OMB, DHS working on new HSPD-12 guidance

Friday - 11/5/2010, 7:14am EDT

By Jason Miller
Executive Editor
Federal News Radio

The Office of Management and Budget and the Homeland Security Department are working on two memos giving agencies new instructions on using their secure identity management cards.

Sources confirm that OMB will write one memo and DHS's National Protection and Programs Directorate will issue the other, both addressing agency use of credentials under Homeland Security Presidential Directive-12 (HSPD-12).

Phil Reitinger, NPPD's under secretary, would not comment on the memo or its status.

"What I can say, we are working broadly across government," Reitinger said after his speech Thursday at the IdentEvent 2010 event sponsored by TechAmerica in Washington. "The genius of HSPD-12 unites the notion that we need to address both logical access controls and physical access controls. In the logical space, we operate, more recently, under a more specific delegation of Federal Information Security Management Act (FISMA) authorities, operational FISMA authorities, from the Office of Management and Budget, so we are moving forward aggressively in that space."

Reitinger added that the General Services Administration is in charge, for the most part, of federal buildings for the physical security piece, and DHS is partnering with them and others to implement controls using HSPD-12 cards.

"We understand that moving forward on broad, interoperable authentication for government and government contractors is absolutely essential, and we are focused on that," he said.

In the 2010 budget passback document Federal News Radio obtained last winter, OMB told agencies that in 2011 they should use development, modernization and enhancement (DME) funding or operations and maintenance (O&M) funding to upgrade physical and logical access control using the secure ID cards.

In their two years in office, OMB and White House cybersecurity coordinator Howard Schmidt have issued only one memo referring to HSPD-12: the April 2010 FISMA reporting guidance.

At the same time, the administration is putting a lot of focus on the broader issue of identity management and authentication.

Reitinger said it is key to everything the White House wants to do to improve cybersecurity within government and across the country.

"There is nothing that is more important than deployment of broadly interoperable authentication," he said. "It is a priority for me; it is a priority for DHS; and it is a priority for the administration."

To that end, President Obama is expected to sign the final version of the National Strategy for Trusted Identities in Cyberspace (NSTIC) this winter.

The White House issued the draft strategy in June.

Ari Schwartz, a senior Internet policy advisor for the National Institute of Standards and Technology, said his agency and others are reviewing comments from industry and others about the draft.

"There were a lot of areas where it was important to clarify the vision of the strategy," he said. "We are finally at the point where it's working the way through the interagency process. We want to make sure we are in sync with all of the agencies, and that is part of why you hear a very similar message from DHS and Commerce on this. We are at the point of vetting the strategy at all the different agencies."

The one area that needed to be addressed through the final document is the role the private sector must play.

Schwartz said the final version of the NSTIC likely will make it clearer that contractors and other private sector organizations must be full partners in meeting the four goals of the strategy:

  • Identity solutions must be privacy enhancing and voluntary.

  • Identity solutions must be secure and resilient.

  • Identity solutions must be interoperable.

  • Identity solutions must be cost effective and easy to use.

"One of the key points is this idea of this identity ecosystem must be voluntary," Schwartz said. "The government will neither mandate that individuals obtain certain online credentials nor will companies require specific kinds of online credentials as the only means to interact with them. That means we will need the private sector to implement different levels of authentication, different levels of assurance and to engage, design, build, promote, operate and maintain this new identity ecosystem."

Reitinger said the strategy will help establish a community approach to security where identity management and authentication are the most important piece.

"Our mantra should be 'we are mad as heck and we aren't going to use passwords anymore,'" he said, borrowing the famous line from the movie Network. "We have to get out of the game of usernames and passwords."