Agencies must develop plans by March 31 to fully implement the use of secure identity cards under Homeland Security Presidential Directive-12.
Federal News Radio obtained a draft copy of the memo that sources say the Homeland Security Department could issue as early as Friday. The final memo details five steps agencies must take to make secure ID cards work on their computer networks and physical access control systems.
The Office of Management and Budget also is expected to issue a memo in the near future as part of this effort to publicly give some momentum to the six-year-old mandate. The two agencies have been working on these memos for more than a year to push forward the use of secure ID cards.
“As of September 2010, agencies reported that approximately 4.9 million out of 5.8 million federal employees and contractors have completed background investigations, and 4.3 million have [HSPD-12] credentials,” wrote Greg Schaffer, DHS’s assistant secretary for cybersecurity and communications, in the draft memo. “With the majority of the federal workforce now in possession of the credentials, agencies are in a position to aggressively step up their efforts to use the electronic capabilities of the credentials.”
The memo also would give a much-needed kick-start to help agencies implement physical access control using the secure ID cards.
DHS and the General Services Administration will partner to implement the governmentwide architecture, the Federal Identity, Credential and Access Roadmap and Implementation Guidance (ICAM).
“This includes a DHS partnership with the GSA Public Building Service to ensure implementation of physical access requirements for federal buildings, under PBS’s purview, are implemented in accordance with the Federal Security Level Determinations for Federal Facilities – an Interagency Security Committee Standard and NIST guidelines,” Schaffer wrote.
Agencies have made the least progress in using HSPD-12 cards for physical access control. Only a handful of agencies have started to change over their systems.
GSA also issued a memo in October requiring agencies to better protect their building control systems from cyber attacks.
The DHS memo also requires agencies by Feb. 25 to name a senior official in charge of HSPD-12 implementation plan development.
Over the next two months, agency plans must include a strategy to ensure:
All new systems under development must use HSPD-12 cards prior to being made operational.
Starting in fiscal 2012, existing physical and logical access control systems must be upgraded to use the secure ID cards prior to the agency using funding for further development or technology refresh.
All procurements for products and services for facility and system access control must meet HSPD-12 standards and the Federal Acquisition Regulations to ensure interoperability.
Agencies will accept and electronically verify secure ID cards issued by other agencies.