significant challenges in meeting HSPD-12 directive requirements for logical access to its information systems," the report read. "Furthermore, system security and account management controls are not effective in protecting personally identifiable information collected and stored from unauthorized access. Existing security issues must be addressed to allow for the deployment of a robust, efficient, and secure interoperable identity card and issuance system department-wide."
To correct these problems, the IG office made a number of recommendations to the DHS chief security officer (CSO) and chief information officer (CIO), who have begun implementing many of them already.
The IG report urged the officials to ensure the HSPD-12 program management office have the appropriate staffing and funding to manage the DHS HSPD-12 program. They also should develop a regional implementation plan with specific milestones to track the progress of HSPD-12 implementation.
The CSO has drawn up a satisfactory implementation plan, scheduled to be complete by Jan. 30. The CSO office intends to issue personal identity verification (PIV) cards to DHS employees in New York City; Los Angeles; and Dallas, Texas, in the second quarter of fiscal 2010.
DHS should include cost estimates for compliance with HSPD-12 over a period of no less than five years and set priorities for meeting physical and logical access interoperability requirements in its plans, the report said. DHS also must produce a comprehensive list of facility access points and information systems that would require use of the HSPD-12 PIV cards.
The CSO has developed a cost estimate that projects about $24 million in funding for HSPD-12 in fiscal 2010. The office is completing a consolidated physical security cost estimate, which it plans to complete in April. DHS plans to complete a separate cost estimate for computer network access by Sept. 30. Further, the CSO plans to complete a physical access roadmap for facilities by March 2010 and the CIO, an information systems roadmap by Sept. 30.
The IG office also discovered it could access personally identifiable information from contractor databases, so it recommended the CSO take steps to address that problem.
Specifically, the CSO should work with the CIO to address configuration, card management, and user account issues; to develop a management policies and procedures for safeguarding data; and to ensure the certification and accreditation of its physical access control system, the IG report recommended.
DHS also must define auditable policies and procedures for granting and disabling access controls with measures for PIV card revocation, suspension, and destruction.
The CSO vowed to develop guidelines for many of these needs by Jan. 30.
|
Columns 
