Government still faces HSPD-12 implementation challenges
Although the government is making progress in meeting personal identification verification standards under Federal Information Processing Standard 201, the Government Accountability Office says agencies still need to clear several hurdles in implementing many of the requirements.
The GAO has recommended that the Office of Management and Budget (OMB) better monitor how agencies are meeting FIPS-201 under Homeland Security Presidential Directive-12 deadlines by requiring them to report on their progress.
GAO says the challenges to full implementation include: testing and acquiring compliant commercial products (such as smart cards and readers); reconciling divergent implementation specifications; assessing risk associated with specific implementations of the new biometric standard; incomplete guidance on the applicability of FIPS to facilities, people and information systems; and planning and budgeting with uncertain knowledge and the potential for cost increases.
“Until these implementation challenges are addressed, the benefits of FIPS-201 may not be fully realized,” the report says. “Specifically, agencies may not be able to meet implementation deadlines established by OMB, and more importantly, true interoperability among federal government agencies’ smart card programs, one of the major goals of FIPS 201, may not be achieved.”
Agencies have until Oct. 26 this year to begin to comply with PIV II, which calls for them to start issuing interoperable smart cards and using common back-end systems. GAO says the government will likely struggle to meet the deadline.
In a survey of NASA and the departments of Defense, Interior, Homeland Security, Housing and Urban Development, and Labor, GAO found that although the agencies were making some progress, several challenges exist that could keep the government from meeting the requirements on time.
In particular, the products needed to implement FIPS-201 may not be available in time to meet OMB’s deadlines, GAO said, as NIST and the General Services Administration must test and verify the products.