Dec 31 2009

Three of a Kind

Agencies rely on one of three HSPD-12 approaches to meet difficult compliance requirements.

Agencies may be under a single mandate to develop a secure, common identification card that lets employees verify their identities and enter federal buildings and access systems, but there’s certainly no one perfect way to successfully work through and solve the difficult process and technology issues involved.

As the milestone to begin issuing cards for Homeland Security Presidential Directive 12 loomed large late last summer, agencies each lined up behind one of three approaches that fit their particular needs. Nine agencies decided they had enough dollars and in-house technical expertise to tackle the challenge alone. Some agencies decided to team up with like-minded agencies and come up with a common solution. But the majority recognized that the mandate was too daunting to face without help and turned to the HSPD-12 shared-services expertise offered at the Interior Department’s National Business Center (NBC) and the General Services Administration.

No approach is easy or perfect, and each presents its own unique challenges and lessons learned. Here is a close look at each of the different strategies in action, detailing what works and what doesn’t. Feds working on HSPD-12 programs identify potential pitfalls and how to avoid them as agencies move forward creating a governmentwide approach to credentialing and using new ID cards for physical and logical access to federal buildings and systems.

The October 2006 deadline to begin issuing cards was just the launch for HSPD-12. For most agencies, the work of building out back-end identity management systems, setting access controls and making the new cards more than fancy flash passes lies ahead. Meanwhile, agencies also are preparing for this fall’s deadline, when they must complete background checks for all cardholders who have fewer than 15 years of government service. The three models established for issuing cards will form the basis for all the work that still lies ahead.

Going It Alone

For the Homeland Security Department, the decision to take a standalone approach to its HSPD-12 implementation was a no-brainer.

“We can do it cheaper on our own than we ever could by outsourcing it, but just our immense size and the fact that we have people in various places was justification enough to do it in-house,” says Cynthia Sjoberg, program manager for the HSPD-12 Program at Homeland Security. “We really needed to be able to cater the solution to our own needs.”

Photo: Randall Scott
Be willing to ask for help because “there are so many moving parts to this process that you really can’t anticipate what issues you might be coming up against,” Homeland Security’s Cynthia Sjoberg says.

In fact, DHS’ environment is so complex that officials decided to take a phased approach to the implementation, which meant rolling out the system first at headquarters, then to department components such as the Transportation Security Administration and then to legacy systems users. “It’s much more manageable for us to be on our own with the way we’re implementing this,” Sjoberg says.

But it’s not easy. Like any other agency, DHS initially faced numerous challenges, not the least of which was managing progress while waiting for officially selected technologies to be certified — many of which did not receive the designation until just a few months before the most recent Oct. 27, 2006, milestone.

DHS has managed the challenges by recognizing and implementing a series of lessons learned and best practices that will be published soon. Among them: Limit the scope of your implementation to what is necessary to meet Office of Management and Budget requirements, but prepare to take advantage of any opportunities to piggyback additional technologies, processes or programs that will improve security operations in the future. Also, Sjoberg suggests, agencies should set tighter milestones than OMB dictates.

“There are so many moving parts to this process that you really can’t anticipate what issues you might be coming up against,” Sjoberg says, noting that the strategy helped DHS beat the recent milestone by a week. “So build in that extra cushion as a way to guard against that unexpected problem that will suddenly throw you off track.”

Finally, Sjoberg says, be willing to ask for help. Even though DHS is taking a standalone approach, its representatives sit in on several multiagency HSPD-12 committees. “Just to see where other agencies stand, what challenges they’re facing and how they’re dealing with them, that is extremely valuable to us,” she says. “Everyone can use a little advice now and then.”

Lean on Me

The State Department had planned and was on course to tackle HSPD-12 on its own. But when officials from the U.S. Agency for International Development (USAID) and the Peace Corps asked if they wanted to work together as a team, the larger and better-equipped State decided to accept their offer.

“When you’re trying to come up with a brand-new recipe, I think it’s better to have more cooks in the kitchen working together,” says Tony Mosley, branch chief for Domestic Management and Engineering within the Office of Diplomatic Security at the State Department.

Photo: Randall Scott
“When you’re trying to come up with a brand-new recipe,
I think it’s better
to have more cooks in the kitchen working together,” says State’s Tony Mosley.

Clearly, though, the two smaller agencies stood to benefit the most from the arrangement, says Steve Stasiowski, chief of the Emergency Preparedness, Plans, Training, Exercise and Physical Security Division at Peace Corps.

“For an agency our size, the technology we needed to implement and the problems we had to solve just really cried out for expertise that nobody here could really provide,” Stasiowski says.

State had developed smart-card technology for physical and logical access in 1997 and, because of its highly sensitive mission, had plenty of experience vetting personnel, capturing fingerprints and utilizing ID cards. But, Mosley acknowledges, HSPD-12 presented new, difficult challenges, such as meeting stringent requirements for storing fingerprints and ensuring privacy, juggling short timelines and incorporating approved technology from the General Services Administration and the National Institute of Standards and Technology.

Once USAID and Peace Corps came on board, they were brought into State’s established working group for weekly meetings to work on solutions. And the newcomers added value almost instantly, Mosley says. In figuring out how to implement enrollment and clearance processes in field locations around the country, for example, the group used Peace Corps as a model, he says. “That allowed us to put a straw man together on how we would implement this in a wide-area network configuration at a later date, and that helped us figure out things like how to push and pull data, how to capture fingerprints, how to protect the data in transmission from Point A to Point B.”

Besides allowing Peace Corps and USAID to meet their HSPD-12 milestone on time and providing “a huge stress reliever,” according to Stasiowski, the teaming arrangement has offered other tangible benefits.

For instance, the two smaller agencies were able to use State’s systems integrator and leverage the already developed design implementation plan, which saved months of time and effort. The multiagency approach also meant all three agencies could enjoy economies of scale in buying equipment.

Most important, though, the arrangement has resulted in State acting as a kind of HSPD-12 application services provider (ASP) for Peace Corps and USAID. The two agencies’ card programs will ride on State’s networks, and State personnel are managing all the servers, back-end applications and security. “All we have on our end are enrollment and issuance terminals, and all the data goes directly to State,” Stasiowski says. “Our security guys are really happy that they don’t have to be involved. It just makes our lives incredibly easier.”

Stasiowski highly recommends that smaller agencies find more technically inclined partners but adds a caveat: A key element to an effective team approach, he says, is a meshing of mission and culture. “Our operations just tie in so well with State’s operations that it just made eminent sense for us to work together,” he says. “The closer you can find that alignment in a partner, I think the more successful you’ll end up being.”

One Size Fits All

Outsourcing HSPD-12 requirements is an option. For agencies either tiny or large with a dearth of technical resources, or those that would rather focus attention on mission-related tasks, it is probably the appropriate option. The staff at the National Business Center can certainly testify to that: With their administrative expertise and the technical help of contractor Lockheed Martin, NBC helped all 20 of its HSPD-12 clients — including the Interior Department — meet the Oct. 27 milestone to begin issuing cards.

“Bottom line: The cost efficiencies and expertise that result from relying on economies of scale and partnering makes it a lot easier on everyone,” says Donald Swain, NBC’s chief of staff.

This is not to say that agencies can simply drive up and drop their HSPD-12 problems at the door, Swain says. Agencies still have plenty of responsibility in a shared-services approach, including coordinating agency efforts on business plans, security and roles; providing demographic and statistical information to determine the best location for employee enrollment and card issuance offices; participating in user group meetings; detailing unique requirements; and providing any information needed to assess their current facility and information security infrastructure for upgrades. And of course, they need to bring their checkbooks.

By relying on shared services instead of their own in-house personnel, agencies can clearly save money, time and headaches — and ensure that the job gets done. NBC provides a centralized infrastructure and network connections for the identity management system and card management, as well as digital certificates and all equipment necessary for sponsorship, enrollment, adjudication, card issuance and card lifecycle management. It also offers enrollment and issuance services, does all work on the Exhibit 300 business cases, ensures that effective cybersecurity controls are in place and provides overall program management.

Swain notes that many agencies are piling on the potential benefits by coupling their HSPD-12 implementation with NBC’s Human Resources Line of Business offering. “It just adds to the efficiency that you can create because we can then help with onboarding and offboarding of employees and all the issues around position classification, employee relations, equal employment opportunity rules and the like,” he says. “It becomes sort of a package deal.”

Although NBC and GSA compete for agency business, Swain and his colleagues recognize that HSPD-12 collaboration on an even greater scale would be a boon for everyone. “We are actually looking for ways to partner with our fellow shared-services centers to make it even easier for agencies,” he says. “Anything that we can do to provide the lowest possible cost to meet this requirement is a good thing.”