Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard

GAO-06-178 February 1, 2006

Summary

Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President directed the establishment of a governmentwide standard--Federal Information Processing Standard (FIPS) 201--for secure and reliable forms of ID based on "smart cards" that use integrated circuit chips to store and process data with a variety of external systems across government. GAO was asked to determine (1) actions that selected federal agencies have taken to implement the new standard and (2) challenges that federal agencies are facing in implementing the standard.

The six agencies we reviewed--Defense, Interior, Homeland Security, Housing and Urban Development (HUD), Labor, and the National Aeronautics and Space Administration (NASA)--had each taken actions to begin implementing the FIPS 201 standard. Their primary focus has been on actions to address the first part of the standard, which calls for establishing appropriate identity proofing and card issuance policies and procedures and which the Office of Management and Budget (OMB) required agencies to implement by October 27, 2005. Agencies had completed a variety of actions, such as instituting policies to require that at least a successful fingerprint check be completed prior to issuing a credential. Regarding other requirements, however, efforts were still under way. For example, Defense and NASA reported that they were still modifying their background check policies. Based on OMB guidance, agencies have until October 27, 2006, to implement the second part of the standard, which requires them to implement interoperable smart-card-based ID systems. Agencies have begun to take actions to address this part of the standard. For example, Defense and Interior conducted assessments of technological gaps between their existing systems and the infrastructure required by FIPS 201 but had not yet developed specific designs for card systems that meet FIPS 201 interoperability requirements. The federal government faces significant challenges in implementing FIPS 201, including (1) testing and acquiring compliant commercial products--such as smart cards and card readers--within required time frames; (2) reconciling divergent implementation specifications; (3) assessing the risks associated with specific vendor implementations of the recently chosen biometric standard; (4) incomplete guidance regarding the applicability of FIPS 201 to facilities, people, and information systems; and (5) planning and budgeting with uncertain knowledge and the potential for substantial cost increases.
Until these implementation challenges are addressed, the benefits of FIPS 201 may not be fully realized. Specifically, agencies may not be able to meet implementation deadlines established by OMB, and more importantly, true interoperability among federal government agencies' smart card programs--one of the major goals of FIPS 201--may not be achieved.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Linda D. Koontz
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6240

Recommendations for Executive Action

Recommendation: The Director of OMB should take steps to closely monitor agency implementation progress and completion of key activities by, for example, establishing an agency reporting process, to fulfill its role of ensuring that agencies are in compliance with the goals of HSPD-12.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: In response to our recommendation, OMB has developed and implemented a process for monitoring agency progress in issuing HSPD-12 compliant credentials. Beginning on March 1, 2007, agencies were required to post to their federal agency public website quarterly reports on the number of personal identity verification (PIV) credentials issued to their employees, contractors, and other individuals. Agencies are also required to provide their quarterly reports to OMB. In addition, in August 2006, OMB required each agency to submit its updated HSPD-12 Implementation Plan to OMB for its evaluation. As a result, OMB has more insight into agencies' implementation progress and is better positioned to make management decisions to help ensure agencies implement HSPD-12.

Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to provide specific deadlines by which agencies implementing transitional smart card systems are to meet the "end-point" specification, thus allowing for interoperability of smart card systems across the federal government.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: In process

Comments: OMB officials stated that it was not clear to them whether there were interoperability problems between the transition cards and the end-state cards. They planned to wait and make a determination at a later date as to whether OMB needs to establish timelines for all agencies to move to the end-state specification. As of August 2007, OMB does not plan to issue timelines to agencies for moving from the transition-state to the end-state specification.

Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to provide guidance to agencies on assessing risks associated with the variation in the reliability and accuracy among biometric products, so that they can select vendors that best meet the needs of their agencies while maintaining interoperability with other agencies.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: In process

Comments: OMB does not see a need to issue any guidance in this area because it has not heard directly from any agencies that such guidance is needed.

Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to clarify the extent to which agencies should make risk-based assessments regarding the applicability of FIPS 201 to specific types of facilities, individuals, and information systems, such as small offices, foreign nationals, and volunteers. The updated guidance should (1) include criteria that agencies can use to determine precisely what circumstances call for risk-based assessments and (2) specify how agencies are to carry out such risk assessments.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: In process

Comments: OMB officials stated they do not intend to issue general guidance as recommended by GAO, stating that Federal Information Security Management Act (FISMA) procedures are adequate guidance to agencies on how to determine risks associated with facilities, personnel, and systems. However, a working group has been convened specifically to address the issue of foreign nationals, and guidance is to be issued on that subject.