Buried in an Aug. 27 blog post on identity management by Bill Zielinski, the General Services Administration’s assistant commissioner for the Office of Information Technology Category (ITC) in the Federal Acquisition Service, is a nugget of important news.
GSA announced that the Veterans Affairs Department is moving its smart card identity management program to its USAccess shared service.
By finally convincing VA to be a customer, GSA is almost doubling the number of customers using its identity credentialing service. Nearly 14 years after GSA launched the managed service, USAccess finally snagged its white whale, so to speak.
“This was a decision I wish I had made when I was there,” said Roger Baker, the former VA chief information officer during the Obama administration. “This was an ongoing project that never caused as much pain that the decision had to be made. VA decided to do its own PIV card system and that was a very complex and massive program. Anything at VA is like that because of the scale.”
And it’s that scale that makes this newsworthy, especially at a time when the Trump administration is strongly encouraging shared services and some agencies such as the Department of Health and Human Services are pulling back their shared services offerings, and the Interior Department is considering a similar move.
Historically, GSA provided managed services for smart identity cards for most small and micro agencies and several larger ones including USDA, Interior and Commerce.
But getting VA to join is a huge, long-time-in-coming win for the program.
“If you think about the system and the requirement to keep it modernized, the decision to move to GSA may have just come back to the modernization challenge and the fact that VA is better off just letting GSA deal with it,” Baker said. “These cards are more critical today than they were seven years ago because now they are required to access the network, to provide medical care and so much more. It’s not ‘just an access card,’ it does a lot of things.”
Move to new provider done by January
Since 2005 when President George W. Bush signed Homeland Security Presidential Directive-12 establishing the requirement to issue and use smart identity cards, VA provided the services to its employees. It operates and maintains its own personal identity verification (PIV) card management program. VA created an Office of Identity, Credential and Access Management (OICAM) to provide program management and oversight for the system, and the VA’s Office of Information and Technology (OIT) maintains it.
Baker said at one time during the mid-2010s the agency considered adopting the Defense Department’s Common Access Card, but decided against it in the end.
A VA spokeswoman said the decision to move to GSA came down to ensuring IT resources are more focused on serving veterans and their families.
“While the current VA card management system is hosted at a VA data center, USAccess will be hosted outside of VA’s infrastructure. By outsourcing this system to GSA, VA leadership will be able to focus VA IT resources to improve the Veteran Benefits and Health systems,” the spokeswoman said. “Veterans, taxpayers and VA employees will benefit from this move in numerous ways, including strengthened security at VA facilities, and reduced VA IT resources — both personnel and IT infrastructure. The new GSA equipment and the option to use GSA PIV card issuing facilities (PCIFs) will enable VA to focus on providing support to our Veterans instead of producing PIV badges. It also enhances VA’s capabilities to interoperate with other federal agencies by using the same PIV card that over 100 other agencies are using. Lastly, it stabilizes PIV badge costs for the VA, while eliminating the requirements to manage acquisition and maintenance contracts, freeing up resources across VA funding, acquisition, and contracting to focus on delivering support to our veterans.”
The spokeswoman said the move to GSA should take about four months starting in October to install new smart card facilities through USAccess. By January 2020, VA employees who need new or need to renew their PIV cards will go through the shared service.
Another reason for VA’s move is the Office of Management and Budget’s new identity management policy makes it easier for agencies to adopt current and emerging technologies for authentication and verification of users. While the requirements under HSPD-12 are not going away, per se, agencies now have a lot more flexibility for how to meet them. By getting out of the issuance and management of cards, VA OIT could focus its time and resources making identity access and verification more convenient.