Government and industry leaders hard at work implementing HSPD-12 answered that question and more during a special broadcast of the Federal Executive Forum during the recent Federal Information Assurance Conference (FIAC) in College Park, Maryland.

The panel:
· Judy Spencer, Chair, Federal Identity Credentialing Committee (FICC), General Services Administration (GSA)
· Mike Butler, Director, DOD Access Card Office, Defense Manpower Data Center, Office of the Secretary of Defense (OSD)
· Carol Bales, Senior Policy Analyst, Office of Management and Budget (OMB)
· Barbara Symonds, Director, Office of Privacy and Information Protection, Internal Revenue Service (IRS)
· Venkatapathi (PV) Puvvada, Vice President and CTO, Federal Systems, Unisys
· Gordon Hannah, Managing Director, Public Sector Security and Identity Management Group, BearingPoint
Hosted by Jim Flyzik of The Flyzik Group, the panel talked about their roles in implementing HSPD-12 and addressed present and future Identity Management issues.
Special Federal Executive Forum Issue on IDENTITY MANAGEMENT Transcript
JIM FLYZIK, THE FLYZIK GROUP
Let’s get right into the issues with each of our panelists. Let’s first go to Judy Spencer at GSA. Judy, can you, to level set the audience, let us know what is your responsibility at GSA with respect to identity management and HSPD-12?
JUDY SPENCER, GSA
Thank you, Jim. Yes, as a member of the Office of Government-Wide Policy at GSA, our job is to support OMB in helping agencies implement policy. And as Chair of the Federal Identity Credentialing Committee, I chair a committee under the CIO Council that includes the HSPD-12 leads from the 25 CIO agencies and also participating members from the small agencies. Our job is to bring together these minds in bringing this government-wide solution to reality. As you know October 27 was the date and we believe that we got there.
JIM FLYZIK, THE FLYZIK GROUP
Terrific! Mike Butler, I know you are from the Office of the Secretary of Defense, but I believe that you are also doing a detail to help with the government-wide implementation. Can you give us your role in this issue?
MIKE BUTLER, DOD
My normal job is I’m in charge of the office that issues all credentials to all Department of Defense employees; so military IDs, civilian IDs and also all the dependents and retirees across the Department of Defense. We do about 20,000 credentials a day all around the world.
In July, I was detailed to GSA. I’ve been honored to work with the really interesting groups of folks at GSA, but also I have to give a lot of credit to the technical team at the U.S. Department of Agriculture, who has been on-point for getting this project done. They’ve been an awesome group. I’ve been working with them to get through the flaming hoop of fire tomorrow, on October 27.
JIM FLYZIK, THE FLYZIK GROUP
That team work is so important. We’ll explore that a little bit more when we talk about the challenges and culture in getting people to work together. PV Puvvada, over at Unisys, from an industry perspective as one who supports government, how do you view this issue and progress on this issue?
PV PUVVADA, UNISYS
Good afternoon, Jim. From an industry perspective, what we are looking at is a significant challenge bringing best practices in terms of implementing our solutions for a broader identity management perspective. For example, I am responsible for our strategic portfolio, including the ID management solutions. So, we are working with GSA and other agencies in addressing the planning as well as the implementation of HSPD-12.
In the context of broader IT management, we want to do things right at the get-go, so that we lay the framework for integrating the other aspects of identity management, as well as asset management in the future.
So a couple of significant things that we’ve been working for the past few years, the past half a dozen years, is that in Malaysia we’ve implemented a general purpose biometric based card for about 20 million citizens doing things that we are talking about doing here in terms of how we want to leverage HSPD-12 technology.
JIM FLYZIK, THE FLYZIK GROUP
Terrific! Barbara Symonds I know from my years as CIO at Treasury, I know just how important issues of identity management are within the IRS, I’m sure it’s a major priority and I understand that you are not only heading up the IRS program but are also stepping up and playing a role for the entire Treasury Department. Perhaps you could share with the audience some of the things that you are doing in that regard.
BARBARA SYMONDS, IRS
Sure, thank you Jim. Although I work for the IRS as the director of Privacy and Protection under the Office of Mission Assurance, because IRS is the largest bureau within Treasury with over 1000 employees, the IRS saw this as an enterprise issue and volunteered to take on the effort to do the solution for the whole country.
We have a strong governance model of having significant participation and commitment across all of the other bureaus, including the headquarters level. We are taking an enterprise approach to the solution since we have a common problem to solve. We thought it would make more sense to leverage our buying power and streamline the processes, as well as the technology, to come up with a good solution. And since we all know that this was an unfunded mandate, we are looking to gain efficiencies everywhere that we can and I think that the Treasury model is going a long way to do that.
JIM FLYZIK, THE FLYZIK GROUP
I think that’s terrific and I think the long term hope is that with some good identity management practices there will be some savings and it will generate a lot of efficiencies in operations.
Gordon Hannah at BearingPoint, I know that BearingPoint has won a lot of competitive contracts to support the government in this area. Can you give us a little overview of how you guys are approaching this?
GORDON HANNAH, BEARINGPOINT
Sure Jim. I’ve been fortunate to learn a lot of lessons over the past 8 years from Mike Butler here and his implementation of the Department of Defense’s Common Access Card, rolled out to 3.5 million active members of the military, civil service and contractors.
They just celebrated their 10 millionth card issued. I think a lot of the agencies have learned significantly, including industry like myself, from that program. We’ve been able to take that and apply it to programs like the Transportation Worker Identification Credential.
I often refer to that prototype as a leading edge of HSPD-12 implementation because they were basically trying to issue credentials to a new population of Transportation workers that nobody really had their arms around. And they had to approve the identity, perform background checks, and issue credentials to that validated identity, so it is very close in line with HSPD-12.
We have been able to leverage that experience now in our support of GSA and their HSPD-12 shared services solution and, as Judy mentioned, the hope is that we have a number of agencies who will join GSA in the shared services model and continue to be successful in their implementation in compliance with the HSPD-12 mandates.
JIM FLYZIK, THE FLYZIK GROUP
Terrific Gordon! Carol, we actually had Karen Evans on about 10 months ago on the same subject when she was talking about the program, the time frames and the OMB guidance and the fact that a determination to keep the program moving and meet the time frames. Can you give us a little background on your involvement at OMB and your role in implementation?
CAROL BALES, OMB
Yes, and thank you Jim for inviting me to participate in today’s program. Good afternoon everyone, I am Carol Bales from the Office of Management and Budget and I am the government lead for the HSPD-12 and the Authentication and Identity Management Initiatives. OMB’s role includes issuing policy and guidance to the Federal agencies as well as providing oversight.
In support of the two initiatives I’ve just mentioned, we have issued 2 major policies: the authentication guidance for Federal agencies which uses four levels of authentication with associated technology requirements is standardizing how agencies implement identity management in their on-line government applications; and our guidance to the agencies on the implementation of HSPD-12 sets out the requirements for what agencies have to do and by when in implementing the directive.
October 2006 marks a very important milestone in that the agencies began issuing HSPD-12-compliant identity credentials in accordance with the president’s directive.
JIM FLYZIK, THE FLYZIK GROUP
Thank you Carol! Panelists, let’s get into talking about some of the challenges and benefits. What are the key benefits that we expect to come out of HSPD-12?
There’s a lot of work and a lot of things going on and we anticipate coming out of the other side with a lot of benefits. Let’s go to the private sector view point and start with PV Puvvada from Unisys. PV what do you see as some of the big benefits you expect to come out of HSPD-12?
PV PUVVADA, UNISYS
What HSPD-12 allows us to do is to embrace standards, FIPS 201 standards, so private industry now has one set of standards by which we can go and build products and integrate products.
So this obviously enables interoperability which always is a tough problem with the technology, (that is) when you buy technology and then you buy an integrated set of products, that challenge goes away with HSPD-12.
The other key benefit is that at the end of the day it lays out an infrastructure for us to do broader identity management and do things like tag identity to assets and address privacy in a way that we weren’t able to address. The obvious thing is we are doing this because we want to protect the country, secure the country, and protect our assets, our people and our systems. But from an industry perspective, this really accelerated the deployment of products where we can work together and interoperate the solutions so that we can provide cost effective solutions in an accelerated way.
JIM FLYZIK, THE FLYZIK GROUP
I’m happy to hear that you keep that perspective in place. It all started after 9/11 as a way to begin to protect our country so the ultimate issue here is national security. Gordon, let’s stay with the private sector, can you add to that some of the key benefits that you would see from your vantage point to this program?
GORDON HANNAH, BEARINGPOINT
I think the first benchmark is definitely going to be security. Having a common, credentialed activity trusted across the agencies and as PV said the interoperability -- having the ability for agencies to visit other agencies and have their identification cards trusted, rather than perhaps having to go through an extensive vetting process -- is going to be a significant aim.
As contractors who often frequent Federal facilities and use their applications networks, we are excited about the fact that there will also be a contractor credential and we can better authenticate our people and ourselves as we do business and work with the government. The first benchmark will really be security.
We want to see rapid use. October 27th wasn’t the end, it was the beginning. We want to see the cards in circulation and being used; and we are really excited about the potential of things like strong electronic authentication, accessing applications, performing functions that perhaps were done on paper before, now being done on line.
So we are really excited about the application field and the stronger authentication of individuals. I’ve also said before that this may enable more telework; the government is short of meeting their telework goals, so we are very excited about the potential for HSPD-12.
JIM FLYZIK, THE FLYZIK GROUP
Yes, I think so too, you just think of some of the future applications, especially when we think of identity management, not just of people but things, opens up a whole new world of opportunities. Now I want to hear from our government guests too on some of the benefits you see, but before we do that we are going to take a short break.
Break
JIM FLYZIK, THE FLYZIK GROUP
We want to turn to our government panelists and get a sense of where you see this. Let’s start with Judy Spencer at GSA. What do you see as some of the benefits to come out of HSPD-12 implementation?
JUDY SPENCER, GSA
I wanted to expand on what Gordon said about trust. Because at the end of the day what we are really doing here is putting in place a basis for a trust framework. This card in itself in many ways is just a key. It’s what we do with it now that we have it. But by doing the standardization across the identity proofing, across how the card is actually implemented, what information, data, goes on to the cards and how it will be used, actually helps to put in place for the first time a government-wide trust framework, where we as a government will be in fact operating under a single standard and, if you will, speaking with a single voice.
JIM FLYZIK, THE FLYZIK GROUP
Let’s jump down to the other end of the table. Carol Bales over at OMB. What does OMB see, or you see as some of the key benefits that you are anticipating coming out of HSPD-12 implementation?
CAROL BALES, OMB
Jim, I’d like to note that prior to the President’s direction, there were no trusted government-wide standards and millions of dollars were being invested annually on incompatible systems.
With the implementation of HSPD-12 the Executive Branch is applying a consistent risk based approach to physical and information systems security that will improve our security and keep costs at the same or reduced level.
The government’s implementation of HSPD-12 cards will result in a standardized environment for launching of a number of new applications and improving the security of all Federal information systems and facilities. I’d also like to note that there’s been a lot of increased coordination between the physical security, IT security, and human resources communities as well.
JIM FLYZIK, THE FLYZIK GROUP
Yes, it is definitely happening. HSPD-12 has forced them together with that physical access issue with logical access, and I think that’s a good thing. Barbara, with the IRS, have you thought through some of the things you are looking down the road as benefits that the IRS and Treasury in general can gain from HSPD-12?
BARBARA SYMONDS, IRS
Yes, Jim and in fact I would even take you back a little bit, not in advance of the technology solution, expanding a little bit more on the things that Carol was talking about (in reference to) the conversions of business processes and administrative functions.
In fact (for) the first due date of October 2005, when we had to streamline the processes for a manual identity approving process, that was a tremendous eye opener for the IRS in particular and across all of our bureaus. It was the first time that IT security, physical security, personnel and privacy all got together and looked at how did we bring an individual off the streets and into a government facility to be employed.
So we found tremendous efficiencies in reengineering the business processes well in advance of applying the technology solution around that. So the benefits are far reaching just beyond an identity credential and a technology solution. We really saw this as a business problem to solve and we found a lot of inefficiencies and differences in how things were being applied (such as) differences in background investigations that were fairly subjective. So now we have a common standard process that as we are looking at evaluating technology solutions and what is the right fit for Treasury, we know what process we are trying to solve.
JIM FLYZIK, THE FLYZIK GROUP
That’s great. I look forward to that reciprocity thing. I remember from my days in government. I remember being in the Secret Service taking people for personal tours of the White House on a Friday night and then going from Secret Service to Treasury on Monday morning, showing up at Treasury and sitting in the lobby for two hours because my credentials for Secret Service were not good at Treasury, even though at the time Secret Service was a bureau of the Treasury Department. Little efficiencies like that are going to go a long way to improving government operations. Mike Butler, OSD and on detail helping on the government-wide implementation, what do you think are some of the key benefits we are going to see coming out of this implementation?
MIKE BUTLER, DOD
I think if we look at all the agencies that have come forward to start issuing their credentials here this week, one of the things that is in common to almost all of them is that they have put multiple PKI certificates on the card.
That was, I think, a decision that a lot of people thought carefully about when something was going to be delivered to people. It’s going to be a piece of infrastructure that’s out there, and agencies that may not have even considered that for their networks for protection, will now have a big expensive part of that given to their employees, in their employees hands, and they are going to have to put that to use.
So network security is a big thing. The second piece is in the physical security business model. (For many it) is just not good. It hasn’t been. It’s very proprietary. This standard really makes it more of a commodity item. I think what it is going to do is allow reciprocity to the government. But if I were a private company and had to go and put physical security, a new infrastructure in, I’d be using the standards that the government has put in place. So I think we are going to see price points come down too, people are going to encode to the standard because it’s going to be efficient.
JIM FLYZIK, THE FLYZIK GROUP
That’s great Mike. Since we’ve been talking about the benefits, let’s stay with you. Kick off the other side of that coin; some of the challenges that we think we have yet to overcome. Tomorrow is the first deadline and I think everyone will be all excited about being able to produce a card. But really the implementation challenges still loom large -- technical challenges, cultural challenges, money challenges and so forth, I’d like to explore that a little bit.
Let’s start with you on that one Mike. What do you see as some of the biggest hurdles and challenges and constraints that lie ahead that we are going to have to tackle to make this overall program be a success?
MIKE BUTLER, DOD
I would say one of the most important things -- I would make a guess that this week there has probably been a thousand engineers working round the clock at a lot of agencies and a lot of companies -- and one of the things that I think is going to be of huge value to this is (up to now) this has been a niche product in our country. (However) this week lots of people, in order to cross this finish line, have learned what a standard really meant. I do know our team has.
So I think that we shouldn’t lose the value of everybody understanding what the common requirements are to continue this movement throughout the country with local and state governments. So there’s a challenge, but the other challenge is on the cultural side. We’ve been doing things sometimes just as we did in the 1940s era and folks are going to have to understand that there is new technology and new processes here we can take advantage of.
JIM FLYZIK, THE FLYZIK GROUP
We are going to examine that culture a little bit when we talk about trying to achieve interoperability and getting folks to work together across. Gordon and PV, give us a quick view from the private sector. You know when things don’t happen on time we usually beat up on the contractors whom we expect to deliver and get things done and so forth. What do you see as some of the challenges and the real hurdles? Let’s start with you Gordon at BearingPoint.
GORDON HANNAH, BEARINGPOINT
Certainly the past couple of months have been a technological challenge but I have always argued that the technology on this is probably the easier part relative to the policy and the process.
One of the things we are looking at as a challenge and a business problem that we want to solve is the fact that many government agency employees are very remote and in very small offices. We want to work very closely with the agencies to solve that problem, because there is not a good cost effective way to get those folks enrolled and credentialed and that is a big problem that we want to help the agencies solve.
So that is one of the key issues we are working on. Then I think a lot of policy issues probably between agencies are another focus area. Not only the Federal agencies, but we’ll talk soon about state and local and getting trust models in place whereby folks can trust different employees in different agencies coming to see them in a seamless fashion as you referenced, and not having to wait 2 hours in a lobby somewhere even if it is inside one of your own agency components.
JIM FLYZIK, THE FLYZIK GROUP
PV from UNISYS, do you have anything to add to that?
PV PUVVADA, UNISYS
One of my team members yesterday said, “It’s not going to be pretty, but we are all going to get there and start issuing cards on October 27.” I think we have to recognize that the FIPS 201 tool and standard is relatively new. We haven’t really tested it out in all the technology and especially (in) the tools, the testing tools that help us verify that these things work and that trust exists, the ones that Judy is talking about.
On the culture side I think that it is one more thing that people have to focus on and have the sense of urgency and I think that all this has been an issue for people to understand that we really have to get this done. Thousands of people are working overnight tonight probably to try to get those bugs out and we will be ready tomorrow.
JIM FLYZIK, THE FLYZIK GROUP
Barbara from the IRS, again from my Treasury days I know IRS is a big place and everybody moving in a common direction is in and of itself a major challenge. What are some of the things you are encountering and things you need to overcome to keep the program moving forward?
BARBARA SYMONDS, IRS
As an implementing agency of course we are working very hard to meet the deadlines and meet the compliance requirements; and balancing that with when is the technology ready and when do we put it through all the right rigor of a good life cycle of testing, improving and interfacing?
So it definitely is a balancing act of meeting the deadlines and supporting the mandate and seeing the benefit in it; and making sure that products are ready to go out to a work force that is so large and has a very important mission to serve every single day across all of Treasury.
The idea of having a technology glitch or the potential of somebody not being able to get access or into their office is something that we weigh very heavily. So it is a challenge of making sure, of putting it through its due diligence and making sure the technology is ready.
On the cultural side, that really is I think the most significant challenge that we are going to face. There is a perception and I think as the cards start to be deployed, and we start to apply usage of the cards for facilities and network access, the concern is Big Brother is coming further down into the government employees’ workspace.
So I think we will have some negotiation issues and some policy issues of what are we really going to be using the card for? How will we be preserving the security and privacy of the information that is stored on that card? It is all of the most key information about an individual and if it is exploited or exposed, the potential for an identity theft case and the magnitude of getting into the system and having that kind of information is of great concern to us.
We need to make sure that we can look all of our employees and contractors in the eye and make sure we tell them that we have your back. We have to collect this information, it is very important to make sure that we have the right people having the right access, but we are supporting you and your needs and protecting your most private information. It’s a real balancing act.
JIM FLYZIK, THE FLYZIK GROUP
Well said. I want to hear from both Carol and Judy on the same thing, but I’m going to ask them to walk us into the interoperability challenge in addition to your own views. But before we do that we need to take a short break.
Break
JIM FLYZIK, THE FLYZIK GROUP
When we left we were talking about challenges still ahead and that need to be overcome for implementation of HSPD-12, and we are going to pick that up with Carol Bales over at OMB and then we’ll go to Judy at GSA, both of you are looking more globally across the Federal government, not only individual challenges but challenges associated with interoperability, to get agencies working together.
And I guess we need to think beyond that to where state and local government interoperability come into play together. I wonder if I could ask you to lead off in addressing those kinds of challenges.
CAROL BALES, OMB
As our other panelists mentioned, agencies had to overcome cultural challenges bringing together the teams responsible for physical access control and logical access control, as well as the technical challenges associated with integrating the physical and logical access control systems.
A GAO report issued in February 2006 outlines specific challenges that agencies face with respect to their HSPD-12 implementations, and funding was one of the challenges. OMB asked the agencies to analyze their current expenditures in the area of identity management, physical access control, and human resources to identify funding opportunities. To help ensure that the agencies are able to overcome these challenges OMB has taken steps to closely monitor the agency implementation progress and the completion of key activities.
In September 2006 OMB asked agencies to submit updated HSPD-12 plans, and in 2007 OMB intends to establish an agency reporting process to monitor agency progress in meeting the goals of HSPD-12.
With respect to interoperability, as with all our new initiatives, we work very closely with the National Institute of Standards and Technology, which works with the standards community to ensure everything we do is interoperable. We also work closely with the agencies through the HSPD-12 Executive Steering Committee (ESC) and its working groups.
OMB established the HSPD-12 executive steering committee to provide strategic direction for the government wide implementation of HSPD-12 and the technical standard FIPS 201. The ESC working groups will continue to meet and coordinate with the physical security community, the IT security community, and human resource experts to ensure the consistent implementation of OMB policy and the standard.
JIM FLYZIK, THE FLYZIK GROUP
Judy Spencer and Mike Butler, both of you have a government-wide role to look at there. Interoperability challenges loom large; I know we have standards in place and every time we have a major issue, we have problems communicating it. What are you guys doing to address some of those interoperability challenges? Let’s start with you Judy.
JUDY SPENCER, GSA
Interoperability has been on our minds for a long time, because even though you have a set of standards and you build to the standard, you can certainly still build such that one won’t talk to the other and we know that and we’ve had experience with that over the years.
So one of the things we did under the Federal Identity Credentialing Committee is that we’ve set up an architectural working group. We actually devised a basic architecture for the implementation of HSPD-12 and these identity credentials. And what we started doing was defining the interfaces.
We named five major components of the infrastructure and then we started looking at how you would actually implement the interfaces in between these and the connections. And it’s not just between these, the interfaces between the different components, but also then how the interfaces between the agencies would work and what the protocols for communication would be.
Where possible we are going to the international standards, to the national standards, where it’s not possible, we are essentially working together. We’ve got industry folks and government folks that are very technologically savvy in this area and they are working together to find the best solutions.
We already have three of these interface standards published for comment out to the community. The other two will be published next year. What we anticipate is that we will actually have an implementation strategy for the communication links between all these different pieces that will be standardized across the entire Federal enterprise.
In addition to that I participate very strongly with the PKI initiative in the Federal government. I participate with the Federal PKI policy authority, and we, at the request of the CIO Council, actually before HSPD-12 was even published, developed what we call the common policy framework for the Federal PKI.
It is in essence the root policy for the Federal government. All the implementations that are taking place now for agencies that did not already have an enterprise PKI of their own are implementing in accordance with that policy. And we actually put in place a process to certify commercial providers of these PKI services as operating under this policy. Because as you know with PKI it’s all about the trust, it’s all about performing the duties of the PKI in a particular manner that ensures that the trust is in place and that the security procedures are all there. So we already have that in place, it’s already available. So today PKI is being implemented in a manner that is consistent across the entire enterprise, which is really good news.
In addition to that we have found a lot of industry groups that are looking very strong and hard at FIPS 201 and want to be compatible. We see this as something that is actually going to very quickly spread beyond the Federal government. We’ve actually had discussions with international groups that would like to have an identity credentialing process that is compatible with ours. So that in the future we can actually extend that trust beyond the Federal enterprise.
JIM FLYZIK, THE FLYZIK GROUP
I think that’s the vision for everybody and I remember a little bit about that PKI stuff from my days in the Federal CIO Council when we worked those issues hard. Real quick question here for Gordon and PV. Let me ask you this question PV, if Unisys develops a system for an agency, will it work with a system that Gordon develops for another agency over at BearingPoint?
How are you guys going to address that? If you are building a program at one agency, how do you know it’s going to work with one being done by another contractor at another agency?
PV PUVVADA, UNISYS
I think we have to work together and we are working together. As a matter of fact Gordon and Unisys and I are working together on several programs, (including) the registered traveler program and HSPD-12.
From an interoperability perspective, I want to pick up something that Judy just talked about. The way we ensure that in the long run there is interoperability, the integration of PKI, (and) the authentication of HSPD-12, is to integrate the blueprints that Judy was talking about; the blueprints that we are developing for the agencies in their enterprise architecture (EA) program and is now being put in all the architectural blueprints in what is called the Federal transformation framework.
We have to make sure that these blueprints are integrated into the overall IT and business process modernization throughout the enterprise architecture. That is really critical. We don’t want to go and create a stovepipe architecture artifact out of this.
The other part of this is that you talked about Unisys and BearingPoint (working together). The adoption of critical mass for the shared service centers of both private and public sectors is really a critical step in ensuring that there is security and we will be forced to make sure that they are seamlessly interoperable. I think the two critical elements are one on the implementation side and one on the planning side.
JIM FLYZIK, THE FLYZIK GROUP
Gordon, do you have anything to add to that?
GORDON HANNAH, BEARINGPOINT
I think the other piece to this is agencies like NIST and GSA have not only written these standards, but put the performance testing in place for as many as, I think at last count it was about 22 product categories that essentially make up these HSPD-12 systems.
We’ve been working very interactively with NIST and GSA to provide each piece of our system to make sure it runs through their performance tests and is conforming to the standards and specifications in place. So when you get down to the card level they’ve done the same with the card. So the card has to perform in certain ways, have certain information on it in certain formats and there is very robust testing in place to look at that. So with that kind of testing and conformance, not just to trust but to verify, I think we will achieve interoperability.
JIM FLYZIK, THE FLYZIK GROUP
Mike, if you look at interoperability we do have that other issue that we’ve been talking quite a bit about: interoperability amongst Federal agencies and that challenge, but we have state and local governments and things like the harmonization of all the 50 state drivers’ licenses and all those kinds of challenges.
Have you given some thought in the work you are doing as to beyond Federal interoperability where this could go? Is there anything you could care to comment about that?
MIKE BUTLER, DOD
Actually for about two years there has been an initiative that the Department of Homeland Security has championed called First Responder. There have been some exercises that have been joint exercises among multiple agencies including the Department of Defense at the Pentagon, and it’s included Fairfax County, some of the counties, the State of Virginia, State of Maryland and the DC government.
All of them are based on the same type of credential, the initial credentials that have been available since earlier this year. (But) now that the government has laid out this set of tools in front of us, we can take them and put them to use to help make this happen.
So I think that we’ve laid those tools out and I think that in talking to many of the local governments and the state governments many of them will come and join this. What this is going to do is give us: for at least those people who come and join together in an emergency, number one we will be able to identify them, which we don’t do well in this country; and the second piece, which has still work to be done, is (we will know) what does that person know how to do? What is his role?
So those two pieces, when you put them together, really provide a powerful tool, not only in a catastrophic emergency but in day-to-day emergencies if someone gets sick or has a heart attack in the building. This is the type of work that this process is going to do for our country. It’s very important.
JIM FLYZIK, THE FLYZIK GROUP
It’s very exciting stuff to see that level of thinking taking place around this issue. Barbara, over at the IRS, the IRS as much as any other agency in town needs to work with state and local government and tax practitioners and to carry this to the extreme, the entire tax paying public of the country. So identity management in terms of what it can do for the tax system I’m sure is a big issue.
Have you given some thought to, as this thing moves forward, (as to) what some of that might look like for the IRS and the interoperability with state and local? Is there anything we are doing at the Federal level that can sort of be reused at the state and local activity area?
BARBARA SYMONDS, IRS
I definitely think that there’s a lot that can be done. In fact we are keeping an eye on the interoperability standards and the products that are coming out. We are really working right now on getting the infrastructure in place and being able to issue cards to all our employees and contractors that require, that have that need. We’re thrilled to see that GSA and OMB and NIST as well as all the private sector are stepping up to common standards, common architecture, doing a lot of the heavy lifting and testing of the products in advance.
So that when we go out to streamline the procurement to accelerate our implementation and usage of these cards, a lot of that work has been done in advance, so we can have a higher confidence that making selections from the approved products list and within the right architecture and framework will get us that much farther along.
But we certainly, especially within the IRS and all the Treasury bureaus, have tremendous sensitivity to who we are giving this information to, as well as the information that’s coming in, to verify that it’s coming from a known and authenticated source. So a lot of my peers, who are working on the Federal and state sharing issues, as well as the tax practitioners and the tax payers themselves, are keeping an eye on what does HSPD-12 do for them, as a cornerstone to help them round out their identity management problems.
So we are first looking at it internally from an employee and contractor standpoint but already we are keeping an eye on how we take this architecture and this framework and these technologies outward to the state and partner relationships.
JIM FLYZIK, THE FLYZIK GROUP
We’ve slowly been evolving from the card itself to the challenges and the benefits into some higher level issues of interoperability, state coordination, and coordination even with citizens of the country. And what we want to do is save some time for our final segment to move in to a broader scale. I want to talk about where we are going with this in terms of what we might see as a vision for the future and when that vision might be realized. I’ll ask each of the panelists to give a little bit of thought to that for our final segment here as what you see as the vision for the future.
Break.
JIM FLYZIK, THE FLYZIK GROUP
In our last section here I’m going to ask each one of our panelists to give us a brief overview of what they see for a vision for the future of where this is all going. When we think about this subject, we think about identification, we think about the cards today, but then when you think about the need to identify cargo and RFID tagging, think about identifying bits, good bits and bad bits, letting the good ones in and keep the bad ones out in terms of cyber security; and coordination of these programs with things like reciprocity for background investigations and being able to clear something through one agency and move to another agency, that portability.
All these things are things talked about in terms of where we are going with this. So I’d like to hear maybe your vision of where all this is and some timeframes of when we might see these visions actually happening. Let’s start with Carol from OMB. Carol can you give us your one minute version of a vision for the future on all of this.
CAROL BALES, OMB
As with everything new that we do, the Federal government works very closely with industry as well as state and local to ensure that everything we do is transparent. Our goal is to bring identity management under a common umbrella in order to simplify and unify the identity and authentication efforts of the agencies and deliver value to the citizens.
We will apply existing processes and standards where practical and we also want to see standardization in the industry so that we can adopt industry standards. With respect to the reciprocity issue that Jim raised and in addition to the HSPD-12 Executive Steering Committee, there is a working group, the OMB Security Clearance Oversight Group, to address the personnel security reciprocity issue in accordance with Executive Order 13381. OMB’s director for management is responsible for both HSPD-12 and reciprocity so these efforts are already being coordinated and we are maximizing the benefits of both of these working groups.
JIM FLYZIK, THE FLYZIK GROUP
Gordon Hannah, BearingPoint your vision for where this is all going and how you might achieve such a vision.
GORDON HANNAH, BEARINGPOINT
I think the potential first for good government is already in place. The Federal government has taken a significant lead role here in putting standards in place that better identify, perform background checks, and credential individuals.
State and local governments are embracing these standards and welcoming them and I think as we heard from the panel today, they are actually going to go outside of these boundaries, and we’d like to move into the international realm very quickly, so we will have these. We won’t all have one credential but we’ll have credentials that are trusted and we can verify.
My hope is that the agencies can have seamless business processes for on-boarding and off-boarding both employees and contractors. We’ll get to hopefully a single identity credential for multiple roles, which is actually one of the biggest challenges when we talk about audiences like First Responders. Inevitably it means we are going to have stronger networks and stronger physical security around our core Federal government critical infrastructure.
And then my hope is that more business transactions will move on line, we’ll have better business processes around that and just like we see in the healthcare and the business world around Sarbanes-Oxley and HIPAA requirements we will have better auditing, better privacy protection and better controls.
JIM FLYZIK, THE FLYZIK GROUP
Clearly there are better business processes down the road. Barbara Symonds, your vision from the IRS and Treasury perspective on working these issues. Where do you see the future?
BARBARA SYMONDS, IRS
I think that you are absolutely right, it’s talking about where we see the future and part of it is understanding that we have to always walk before we can run and the HSPD-12 credential is just the beginning and it’s really just the cornerstone of identity management and that’s really what we are all talking about.
It’s not just a security credential that gets you into a network or into a building; we are really talking the larger umbrella of identity management. So it is multi-pronged so we know you are who you say you are, and we know you have a right to be in this building, we know you have this reason to be into this technology, and it gives us a stronger sense of exactly what is going on a day-to-day basis both with our partners, as well as our employees, contractors, our systems.
So as the threat of the security vulnerabilities continue to grow, we can see efficiency and a streamlining and a convergence of the security disciplines where the physical security and the logical security prior to this haven’t had a reason or a mandate to work together and to talk with each other. So this gives us a great opportunity to continue to look for additional new efficiencies and think of this as only a beginning and not nearly at the end.
JIM FLYZIK, THE FLYZIK GROUP
Terrific, thank you so much. PV?
PV PUVVADA, UNISYS
I’ll just pick up on what Carol said; it’s a beginning of this convergence that you talked about Jim, people, assets, logical, physical, bits. But where I really see this going is this investment that the Federal government is making is going to accelerate private industry to implement these.
We are seeing a lot of interest especially from the Transportation industry as well as the Health Care industry to implement a trusted credential that can be integrated into the business processes. I think we are also very encouraged by the work that the Department of Homeland Security is doing and the DOD is doing to do the convergence with the stakeholders, our allies, as well as our state and local government agencies. So I clearly see this happening and this is really taking a life of its own in accelerating private industry to actually address this.
JIM FLYZIK, THE FLYZIK GROUP
Mike Butler, what is your vision for where this is all going and what might we expect in the future?
MIKE BUTLER, DOD
I think attaching roles is a very important part because that lays us out for a whole bunch of new things that maybe we haven’t even thought about in the future. In my DOD hat, one of the things that we’ve always thought best is to be more efficient about things. I always look at my customers who always carry their credential in their pocket. Some of the things that we’ve done, which are possibilities, is the Marine Corps have put an electronic bursar on the card for their recruits which goes across the Department of the Defense. So actually putting money on your ID card is a possibility.
I think that would be a fantastic thing. So there are a lot of things that are customer driven that these people hold, because the card is theirs, it is them electronically, and I think that we should make it convenient for our customers and drive efficiency in the government. This is a tool set that will help do that.
JIM FLYZIK, THE FLYZIK GROUP
Judy, what about your vision from working this issue from GSA perspective?
JUDY SPENCER, GSA
Well, for the first time we actually have an identity credential that is part of a chain of trust that goes all the way back to when we first became a government employee or a contractor working for the government and had some ID vetting done. This actually is a real chain of trust to the identity credential to the point that you can even now have a positive way through a biometric match on the card of ensuring that the card holder is in fact the person to whom the card was issued -- whether it was three years ago or five years ago.
That is a huge step forward for ensuring that we do have good identity management as Barbara said earlier. But in addition to that, over the last several years in the Federal government we have had what we call lines of business; places where we are taking repeatable processes that we all do across government and we are consolidating them in a few places.
We’ve done it with finance, we are doing it with human resources, and we are doing it with several other areas. And what this card now gives us is a consistent way for employees to gain access to these lines of business for these processes to do what they do. The President’s eGovernment agenda that he announced back in 2001 had four sectors. HSPD-12 meets and succeeds in the fourth sector which is internal efficiencies and effectiveness.
JIM FLYZIK, THE FLYZIK GROUP
Let me have the last word on the subject before we close out our session today. The thing to me is so exciting about HSPD-12 is that for the first time we’ll be able to positively identify people, things, bits and so forth and if you separate that authentication piece from the privilege piece, think of what it does for the future and the world it sets up for the future.
If we can prove who you are, an individual can then opt in to privileges they can put on that card. The card can be used for multiple purposes, it can become your bank card, it can become your form of cash, you can become a registered traveler, you can secure a flight, the list can go on, you are limited only by your imagination of what we will be able to do once we cross that initial hurdle of positive authentication.
So I look forward to this in the future, that we go beyond just producing the card. Reciprocity in data bases, it means better hiring, better skills, better business processes, world class government agencies, a more efficient government and most importantly, a more secure country.
And with that I want to thank everybody, first thank the panelists for taking time from their busy schedules to be with us, thank the audience for being with us today at the Federal Information Assurance Conference at the University of Maryland, University College and invite everyone back next month when we talk about disaster recovery planning. Thank you all for listening to the Federal Executive Forum.