Electronic Government:

Agencies Face Challenges in Implementing New Federal Employee Identification Standard

GAO-06-178: Published: Feb 1, 2006. Publicly Released: Mar 3, 2006.

Contact:

Gregory C. Wilshusen
(202) 512-6240
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Many forms of identification (ID) that federal employees and contractors use to access government-controlled buildings and information systems can be easily forged, stolen, or altered to allow unauthorized access. In an effort to increase the quality and security of federal ID and credentialing practices, the President directed the establishment of a governmentwide standard--Federal Information Processing Standard (FIPS) 201--for secure and reliable forms of ID based on "smart cards" that use integrated circuit chips to store and process data with a variety of external systems across government. GAO was asked to determine (1) actions that selected federal agencies have taken to implement the new standard and (2) challenges that federal agencies are facing in implementing the standard.

The six agencies we reviewed--Defense, Interior, Homeland Security, Housing and Urban Development (HUD), Labor, and the National Aeronautics and Space Administration (NASA)--had each taken actions to begin implementing the FIPS 201 standard. Their primary focus has been on actions to address the first part of the standard, which calls for establishing appropriate identity proofing and card issuance policies and procedures and which the Office of Management and Budget (OMB) required agencies to implement by October 27, 2005. Agencies had completed a variety of actions, such as instituting policies to require that at least a successful fingerprint check be completed prior to issuing a credential. Regarding other requirements, however, efforts were still under way. For example, Defense and NASA reported that they were still modifying their background check policies.

Based on OMB guidance, agencies have until October 27, 2006, to implement the second part of the standard, which requires them to implement interoperable smart-card based ID systems. Agencies have begun to take actions to address this part of the standard. For example, Defense and Interior conducted assessments of technological gaps between their existing systems and the infrastructure required by FIPS 201 but had not yet developed specific designs for card systems that meet FIPS 201 interoperability requirements.

The federal government faces significant challenges in implementing FIPS 201, including (1) testing and acquiring compliant commercial products--such as smart cards and card readers--within required time frames; (2) reconciling divergent implementation specifications; (3) assessing the risks associated with specific vendor implementations of the recently chosen biometric standard; (4) incomplete guidance regarding the applicability of FIPS 201 to facilities, people, and information systems; and (5) planning and budgeting with uncertain knowledge and the potential for substantial cost increases. Until these implementation challenges are addressed, the benefits of FIPS 201 may not be fully realized. Specifically, agencies may not be able to meet implementation deadlines established by OMB, and more importantly, true interoperability among federal government agencies' smart card programs--one of the major goals of FIPS 201--may not be achieved.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: OMB officials told GAO that they did not see a need to issue any guidance in this area because they had not heard directly from any agencies that such guidance was needed.

    Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to provide guidance to agencies on assessing risks associated with the variation in the reliability and accuracy among biometric products, so that they can select vendors that best meet the needs of their agencies while maintaining interoperability with other agencies.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Not Implemented

    Comments: OMB officials reported that they did not plan to issue timelines to agencies for moving from the transition-state to the end-state specification because they did not agree that any interoperability problems existed between the transition cards and the end-state cards.

    Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to provide specific deadlines by which agencies implementing transitional smart card systems are to meet the "end-point" specification, thus allowing for interoperability of smart card systems across the federal government.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: In response to our recommendation, OMB has developed and implemented a process for monitoring agency progress in issuing HSPD-12 compliant credentials. Beginning on March 1, 2007, agencies were required to post to their federal agency public website quarterly reports on the number of personal identity verification (PIV) credentials issued to their employees, contractors and other individuals. Agencies are also required to provide their quarterly reports to OMB. In addition, in August 2006, OMB required each agency to submit its updated HSPD-12 Implementation Plan to OMB for its evaluation. As a result, OMB has more insight into agencies' implementation progress and is better positioned to make management decisions to help ensure agencies implement HSPD-12.

    Recommendation: The Director of OMB should take steps to closely monitor agency implementation progress and completion of key activities by, for example, establishing an agency reporting process, to fulfill its role of ensuring that agencies are in compliance with the goals of HSPD-12.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Not Implemented

    Comments: OMB officials informed GAO that they did not intend to issue general guidance as recommended by GAO, stating that Federal Information Security Management Act (FISMA) procedures were adequate guidance to agencies on how to determine risks associated with facilities, personnel, and systems.

    Recommendation: The Director of OMB should amend or supplement governmentwide policy guidance regarding compliance with the FIPS 201 standard to clarify the extent to which agencies should make risk-based assessments regarding the applicability of FIPS 201 to specific types of facilities, individuals, and information systems, such as small offices, foreign nationals, and volunteers. The updated guidance should (1) include criteria that agencies can use to determine precisely what circumstances call for risk-based assessments and (2) specify how agencies are to carry out such risk assessments.

    Agency Affected: Executive Office of the President: Office of Management and Budget
