Both of these documents signal how the White House wants to move services online for both federal employees and citizens. And to do this, the government must authenticate and verify identity, which would, in turn, improve cybersecurity and prevent identity theft.
These two documents would be among the first significant public statements the administration has made in the year it’s been in office. The White House mentioned the need for strong identity in the President’s cyberspace review and again in the fiscal 2011 budget request and guidance to agencies.
But it hasn’t said much else about the path forward.
“Some departments got extra passback language because they needed a little more push to get to where OMB wished them to be,” says Paul Grant, special assistant for Federated Identity Management and External Partnering in the Defense Department’s chief information officer’s office, and the co-chairman of the CIO Council’s Federal Identity, Credential and Access Management Subcommittee.
Grant spoke Thursday at the Interagency Smart Card Advisory Board meeting in Washington.
He says the upcoming memo on using secure identity cards under Homeland Security Presidential Directive 12 follows the more general passback language that every agency received.
“In my case, DoD will write an identity, credential and access management transition plan documenting efforts to identify ICAM management activities and submit it back to OMB,” Grant says. “They are pretty serious. The guidance is in draft and we’ve seen a draft of the template OMB wishes to use to track agency progress.”
The memo is expected to be finalized in the next few weeks.
Sources say the memo also will address HSPD-12, similar to the requirements in the budget passback guidance.
This memo comes on the heels of OMB increasing pressure on agencies to meet HSPD-12 requirements.
One source, who requested anonymity because they were not approved to talk about this issue, says federal CIO Vivek Kundra held TechStat sessions with the Transportation and Veterans Affairs Departments and the Small Business Administration about their poor progress in issuing secure identity cards to employees and contractors.
As of the latest numbers from OMB from January, DOT has issued cards to only 31 percent of all contractors and employees who need them, SBA is at 23 percent and VA is at 6 percent.
The source says other sessions are expected for agencies who also are not meeting OMB’s HSPD-12 requirements, such as the Homeland Security Department (7 percent), Justice (19 percent) and Interior (50 percent).
Meanwhile, the White House’s cybersecurity coordinator’s office is circulating a partial draft of the Strategy to Secure Online Transactions.
Sources say Mike Butler has been on detail from the National Institute of Standards and Technology for the past few months to help lead this effort with Tom Lockwood from DHS.
Grant says the White House hopes to finalize the drafts strategy by April 23.
“Most of the things in there are dealing with pre-supposed strong credentialing, strong identity proofing and vetting,” he says. “It’s going to be a very high level document because it is 25 pages of national strategy. It’s hinged strongly upon the ICAM strategy.”
Aside from these two documents, there are several other identity management initiatives that agencies are teeing up.
Federal PKI Certificate Policy Working Group is reviewing a new set of criteria for non-federal entities to provide secure credentials or certificates as part of the Personnel Identity Verification-Interoperable (PIV-I) standard.
Grant says these companies, such as VeriSign, Entrust, ORC and even Citibank, would need to pick up the extra requirements of the PIV-I, which requires strong identity proofing and vetting of an individual.
“This would be another cross-certification for the Federal PKI bridge,” he says. “We expect the citizenry initially to be at the lower assurance levels because they do not have high assurance credentials and many of the smaller companies. But the people who have large volumes of either privacy or sensitive information to do business with us or among themselves must have the stronger credentials not to violate law or federal regulations.”
The Defense Department, the Committee on National Security Systems (CNSS) and the CIO Council also are working on strong identity credentials for classified systems.
Grant says DoD once considered using the HSPD-12 card to access secret networks, but decided on a different approach.
Now CNSS and the CIO Council are developing a new standard based on the ICAM work. Grant says CNSS wants to just fill in the gaps between the ICAM standard and the needs of the national security audience.
Grant says DoD expects to begin a proof of concept with a new card for logical secret network access later this year, and eventually the card could be used for top secret and beyond.
“The idea is this would be a separate card with DoD taking the leading initially, but to become the CNSS card for all classified systems across the executive branch under the authority of the CNSS,” he says. “It would be a different card than the PIV. All employees would have a PIV, but not all employees would have this second card.”
Grant also says the legislative and judicial branches have voluntarily agreed to follow the HSPD-12 standards for physical and computer network access.
(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)