The White House Cyberspace Policy Review (76 pages, PDF) requires the Federal implementation of HSPD-12. This review resulted from President Obama directing a 60-day, comprehensive review to assess U.S. policies and structures for cybersecurity. Page 34 specifically states (emphasis mine):

The Federal government, following the guidance of Homeland Security Presidential Directive 12 (HSPD-12), is seeking to leverage the federal interoperable identity credentialing mechanism across the federal enterprise.

The Federal government should ensure resources are available for full federal implementation of HSPD-12. The Federal government also should consider extending the availability of federal identity management systems to operators of critical infrastructure and to private-sector emergency response and repair service providers for use during national emergencies.

UPDATE: Senate panel passes Cybersecurity Act with revised “kill switch” language


OMB Reports Significant HSPD-12 Implementation Progress but Areas for Improvement Identified

Washington, DC — Today, OMB released its fourth agency Homeland Security Presidential Directive (HSPD)-12 implementation progress report.

With the October 27th deadline, agencies provided an update to the September website posting of HSPD-12 status on the number of credentials issued.  Since September 1, agencies have issued over 300,000 credentials. As of October 27, 2008, half of the scorecard agencies met the credentialing targets in their agreed-upon implementation plans. These agencies include: Education, EPA, DOD (includes USACE), HUD, Labor, NASA, NSF, OMB, State, SSA, and Treasury.

“All of these agencies should be commended for achieving the milestones in their HSPD-12 plans”, stated Karen Evans. “OMB congratulates NASA and Treasury in particular for achieving their targets and the HSPD-12 objectives given the challenges they experienced during their implementation. For those agencies that met their goals, we are encouraging them to document and share their best practices through the CIO Council Best Practices Committee in order for the other agencies to benefit while updating their existing implementation plans.”

In addition to the agencies listed above, the following scorecard agencies are issuing HSPD-12 credentials to all new employees and contractors as part of the boarding process: GSA, SBA, and USAID.

As of this date, 29% (1,593,191) of federal employees and contractors have received the new identity credentials.

Some important accomplishments on the HSPD-12 initiative over the past four years include:

  • Issuance of the NIST standard (FIPS 201) in February 2005, followed by the issuance of several technical guidelines.
  • Establishment of a conformance and interoperability program in May 2006, with over 370 products and 34 systems integrators on the GSA approved services and products list.
  • Formation of the GSA HSPD-12 Shared Services offering in August 2006 to service approximately 70 customer agencies.
  • Establishment of 19 credential issuance infrastructures to provide credentialing services to the federal workforce.
  • A number of agencies have also begun to use the electronic capabilities of the credentials for physical and/or logical access.

“In implementing the Presidential Directive, agencies have reached an important milestone towards improving their security postures, but there is still more work to do,” said Clay Johnson, OMB Deputy Director for Management. “Agency senior leadership must follow through on their commitments and targets to the objectives of HSPD-12.”

For agencies not achieving the target in their agreed-upon plans, OMB is working with these agencies by providing recommended corrective actions and has requested that they submit updated plans by November 17 with milestones for how they intend to meet the requirements of the Presidential Directive as soon as possible.

The focus over the coming year will be on completing the background investigations and issuance of credentials as part of the onboarding process and completing all other issuance, as well as implementing plans for leveraging the capabilities of the credentials.

To assist agencies with their planning, in May 2008, OMB issued guidance asking agencies to finalize plans for how they intend to leverage the credentials to the maximum extent. This guidance includes questions for what agencies should consider in developing their plans.

In addition to improving security, HSPD-12 has been the impetus to streamline business processes. For example, agencies are using the HSPD-12 enrollment stations to capture and transmit electronic fingerprint files used for the screening and adjudication of background investigations. This will speed the screening and adjudication time required for the hiring process, and improve the protection of sensitive personal information.

“By leveraging the capabilities of HSPD-12 identity credentials, agencies can achieve greatly enhanced physical and cybersecurity while obtaining the benefits of government-wide interoperability,” stated Karen Evans.

To view the HSPD-12 reports, please access: http://www.whitehouse.gov/omb/egov/b-1-information.html#hspd12.


HSPD 12 Full Text

Homeland Security Presidential Directive-12
August 27, 2004
SUBJECT: Policies for a Common Identification Standard for Federal Employees and Contractors

  1. Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).
  2. To implement the policy set forth in paragraph (1), the Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the “Standard”) not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy. The Secretary of Commerce shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies.
  3. “Secure and reliable forms of identification” for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee’s identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).
  4. Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. Departments and agencies shall implement this directive in a manner consistent with ongoing Government-wide activities, policies and guidance issued by OMB, which shall ensure compliance.
  5. Not later than 6 months following promulgation of the Standard, the heads of executive departments and agencies shall identify to the Assistant to the President for Homeland Security and the Director of OMB those Federally controlled facilities, Federally controlled information systems, and other Federal applications that are important for security and for which use of the Standard in circumstances not covered by this directive should be considered. Not later than 7 months following the promulgation of the Standard, the Assistant to the President for Homeland Security and the Director of OMB shall make recommendations to the President concerning possible use of the Standard for such additional Federal applications.
  6. This directive shall be implemented in a manner consistent with the Constitution and applicable laws, including the Privacy Act (5 U.S.C. 552a) and other statutes protecting the rights of Americans.
  7. Nothing in this directive alters, or impedes the ability to carry out, the authorities of the Federal departments and agencies to perform their responsibilities under law and consistent with applicable legal authorities and presidential guidance. This directive is intended only to improve the internal management of the executive branch of the Federal Government, and it is not intended to, and does not, create any right or benefit enforceable at law or in equity by any party against the United States, its departments, agencies, entities, officers, employees or agents, or any other person.
  8. The Assistant to the President for Homeland Security shall report to me not later than 7 months after the promulgation of the Standard on progress made to implement this directive, and shall thereafter report to me on such progress or any recommended changes from time to time as appropriate.

GEORGE W. BUSH



INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

June 23, 2008

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR PERSONNEL AND READINESS
UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/DOD CHIEF INFORMATION OFFICER

SUBJECT: DoD Implementation of Homeland Security Presidential Directive-12 (Report No. D-2008-104)

We are providing this report for your review and comment.

We performed the audit in response to a request from the Office of Management and Budget that the President’s Council on Integrity and Efficiency review agency processes and help ensure they are consistent with HSPD-12 and FIPS 201-1. We considered comments from the Under Secretary of Defense for Personnel and Readiness, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer on a draft of the report in preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. Recommendations B.1. and B.2.a. have been clarified in response to management comments. We request additional comments from the Under Secretary of Defense for Personnel and Readiness, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer as detailed in the recommendations table on page ii by July 30, 2008.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to AUDROS@dodig.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Please direct questions to Mr. Donald Bloomer at (703) 604-8863 (DSN 664-8863) or Mr. Robert Johnson at (703) 604-9024 (DSN 664-9024).  The team members are listed inside the back cover.

Paul J. Granetto, Principal Assistant Inspector General for Auditing


Introduction

Objectives

Our overall audit objective was to determine whether DoD is complying with the requirements of Homeland Security Presidential Directive-12 to enhance the quality and security of the identification that Federal employees and contractors use, and to implement common personal identity verification (PIV) credentials that will be strongly resistant to terrorist exploitation. Specifically, we evaluated whether DoD business processes comply with directives and standards to develop PIV credentials that are secure and reliable forms for identifying DoD employees and contractors.

Background

President Bush signed the Homeland Security Presidential Directive-12 (HSPD-12) on August 27, 2004. HSPD-12 objectives are to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 establishes a mandatory, Government-wide standard for secure and reliable forms of identification issued by Federal agencies to their employees and contractors.

The Presidential Directive defines secure and reliable identification as being (a) issued based on sound criteria for verifying an individual employee’s identity; (b) strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) capable of rapid electronic authentication; and (d) issued only by accredited providers. As required by HSPD-12, the Secretary of Commerce promulgated Federal Information Processing Standard (FIPS) 201, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” February 25, 2005, which established minimum requirements for a Federal personal identity verification system (PIV-I) and detailed technical specifications of components and processes required for interoperability of PIV cards (PIV-II). In March 2006, the Secretary of Commerce issued FIPS 201 Change Notice 1 (FIPS 201-1), updating the requirements established by FIPS 201.

Office of Management and Budget (OMB) Memorandum M-05-24, “Implementation of Homeland Security Presidential Directive-12 Policy for a Common Identification Standard for Federal Employees and Contractors,” August 5, 2005, establishes timelines and milestones for FIPS 201-1-compliance. OMB Memorandum M-07-06, “Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials,” January 11, 2007, required all Federal agencies to submit their FIPS 201-1-compliant credential to the General Services Administration for testing by January 19, 2007. The memorandum announced that agencies would be contacted by their Inspector General to ensure business processes are being followed to foster the environment of trust needed for the credentials to be accepted by departments and agencies when deemed appropriate in implementing HSPD-12.

Agencies may elect to implement HSPD-12 through either a transitional or an end-point credential. DoD is the only agency granted transitional status by OMB because DoD already has a smart card program. DoD must achieve the end-point credential specification for all cardholders at some point. OMB established October 27, 2006, as the date for issuing an initial end-point credential by all agencies; however, OMB has not established a deadline for DoD to achieve initial operational capability.

In early 2007, DoD began to issue a limited number of transitional credentials to individuals whose previous credentials had expired. In the quarterly DoD PIV Status Report dated December 26, 2007, DoD reported it had issued 56 credentials as of March 2007. After the issuance of our draft report, the April 1, 2008, quarterly DoD PIV Status Report cited 108,778 total PIV cards issued: 83,659 to employees and 25,119 to contractors. DoD had not completed development of an end-point credential as of May 2008.

The Under Secretary of Defense for Personnel and Readiness is responsible for the timely implementation of HSPD-12 for the Department of Defense. The Defense Manpower Data Center (DMDC) has been assigned responsibility for development of a DoD common access card meeting the requirements of HSPD-12. We visited the DMDC East facility to determine the stage of HSPD-12 compliance and to review common access card (CAC) testing, issuance, and infrastructure. To determine HSPD-12 compliance at installations, we also visited 13 military and Coast Guard installations—all with CAC issuance facilities. We visited Defense Supply Center-Philadelphia and the Defense Logistics Agency concerning a photoless ID cardholder.

Review of Internal Controls

We identified an internal control weakness for DoD as defined by DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,” January 4, 2006. DoD did not have adequate internal controls to ensure DoD compliance with the requirements of HSPD-12. DoD has not issued comprehensive HSPD-12 implementation guidance. Further, existing guidance pertaining to various aspects of HSPD-12 implementation, such as DoD Regulation 5200.08-R and DoD Directive 1000.25, is contrary to HSPD-12 policy. See finding B for specific results of those weaknesses. Implementing the recommendations made in this report will correct the weaknesses. A copy of this report will be provided to the senior official responsible for internal controls in DoD.

A. Implementation of Directive

DoD did not meet the milestones approved by the Office of Management and Budget (OMB) in 2005 for compliance with Homeland Security Presidential Directive-12 (HSPD-12) by 2010. DoD missed these milestones in part because it declared a “strategic pause” in HSPD-12 implementation from April to December 2007, and has not met HSPD-12 minimum standards for its transitional program. In addition, DoD has not provided centralized funding for critical required elements of HSPD-12 implementation.

As a consequence, the intended benefits of HSPD-12 to enhance security, increase Government efficiency, reduce identity fraud, protect personal privacy, and reduce the potential for terrorist exploitation will not begin to be realized by the Department until at least 2012.

Implementation Milestones and Strategic Pause

In June 2005 DoD submitted its HSPD-12 Implementation Plan to OMB for approval. OMB approved DoD milestones for the Personal Identity Verification (PIV)-I and PIV-II requirements to support DoD achieving full compliance with HSPD-12 requirements by April 2010. DoD’s updated January 2008 HSPD-12 Implementation Plan documents the failure of the Department to meet critical HSPD-12 implementation milestones. Implementation challenges remain that threaten to further delay full compliance with HSPD-12 requirements.

DoD attributes the adjustments in implementing HSPD-12 milestones to a strategic pause taken to update infrastructure for issuing CACs. DoD’s transition to a Web services architecture has not been as trouble-free as anticipated. In April 2007, DoD declared a strategic pause in the implementation of the Web version of its issuance infrastructure until December of 2007. After the strategic pause, DoD recommenced with the upgrade of its issuance infrastructure to the Web service architecture and full compliance with the FIPS 201-1, PIV-II requirements. DoD will need a year from the December 2007 reinitiation to upgrade the entire infrastructure. The strategic pause directly affected the Department’s ability to achieve full implementation of HSPD-12 PIV-I and PIV-II requirements.

Personal Identity Verification-I Requirements

PIV-I requirements are the minimum requirements for a Federal personal identification verification system that meets the control and security objectives of HSPD-12, including personal identity proofing and registration, issuance, and privacy protection.

1. PIV identity proofing and registration requirements include the initiation of a National Agency Check with Written Inquiries (NACI) background check. FIPS 201-1 Part 2 requires that when a PIV credential is issued to a Federal employee or contractor without a completed NACI background check, the credential must be electronically distinguishable from that issued to an individual who has completed a NACI background check.

2. PIV issuance requirements state that, at the time of issuance, the PIV applicant’s identity must be verified as the person intended to receive the PIV credential and for whom the background check was completed.

3. Protecting personal privacy is a requirement of the PIV system.

Background Checks

FIPS 201-1 requires that employees and contractors who are issued a PIV credential undergo, at a minimum, a NACI or OPM or National Security community investigation equivalent background check. The background check must be initiated and the fingerprint check completed before the issuance of any PIV credential. Further, at the time of PIV issuance, the issuing official is required to verify the status of the NACI process for the applicant (completed or ongoing). Credentials issued to individuals without a completed NACI or the equivalent must be electronically distinguishable from credentials issued to individuals who have a completed investigation.

Automated Verification of Status

The Director of DMDC issued a memorandum on September 12, 2007, stating that DMDC is working closely with the Office of the Deputy Under Secretary of Defense for Intelligence, Counterintelligence, and Security to establish an automated capability to verify the status of an individual’s background check. However, DoD does not intend to produce identity credentials that will include an electronic indication of the status of a NACI. Further, DoD has yet to establish an automated mechanism to verify that all individuals receiving the PIV credential have at least initiated, if not completed, the required NACI background investigation.

Deadlines for Completion of Background Checks

Office of Management and Budget Memorandum M-05-24 mandates that agencies:

  • by October 27, 2007, verify or complete background checks for all current employees and contractors, except for agency employees employed more than 15 years; and
  • by October 27, 2008, complete background checks for all Federal department or agency employees employed more than 15 years.

DoD did not meet the OMB deadline of October 27, 2007, for current employees and contractors. According to DoD’s January 2008 Implementation Plan, as of December 26, 2007, the following numbers of DoD employees and  contractors had not completed the required background checks.

DoD Employees and Contractors With Incomplete Background Checks

Military or Civilian 1,240,214

Contractors 196,185

Total *1,436,399

*DoD’s January 2008 Implementation Plan noted that these numbers may not be an accurate reflection of the completed qualifying investigations, but a reflection of data quality in the DoD Joint Personnel Adjudication System.

Privacy Requirements

HSPD-12 explicitly states that protecting personal privacy is a requirement of the PIV-I implementation policy. All departments and agencies shall implement the PIV system in accordance with the spirit and letter of privacy controls specified by HSPD-12 and in Federal privacy laws and policies. The DoD Geneva Conventions credential for members of the uniformed services does not comply with HSPD-12 or with Federal policies and requirements to reduce identity fraud and protect personal privacy.

The continued display of Social Security numbers on the DoD Geneva Conventions credential is the result of adherence to guidance that does not reflect changes in Federal policies, technological advancements, or the increased need to protect personal information. DoD began displaying the Social Security number on identification badges in 1967. In 2007 OMB instructed Federal departments and agencies to take steps to reduce the risk related to loss of personally identifiable information. In 2007 OMB issued guidance to Federal agencies to eliminate unnecessary use of Social Security numbers and strengthen protection of personal information from loss or theft. In 2006 Congress identified the inherent risk of displaying the full Social Security number on identification credentials and the need to protect individuals’ right to privacy and reduce the risk of identity theft. Printing of the Social Security numbers in conjunction with the individuals’ dates of birth on DoD credentials unnecessarily exposes individuals’ personal privacy information and increases the risk of identity theft.

In response to an FY 2007 congressional request, DoD issued a report to Congress, “Omission of the SSN from the Department of Defense Military Identification Cards,” May 23, 2007. In it, the Under Secretary of Defense for Personnel and Readiness (USD [P&R]) recommended removing the full Social Security number from view on identification credentials, instead displaying only the last four digits. The full Social Security number would be retained in the portable data file 417 two-dimensional barcode and the integrated circuit chip on the credential. No timetable was provided to implement the recommendation, however, nor did the report specify who was responsible for implementation. The current appearance of DoD’s Geneva Conventions credential unnecessarily compromises personal privacy and increases the risk of identity theft and the potential for terrorist exploitation. DoD should immediately require USD(P&R) to implement the recommendation to print only the last four digits of the Social Security number on the Geneva Conventions credential.

Personal Identity Verification-II Requirements

PIV-II requirements are the detailed technical specifications of components and processes required for interoperability of PIV credentials for personal authentication, access controls, and PIV card management across Federal departments and agencies. HSPD-12 envisions that when Federal departments and agencies issue and manage the required, fully interoperable PIV credentials, individuals’ identity can be authenticated Government-wide, thus increasing the security of Federal facilities and information systems. DoD did not meet the March 2006 PIV-II initial operational capability implementation milestone approved by OMB in the DoD Implementation Plan, nor did DoD meet the October 2006 OMB milestone for PIV-II implementation.

DoD PIV PKI Authentication Certificate

One of the technical specifications for a PIV-II-compliant card is a Public Key Infrastructure (PKI) authentication certificate. Because of the Department’s strategic pause, resources allocated to support the development of the authentication certificate were reallocated. The reallocation has caused a delay in the development, testing, and issuance of the authentication certificate. As a result, DoD now plans to delay issuance of the authentication certificate until the third quarter of FY 2008. The current DoD credential contains three certificates: (1) digital signature certificate, (2) key management certificate, and (3) card authentication certificate. The DoD Public Key Infrastructure Program Management Office (PKI PMO), tasked with developing the required PIV PKI authentication certificate, chose to develop a new, fourth certificate to meet HSPD-12, FIPS 201-1, and PIV PKI authentication requirements rather than modify an existing certificate.

The PKI PMO elected to develop authentication certificates using the Federal bridge policy, despite the HSPD-12 requirement that became effective January 1, 2008, to use Common Policy object identifiers. DoD has been lobbying since 2006 to have changes made to FIPS 201-1 so that the Federal bridge policy would be adopted for DoD’s PIV PKI authentication certificate, rather than working toward meeting the current FIPS 201-1 Common Policy requirements. The PKI PMO program manager stated that DoD’s unique infrastructure is too robust to use the Common Policy object identifiers.

DoD is not currently planning to use Common Policy object identifiers in certificates unless the National Institute of Standards and Technology (NIST) promulgates two modifications to the Federal Common Policy object identifiers. The requested modifications to the Common Policy are as follows.

  • Increase the frequency of issuance of the certificate revocation list (CRL). DoD issues the CRL once every 24 hours from 14 certificate authorities. The Common Policy’s smaller 18-hour window will place a strain on system performance, according to DoD.
  • Shorten the NextUpdate time in the CRL. DoD NextUpdate time is 7 days, whereas the Common Policy time is no longer than 48 hours. According to DoD, reduction in the number of days for the next update would cause a large increase in CRL traffic and potentially consume network bandwidth well above what the DoD network is meant to accommodate.

DoD plans to use Common Policy object identifiers in the PIV PKI authentication certificate only after FIPS 201-1 is revised to meet DoD objections, and estimates that implementation will take 1 year. The petition for the two changes has been submitted to the Federal PKI policy authority for approval, but no date has been established for consideration of the two modifications.
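
The trade-off behind the two CRL figures above can be worked through with a small model. This is an added example, not code from the IG report or from DoD: it assumes a relying party that caches a CRL until its NextUpdate time (common, but not universal, behaviour), a certificate revoked one hour after a CRL was published, and a 14-day observation window; all names in it are hypothetical.

```python
# Added example: a constructed model of CRL caching, using the issuance
# and NextUpdate figures quoted in the report. Time is in whole hours.
from dataclasses import dataclass


@dataclass(frozen=True)
class Crl:
    this_update: int   # hour at which the CA published this CRL
    next_update: int   # hour after which a relying party must refetch
    lists_cert: bool   # True if the revoked certificate appears on it


def publish(issue_every_h, validity_h, revoked_at_h, horizon_h):
    """All CRLs a CA publishes between hour 0 and the horizon."""
    return [
        Crl(t, t + validity_h, t >= revoked_at_h)
        for t in range(0, horizon_h + 1, issue_every_h)
    ]


def simulate(issue_every_h, validity_h, revoked_at_h=1, horizon_h=14 * 24):
    """Model one relying party that only refetches at NextUpdate.

    Returns the hours a revoked certificate is still accepted
    (None if never rejected within the horizon) and the number of
    CRL downloads the relying party made.
    """
    crls = publish(issue_every_h, validity_h, revoked_at_h, horizon_h)
    cached = crls[0]          # relying party downloaded the hour-0 CRL
    fetches = 1
    first_reject = None

    for now in range(horizon_h):
        if now >= cached.next_update:
            # Cache expired: download the newest CRL published so far.
            cached = max(
                (c for c in crls if c.this_update <= now),
                key=lambda c: c.this_update,
            )
            fetches += 1
        if cached.lists_cert and first_reject is None:
            first_reject = now

    exposure = None if first_reject is None else first_reject - revoked_at_h
    return {"exposure_h": exposure, "fetches": fetches}


# Figures as quoted in the report (assumed here to be the only inputs).
DOD = simulate(issue_every_h=24, validity_h=7 * 24)   # 24 h issue, 7 d NextUpdate
COMMON = simulate(issue_every_h=18, validity_h=48)    # 18 h issue, 48 h NextUpdate

if __name__ == "__main__":
    print("DoD profile:          ", DOD)
    print("Common Policy profile:", COMMON)
```

Under these assumptions the 24-hour/7-day profile leaves the revoked certificate accepted for 167 hours with 2 CRL downloads in 14 days, while the 18-hour/48-hour profile cuts that to 47 hours at the cost of 9 downloads, which is the security-versus-bandwidth trade-off the two bullets describe.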

DoD PIV End-Point Applet

Because DoD has elected to maintain its current CAC infrastructure, DoD must develop a PIV end-point applet to achieve full interoperability with other Federal agencies for the DoD PIV credential, as required by HSPD-12. The PIV applet, developed by DMDC, will be the intermediary that should allow readers compliant with HSPD-12 to access the necessary information on the DoD credential. After the required approval of the DoD PIV applet by NIST, General Services Administration (GSA) testing of the PIV credential with all the required components must be successfully completed before the DoD credential can be considered end-point-PIV-compliant.

DoD Transitional Credential

OMB granted DoD transitional status for implementation of the PIV system in June 2005. DoD was given until April 2010 for its PIV system to achieve full operational capability for its approximately 3.5 million PIV credentials. DoD plans to issue PIV credentials to DoD employees and contractors as their CACs expire. DoD CACs expire 3 years after issuance. DoD has started issuing some DoD PIV transitional credentials as card issuance workstations are updated to produce the transitional credentials.

Not all cardholders whose CACs expire receive the DoD transitional credential because not all card issuance workstations can issue the transitional credential. Some issuance sites are instructed to exhaust their current stock of noncompliant cards before issuing the DoD PIV transitional credential.

The DoD PIV transitional credentials do not contain either the required PIV PKI authentication certificate or the DoD PIV applet. According to DoD, the transitional credential can be updated at some future time with an approved and tested PIV PKI authentication certificate and PIV applet through downloads from the DMDC Web portal. DoD now projects PIV system full operational capability will occur in the summer of 2012. Achieving full operational capability remains problematic for DoD because of unresolved infrastructure issues and the unavailability of updated workstations required to issue the DoD transitional and eventually the fully compliant end-point PIV credentials.

DMDC is responsible for updating the centrally funded Real-time Automated Personnel Identification System (RAPIDS) workstations to RAPIDS version 7.2 to produce DoD PIV credentials for DoD installations in the continental United States by December 12, 2008. No schedule for deployment of updated RAPIDS workstations has been announced for four installations outside the continental United States, including two in Germany and one each in Djibouti and Greenland. No central funding is planned at installations for acquisition of equipment needed for the transition to physical access control systems that are compliant with HSPD-12 and FIPS 201-1. Installation commanders are responsible for granting access privileges and for funding to update or replace physical access control systems to bring them into compliance. The Military Services did not provide any plans, milestones, or dedicated resources to update or replace physical access control systems to comply with HSPD-12 and FIPS 201-1 requirements.

Conclusion

Inconsistent agency approaches to security of facilities and information systems are inefficient and costly, and they increase risk to the Federal Government. On August 27, 2004, President Bush issued a directive to Federal agencies to implement a Government-wide standard for secure and reliable forms of identification for Government employees and contractors. Successful implementation was expected to increase the security of Federal facilities and information systems. The President directed Federal agencies to promptly implement the mandatory, Government-wide standard for secure and reliable forms of identification.

DoD has not met key HSPD-12 implementation milestones for completion of background checks, verification of completed or initiated background checks, or Government-wide interoperability. Additionally, DoD must modify its current Geneva Conventions PIV credential to reduce the potential for identity fraud. Unresolved DoD CAC infrastructure problems continue with no firm date for resolution. As a consequence, the intended benefits of HSPD-12 to enhance security, increase Government efficiency, reduce identity fraud, protect personal privacy, and reduce the potential for terrorist.

For Complete Report: DoD Implementation of Homeland Security Presidential Directive-12

Related IG Report: Summary of Information Assurance Weaknesses Found in Audit Reports Issued From August 1, 2007, Through July 31, 2008

Department of Defense Inspector General Website

National Science Foundation (NSF) HSPD-12 Implementation Status Report, June 30, 2009

Homeland Security initiatives at the Social Security Administration

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION, December 14, 2007, Reference Number: 2008-20-030


Barack Obama Administration PPDs

In the Barack Obama Administration, the directives that are used to promulgate Presidential decisions on national security matters are designated Presidential Policy Directives (PPDs). Directives that are used to initiate policy review procedures are called Presidential Study Directives (PSDs).

| Number | Presidential Policy Directive Title | Date |
| --- | --- | --- |
| PPD 1 | Organization of the National Security Council System | 02/13/09 |

Sources and Resources


George W. Bush Administration NSPDs

In the George W. Bush Administration, the directives that are used to promulgate Presidential decisions on national security matters are designated National Security Presidential Directives (NSPDs). As discussed in NSPD 1, this new category of directives replaces both the Presidential Decision Directives and the Presidential Review Directives of the previous Administration. Unless otherwise indicated, however, past Directives remain in effect until they are superseded. The first directive, dated 13 February 2001, was formally approved for release by the National Security Council staff on 13 March 2001. On October 29, 2001, President Bush issued the first of a new series of Homeland Security Presidential Directives (HSPDs) governing homeland security policy.

| Number | National Security Presidential Directive Title | Date |
| --- | --- | --- |
| NSPD 1 | Organization of the National Security Council System | 13 February 01 |
| NSPD 2 | Improving Military Quality of Life | 15 February 01 |
| NSPD 3 | Defense Strategy, Force Structure, and Procurement | 15 February 01 |
| NSPD 4 | Transforming Deterrence | 15 February 01 |
| NSPD 5 | [Review of U.S. intelligence] | 9 May 01 |
| NSPD 6 | | |
| NSPD 7 | | |
| NSPD 8 | National Director and Deputy National Security Advisor for Combating Terrorism | |
| NSPD 9 | Defeating the Terrorist Threat to the United States | 25 October 01 |
| NSPD 10 | U.S. Strategic Nuclear Force | 21 December 01 |
| NSPD 12 | United States Citizens Taken Hostage Abroad | 18 February 02 |
| NSPD 13 | [on conventional arms transfers] | |
| NSPD 14 | [Nuclear Weapons Planning Guidance] | |
| NSPD 15 | National Space Policy Review [resulting in U.S. Commercial Remote Sensing Policy, 25 April 2003] | 28 June 02 |
| NSPD 16 | [To Develop Guidelines for Offensive Cyber-Warfare] | XX July 02(?) |
| NSPD 17 | [National Strategy to Combat Weapons of Mass Destruction] (unclassified version) (PDF) | 11 Dec 02 (unclassified) 14 Sep 02 (classified) |
| NSPD XX(?) | [Authorizing Training for Iraqi Opposition Forces] | 03 Oct 02(?) |
| NSPD 18 | Supporting Democracy in Colombia | Nov 02 |
| NSPD 19 | [Review of Defense Trade Export Policy] | |
| NSPD 20 | Counterproliferation Interdiction | |
| NSPD 21 | Support for Inspections in Iraq | Nov 02 |
| NSPD 22 | Trafficking in Persons | 16 Dec 02 |
| NSPD 23 | National Policy on Ballistic Missile Defense | 16 Dec 02 |
| NSPD 24 | [Post-War Iraq Reconstruction] | 20 January 2003 |
| NSPD 25 | [directs U.S. government agencies to attack the vulnerabilities of drug trafficking organizations] | |
| NSPD 26 | Intelligence Priorities | |
| NSPD 27 | U.S. Commercial Remote Sensing Space Policy | 25 April 2003 |
| NSPD 28 | United States Nuclear Weapons Command and Control, Safety, and Security | 20 June 2003 |
| NSPD 29 | [Transition to Democracy in Cuba] | 30 November 2003 |
| NSPD 31 | U.S. Space Exploration Policy | 14 January 2004 |
| NSPD 32 | [Latin America Policy] | |
| NSPD 33 | Biodefense for the 21st Century | 28 April 2004 |
| NSPD 34 | Fiscal Year 2004-2012 Nuclear Weapons Stockpile Plan | May 2004 |
| NSPD 35 | Nuclear Weapons Deployment Authorization | 6 May 2004 |
| NSPD 36 | United States Government Operations in Iraq | 11 May 2004 |
| NSPD 37 | Relating to Support of Iraqi Government | 2004 |
| NSPD 38 | National Strategy to Secure Cyberspace | 2004 |
| NSPD 39 | U.S. Space-Based Position, Navigation, and Timing Policy | 08 December 2004 |
| NSPD 40 | U.S. Space Transportation Policy | 21 December 2004 |
| NSPD 41 | Maritime Security Policy | 21 December 2004 |
| NSPD 42 | On Significant Military Exercise Briefs (SMEB) | 26 January 2005 |
| NSPD 43 | Domestic Nuclear Detection | 15 April 2005 |
| NSPD 44 | Management of Interagency Efforts Concerning Reconstruction and Stabilization (Fact Sheet) | 7 December 2005 |
| NSPD 46 | U.S. Strategy and Policy in the War on Terror | 6 March 2006 |
| NSPD 47 | National Strategy for Aviation Security | 22 June 2006 |
| NSPD 48 | Nuclear Materials Information Program | 28 August 2006 |
| NSPD 49 | U.S. National Space Policy | 31 August 2006 |
| NSPD 50 | U.S. Strategy for Sub-Saharan Africa | 2007 |
| NSPD 51 | National Continuity Policy | 4 April 2007 |
| NSPD 54 | Cyber Security and Monitoring | 8 January 2008 |
| NSPD 55 | [on dual-use export controls] | January 2008 |
| NSPD 56 | Defense Trade Reform | 22 January 2008 |
| NSPD 57 | Implementation of the US-IAEA Additional Protocol | 04 February 2008 |
| NSPD 58 | Advancing the Freedom Agenda (Fact Sheet) | 21 May 2008 (?) |
| NSPD 59 | Biometrics for Identification and Screening to Enhance National Security | 5 June 2008 |
| NSPD 66 | Arctic Region Policy | 9 January 20 |

| Number | Homeland Security Presidential Directive Title | Date |
| --- | --- | --- |
| HSPD 1 | Organization and Operation of the Homeland Security Council | 29 Oct 01 |
| HSPD 2 | Combating Terrorism Through Immigration Policies | 29 Oct 01 |
| HSPD 3 | Homeland Security Advisory System | 11 March 02 |
| HSPD 4 | National Strategy to Combat Weapons of Mass Destruction (unclassified version) | 11 December 02 |
| HSPD 5 | Management of Domestic Incidents [Initial National Response Plan, 30 September 03] | 28 February 03 |
| HSPD 6 | Integration and Use of Screening Information to Protect Against Terrorism | 16 September 03 |
| HSPD 7 | Critical Infrastructure Identification, Prioritization, and Protection | 17 December 03 |
| HSPD 8 | National Preparedness | 17 December 03 |
| HSPD 9 | Defense of United States Agriculture and Food | 30 January 04 |
| HSPD 10 | Biodefense for the 21st Century | 28 April 04 |
| HSPD 11 | Comprehensive Terrorist-Related Screening Procedures | 27 August 04 |
| HSPD 12 | Policy for a Common Identification Standard for Federal Employees and Contractors | 27 August 04 |
| HSPD 13 | Maritime Security Policy | 21 December 2004 |
| HSPD 14 | Domestic Nuclear Detection | 15 April 2005 |
| HSPD 15 | U.S. Strategy and Policy in the War on Terror (classified directive) | 6 March 2006 |
| HSPD 16 | National Strategy for Aviation Security | 22 June 2006 |
| HSPD 17 | Nuclear Materials Information Program | 28 August 2006 |
| HSPD 18 | Medical Countermeasures Against Weapons of Mass Destruction | 31 January 2007 |
| HSPD 19 | Combating Terrorist Use of Explosives in the United States | 12 February 2007 |
| HSPD 20 | National Continuity Policy | 4 April 2007 |
| HSPD 21 | Public Health and Medical Preparedness | 18 October 2007 |
| HSPD 22 | Domestic Chemical Defense | |
| HSPD 23 | Cyber Security and Monitoring | 8 January 2008 |
| HSPD 24 | Biometrics for Identification and Screening to Enhance National Security | 5 June 2008 |
| HSPD 25 | Arctic Region Policy | 9 January 2009 |

Sources and Resources


ANOTHER VIEWPOINT

In-Depth Information

For more detailed explanations of why Griffin’s JPL rebadging directive is wrong, see our In-Depth Information page.

  • Federal Information Processing Standards (FIPS) Publication 201-1, “Personal Identity Verification of Federal Employees and Contractors,” March 2006: This is the standard the Department of Commerce developed, as directed by HSPD-12. It requires a National Agency Check with written Inquiries (NACI) background investigation for federal employees and contractors.
  • Standard Form 85: Questionnaire for Non-Sensitive Positions, required by the NACI process. The applicant fills this out to kick off the background investigation. The main complaint regarding this form is the release at the end that grants the federal government authority to perform an investigation that is “not limited.”
  • Standard Form 85P: Questionnaire for Public Trust Positions, required by the NACI process. The applicant fills this out to kick off the background investigation.
  • OPM INV 41 (partial): Written inquiry sent by the Office of Personnel Management (OPM) to applicant’s supervisor(s).
  • OPM INV 42: Written inquiry sent by the Office of Personnel Management (OPM) to applicant’s references and neighbors.
  • Office of Personnel Management’s “Issue Characterization Chart”, also known as the federal employment “Suitability Matrix”. This chart is also a part of NASA’s Desk Guide for Suitability and Security Clearance Processing. Indicates the standards by which suitability for federal employment/contracting will be made. E.g., “sodomy” (gay sex) disqualifies one from federal employment or contracting.
  • GENERAL QUESTIONS AND ANSWERS ABOUT OPM BACKGROUND INVESTIGATIONS: U.S. Office of Personnel Management, May 22, 2002.
  • OPM Forms
  • Requesting OPM Federal Investigations: A guide for agencies requesting background investigations from OPM, May 2001.
  • GAO Report on FBI information security: A report on major weaknesses in the FBI’s protection of information.
  • GAO Report on implementation of HSPD-12: NASA had some flexibility in implementation, and could have made separate rules for JPL (see page 32).
  • NASA Privacy Impact Assessment: This appears to be the privacy impact assessment that NASA produced as part of its HSPD-12 implementation.
  • NASA Privacy Act Notice: Describes categories and sources of the information collected.
  • Dept of Commerce Privacy Impact Assessment: Explains the background-check process and what information is contained on the “smart card”.
  • Letters to and from Government Officials and Representatives

    Essays and Other Documents

    External Links
