The beginning of an HSPD-12 rewrite?

I’ve heard rumors over the last few months about a possible reconsideration of the identity management technologies agencies are implementing under Homeland Security Presidential Directive-12 (HSPD-12). It’s not so much about how the National Institute of Standards and Technology has been updating its Personal Identity Verification (PIV) standard over the years, but more about the fact that HSPD-12 is 10 years old and the thinking about how to securely access networks and verify identities has made several leaps forward since 2004.

The latest sign that change is coming is the naming of new co-chairmen of the Identity, Credential and Access Management Subcommittee of the CIO Council’s Information Security and Identity Management Committee (ISIMC).

In an email obtained by Federal News Radio, the ISIMC named Grant Schneider, a senior advisor for cybersecurity in the Office of Management and Budget, and Jim Sheire, who will be on detail to GSA’s Office of Governmentwide Policy from NIST in the coming weeks, as the new leaders of the subcommittee.

The two, who officially take over Nov. 5, will replace Deb Gallagher, GSA’s director of the identity assurance and trusted access division; Paul Grant, the Defense Department’s strategy advisor for cybersecurity in the CIO’s office; and Mike Maraya, the Commerce Department’s acting chief information security officer, all of whom have led the subcommittee for the last few years.

“Their leadership has been key to coordinating government-wide identity credential and access management efforts. We thank them for their dedication and tremendous contributions to the ICAMSC and look forward to their continued involvement in this area,” said the email from Kevin Deeley, the Justice Department’s CIO, David De Vries, acting principal deputy CIO for DoD, and Leo Scanlon, CISO for the National Archives and Records Administration, the co-chairmen of the CIO Council’s ISIMC.

The potential decision to reconsider how agencies should best verify and authenticate employee and contractor identities comes at a time when agencies still have not fully issued the technology to protect their computer networks. The Homeland Security Department issued a memo in 2011 requiring an implementation plan. OMB said starting in fiscal 2012 agencies had to update existing systems to fully implement HSPD-12 and strong authentication. OMB reported in the third quarter of fiscal 2014 on Performance.gov that the use of HSPD-12 increased governmentwide by 3.7 percent for a total of 64.6 percent of all agencies having met the White House’s goal of 75 percent implementation across all CFO Act agencies. But eight agencies have not even started implementation yet, including the departments of Interior and Labor.

And with President Barack Obama’s recent executive order to implement more secure PIN and chip technology on government credit cards and other transactions, there is a growing shift in the thinking about how best to secure online transactions and access.

So the continued agency struggles, the rise of cyber threats and attacks and the new technology all point to new thinking behind strong authentication.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.