The White House Cyberspace Policy Review (76 Pages, pdf) requires the Federal implementation of HSPD-12. This review resulted from President Obama directing a 60-day, comprehensive review to assess U.S. policies and structures for cybersecurity. Page 34 Specifically states (Emphasis mine):
The Federal government, following the guidance of Homeland Security Presidential Directive 12 (HSPD-12), is seeking to leverage the federal interoperable identity credentialing mechanism across the federal enterprise.
The Federal government should ensure resources are available for full federal implementation of HSPD-12. The Federal government also should consider extending the availability of federal identity management systems to operators of critical infrastructure and to private-sector emergency response and repair service providers for use during national emergencies.
OMB Reports Significant HSPD-12 Implementation Progress but Areas for Improvement Identified
Washington, DC — Today, OMB released its fourth agency Homeland Security Presidential Directive (HSPD)-12 implementation progress report.
With the October 27th deadline, agencies provided an update to the September website posting of HSPD-12 status on the number of credentials issued. Since September 1, agencies have issued over 300,000 credentials. As of October 27, 2008, half of the scorecard agencies met the credentialing targets in their agreed-upon implementation plans. These agencies include: Education, EPA, DOD (includes USACE), HUD, Labor, NASA, NSF, OMB, State, SSA, and Treasury.
“All of these agencies should be commended for achieving the milestones in their HSPD-12 plans”, stated Karen Evans. “OMB congratulates NASA and Treasury in particular for achieving their targets and the HSPD-12 objectives given the challenges they experienced during their implementation. For those agencies that met their goals, we areencouraging them to document and share their best practices through the CIO Council Best Practices Committee in order for theother agencies to benefit while updating their existing implementation plans.”
In addition to the agencies listed above, the following scorecard agencies are issuing HSPD-12 credentials to all new employees and contractors as part of the boarding process: GSA, SBA, and USAID.
As of this date, 29% (1,593,191) of federal employees and contractors have received the new identity credentials.
Some important accomplishments on the HSPD-12 initiative over the past four years include:
- Issuance of the NIST standard (FIPS 201) in February 2005, followed by the issuance of several technical guidelines.
- Establishment of a conformance and interoperability program in May 2006, with over 370 products and 34 systems integrators on the GSA approved services and products list.
- Formation of the GSA HSPD-12 Shared Services offering in August 2006 to service approximately 70 customer agencies.
- Establishment of 19 credential issuance infrastructures to provide credentialing services to the federal workforce.
- A number of agencies have also begun to use the electronic capabilities of the credentials for physical and/or logical access.
“In implementing the Presidential Directive, agencies have reached an important milestone towards improving their security postures, but there is still more work to do,” said Clay Johnson, OMB Deputy Director for Management. “Agency senior leadership must follow through on their commitments and targets to the objectives of HSPD-12.”
For agencies not achieving the target in their agreed-upon plans, OMB is working with these agencies by providing recommended corrective actions and has requested that they submit updated plans by November 17 with milestones for how they intend to meet the requirements of the Presidential Directive as soon as possible.
The focus over the coming year, will be on completing the background investigations and issuance of credentials as part of the on boarding process and complete all other issuance, as well as implementing plans for leveraging the capabilities of the credentials.
To assist agencies with their planning, in May 2008, OMB issued guidance asking agencies to finalize plans for how they intend to leverage the credentials to the maximum extent. This guidance includes questions for what agencies should consider in developing their plans.
In addition to improving security, HSPD-12 has been the impetus to streamline business processes. For example, agencies are using the HSPD-12 enrollment stations to capture and transmit electronic fingerprint files used for the screening and adjudication of background investigations. This will speed the screening and adjudication time required for the hiring process, and improve the protection of sensitive personal information.
“By leveraging the capabilities of HSPD-12 identity credentials, agencies can achieve greatly enhanced physical and cybersecurity while obtaining the benefits of government-wide interoperability,” stated Karen Evans.
To view the HSPD-12 reports, please access: http://www.whitehouse.gov/omb/egov/b-1-information.html#hspd12.
HSPD 12 Full Text
Homeland Security Presidential Directive-12 August 27, 2004 SUBJECT: Policies for a Common Identification Standard for Federal Employees and Contractors
- Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).
- To implement the policy set forth in paragraph (1), the Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the “Standard”) not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy. The Secretary of Commerce shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies.
- “Secure and reliable forms of identification” for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee’s identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).
- Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. Departments and agencies shall implement this directive in a manner consistent with ongoing Government-wide activities, policies and guidance issued by OMB, which shall ensure compliance.
- Not later than 6 months following promulgation of the Standard, the heads of executive departments and agencies shall identify to the Assistant to the President for Homeland Security and the Director of OMB those Federally controlled facilities, Federally controlled information systems, and other Federal applications that are important for security and for which use of the Standard in circumstances not covered by this directive should be considered. Not later than 7 months following the promulgation of the Standard, the Assistant to the President for Homeland Security and the Director of OMB shall make recommendations to the President concerning possible use of the Standard for such additional Federal applications.
- This directive shall be implemented in a manner consistent with the Constitution and applicable laws, including the Privacy Act (5 U.S.C. 552a) and other statutes protecting the rights of Americans.
- Nothing in this directive alters, or impedes the ability to carry out, the authorities of the Federal departments and agencies to perform their responsibilities under law and consistent with applicable legal authorities and presidential guidance. This directive is intended only to improve the internal management of the executive branch of the Federal Government, and it is not intended to, and does not, create any right or benefit enforceable at law or in equity by any party against the United States, its departments, agencies, entities, officers, employees or agents, or any other person.
- The Assistant to the President for Homeland Security shall report to me not later than 7 months after the promulgation of the Standard on progress made to implement this directive, and shall thereafter report to me on such progress or any recommended changes from time to time as appropriate.
GEORGE W. BUSH
INSPECTOR GENERAL DEPARTMENT OF DEFENSE 400 ARMY NAVY DRIVE ARLINGTON, VIRGINIA 22202-4704
June 23, 2008
MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR PERSONNEL AND READINESS UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATIONIDOD CHIEF INFORMATION OFFICER
SUBJECT: DoD Implementation of Homeland Security Presidential Directive-12 (Report No. D-2008-104)
We are providing this report for your review and comment.
We performed the audit in response to a request from the Office of Management and Budget that the President’s Council on Integrity and Efficiency review agency processes and help ensure they are consistent with HSPD-12 and FIPS 201-1. We considered comments from the Under Secretary of Defense for Personnel and Readiness, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of Defense for Networks and Information Integration I DoD Chief Information Officer on a draft of the report in preparing the final report.
DoD Directive 7650.3 requires that all recommendations be resolved promptly. Recommendations B.1. and B.2.a. have been clarified in response to management comments.. We request additional comments from the Under Secretary of Defense for Personnel and Readiness, the Under Secretary of Defense for Intelligence, and the Assistant Secretary of Defense for Networks and Information Integration I DoD Chief Information Officer as detailed in the recommendations table on page ii by July 30, 2008.
If possible, please send management comments in electronic format (Adobe Acrobat file only) to AUDROS@dodig.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. Ifyou arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).
We appreciate the courtesies extended to the staff. Please direct questions to Mr. Donald Bloomer at (703) 604-8863 (DSN 664-8863) or Mr. Robert Johnson at (703) 604-9024 (DSN 664-9024). The team members are listed inside the back cover.
Paul J. Granetto, Principal Assistant Inspector General for Auditing
Our overall audit objective was to determine whether DoD is complying with the requirements of Homeland Security Presidential Directive-12 to enhance the quality and security of the identification that Federal employees and contractors use, and to implement common personal identity verification (PIV) credentials1 that will be stronglyresistant to terrorist exploitation. Specifically, we evaluated whether DoD business processes comply with directives and standards to develop PIV credentials that are secure and reliable forms for identifying DoD employees and contractors.
President Bush signed the Homeland Security Presidential Directive-12 (HSPD-12) on August 27, 2004. HSPD-12 objectives are to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 establishes a mandatory, Government-wide standard for secure and reliable forms of identificationissued by Federal agencies to their employees and contractors.
The Presidential Directive defines secure and reliable identification as being (a) issued based on sound criteria for verifying an individual employee’s identity; (b) strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) capable of rapid electronic authentication; and (d) issued only by accredited providers. As required by HSPD-12, the Secretary of Commerce promulgated Federal Information Processing Standard (FIPS) 201, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” February 25, 2005, which established minimum requirements for a Federal personal identity verification system (PIV-I) and detailed technical specifications of components and processes required for interoperability of PIV cards (PIV-II). On March 2006, the Secretary of Commerce issued FIPS 201 Change Notice 1 (FIPS 201-1), updating the requirements established by FIPS 201.
Office of Management and Budget (OMB) Memorandum M-05-24, “Implementation of Homeland Security Presidential Directive-12 Policy for a Common Identification Standard for Federal Employees and Contractors,” August 5, 2005, establishes timelines and milestones for FIPS 201-1-compliance. OMB Memorandum M-07-06, “Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials,” January 11, 2007, required all Federal agencies to submit their FIPS 201-1-compliant credential to the General Services Administration for testing by January 19, 2007. The memorandum announced that agencies would be contacted by their Inspector General to ensure business processes are being followed to foster the environment of trust needed for the credentials to be accepted by departments and agencies when deemed appropriate in implementing HSPD-12.
Agencies may elect to implement HSPD-12 through either a transitional or an end-point credential. DoD is the only agency granted transitional status by OMB because DoD already has a smart card program. DoD must achieve the end-point credential specification for all cardholders at some point. OMB established October 27, 2006, as the date for issuing an initial end-point credential by all agencies; however, OMB has not established a deadline for DoD to achieve initial operational capability.
In early 2007, DoD began to issue a limited number of transitional credentials to individuals whose previous credentials had expired. In the quarterly DoD PIV Status Report dated December 26, 2007, DoD reported it had issued 56 credentials as of March 2007. After the issuance of our draft report, the April 1, 2008, quarterly DoD PIV Status Report cited 108,778 total PIV cards issued: 83,659 to employees and 25,119 to contractors. DoD had not completed development of an end-point credential as of May 2008.
The Under Secretary of Defense for Personnel and Readiness is responsible for the timely implementation of HSPD-12 for the Department of Defense. The Defense Manpower Data Center (DMDC) has been assigned responsibility for development of a DoD common access card meeting the requirements of HSPD-12. We visited the DMDC East facility to determine the stage of HSPD-12 compliance and to review common access card (CAC) testing, issuance, and infrastructure. To determine HSPD-12 compliance at installations, we also visited 13 military and Coast Guard installations—all with CAC issuance facilities. We visited Defense Supply Center-Philadelphia and the Defense Logistics Agency concerning a photoless ID cardholder.
Review of Internal Controls
We identified an internal control weakness for DoD as defined by DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,” January 4, 2006. DoD did not have adequate internal controls to ensure DoD compliance with the requirements of HSPD-12. DoD has not issued comprehensive HSPD-12 implementation guidance. Further, existing guidance pertaining to various aspects of HSPD-12 implementation, such as DoD Regulation 5200.08-R and DoD Directive 1000.25, is contrary to HSPD-12 policy. See finding B for specific results of those weaknesses. Implementing the recommendations made in this report will correct the weaknesses. A copy of this report will be provided to the senior official responsible for internal controls in DoD.
A. Implementation of Directive
DoD did not meet the milestones approved by the Office of Management and Budget (OMB) in 2005 for compliance with Homeland Security Presidential Directive-12 (HSPD-12) by 2010. DoD missed these milestones in part because it declared a “strategic pause” in HSPD-12 implementation from April to December 2007, and has not met HSPD-12 minimum standards for its transitional program. In addition, DoD has not provided centralized funding for critical required elements of HSPD-12 implementation.
As a consequence, the intended benefits of HSPD-12 to enhance security, increase Government efficiency, reduce identity fraud, protect personal privacy, and reduce the potential for terrorist exploitation will not begin to be realized by the Department until at least 2012.
Implementation Milestones and Strategic Pause
In June 2005 DoD submitted its HSPD-12 Implementation Plan to OMB for approval. OMB approved DoD milestones for the Personal Identity Verification (PIV)-I and PIV-II requirements to support DoD achieving full compliance with HSPD-12 requirements by April 2010. DoD’s updated January 2008 HSPD-12 Implementation Plan documents the failure of the Department to meet critical HSPD-12 implementation milestones. Implementation challenges remain that threaten to further delay full compliance with HSPD-12 requirements.
DoD attributes the adjustments in implementing HSPD-12 milestones to a strategic pause taken to update infrastructure for issuing CACs. DoD’s transition to a Web services architecture has not been as trouble-free as anticipated. In April 2007, DoD declared a strategic pause in the implementation of the Web version of its issuance infrastructure until December of 2007. After the strategic pause, DoD recommenced with the upgrade of its issuance infrastructure to the Web service architecture and full compliance with the FIPS 201-1, PIV-II requirements. DoD will need a year from the December 2007 reinitiation to upgrade the entire infrastructure. The strategic pause directly affected the Department’s ability to achieve full implementation of HSPD-12 PIV-I and PIV-II requirements.
Personal Identity Verification-I Requirements
PIV-I requirements are the minimum requirements for a Federal personal identification verification system that meets the control and security objectives of HSPD-12, including personal identity proofing and registration, issuance, and privacy protection.
1. PIV identity proofing and registration requirements include the initiation of a National Agency Check with Written Inquiries (NACI) background check. FIPS 201-1 Part 2 requires that when a PIV credential is issued to a Federal employee or contractor without a completed NACI background check, the credential must be electronically distinguishable from that issued to an individual who has completed a NACI background check.
2. PIV issuance requirements state that, at the time of issuance, the PIV applicant’s identity must be verified as the person intended to receive the PIV credential and for whom the background check was completed.
3. Protecting personal privacy is a requirement of the PIV system.
FIPS 201-1 requires that employees and contractors who are issued a PIV credential undergo, at a minimum, a NACI or OPM or National Security community investigation equivalent background check. The background check must be initiated and the fingerprint check completed before the issuance of any PIV credential. Further, at the time of PIV issuance, the issuing official is required to verify the status of the NACI process for the applicant (completed or ongoing). Credentials issued to individuals without a completed NACI or the equivalent must be electronically distinguishable from credentials issued to individuals who have a completed investigation.
Automated Verification of Status
The Director of DMDC issued a memorandum on September 12, 2007, stating that DMDC is working closely with the Office of the Deputy Under Secretary of Defense for Intelligence, Counterintelligence, and Security to establish an automated capability to verify the status of an individual’s background check. However, DoD does not intend to produce identity credentials that will include an electronic indication of the status of a NACI. Further, DoD has yet to establish an automated mechanism to verify that all individuals receiving the PIV credential have at least initiated, if not completed, the required NACI background investigation.
Deadlines for Completion of Background Checks
Office of Management and Budget Memorandum M-05-24 mandates that agencies:
- by October 27, 2007, verify or complete background checks for all current employees and contractors, except for agency employees employed more than 15 years; and
- by October 27, 2008, complete background checks for all Federal department or agency employees employed more than15 years.
DoD did not meet the OMB deadline of October 27, 2007, for current employees and contractors. According to DoD’s January 2008 Implementation Plan, as of December 26, 2007, the following numbers of DoD employees and contractors had not completed the required background checks.
DoD Employees and Contractors With Incomplete Background Checks
Military or Civilian 1,240,214
*DoD’s January 2008 Implementation Plan noted that these numbers may not be an accurate reflection of the completed qualifying investigations, but a reflection of data quality in the DoD Joint Personnel Adjudication System.
HSPD-12 explicitly states that protecting personal privacy is a requirement of the PIV-I implementation policy. All departments and agencies shall implement the PIV system in accordance with the spirit and letter of privacy controls specified by HSPD-12 and in Federal privacy laws and policies. The DoD Geneva Conventions credential for members of the uniformed services does not comply with HSPD-12 or with Federal policies and requirements to reduce identity fraud and protect personal privacy.
The continued display of Social Security numbers on the DoD Geneva Conventions credential is the result of adherence to guidance that does not reflect changes in Federal policies, technological advancements, or the increased need to protect personal information. DoD began displaying the Social Security number on identification badges in 1967. In 2007 OMB instructed Federal departments and agencies to take steps to reduce the risk related to loss of personally identifiable information. In 2007 OMB issued guidance to Federal agencies to eliminate unnecessary use of Social Security numbers and strengthen protection of personal information from loss or theft. In 2006 Congress identified the inherent risk of displaying the full Social Security number on identification credentials and the need to protect individuals’ right to privacy and reduce the risk of identity theft. Printing of the Social Security numbers in conjunction with the individuals’ dates of birth on DoD credentials unnecessarily exposes individuals’ personal privacy information and increases the risk of identity theft.
In response to an FY 2007 congressional request, DoD issued a report to Congress, “Omission of the SSN from the Department of Defense Military Identification Cards,” May 23, 2007. In it, the Under Secretary of Defense for Personnel and Readiness (USD [P&R]) recommended removing the full Social Security number from view on identification credentials, instead displaying only the last four digits. The full Social Security number would be retained in the portable data file 417 two-dimensional barcode and the integrated circuit chip on the credential. No timetable was provided to implement the recommendation, however, nor did the report specify who was responsible for implementation. The current appearance of DoD’s Geneva Conventions credential unnecessarily compromises personal privacy and increases the risk of identity theft and the potential for terrorist exploitation. DoD should immediately require USD(P&R) to implement the recommendation to print only the last four digits of the Social Security number on the Geneva Conventions credential.
Personal Identity Verification-II Requirements
PIV-II requirements are the detailed technical specifications of components and processes required for interoperability of PIV credentials for personal authentication, access controls, and PIV card management across Federal departments and agencies. HSPD-12envisions that when Federal departments and agencies issue and manage the required, fully interoperable PIV credentials, individuals’ identity can be authenticated Government-wide, thus increasing the security of Federal facilities and information systems. DoD did not meet the March 2006 PIV-II initial operational capability implementation milestone approved by OMB in the DoD Implementation Plan, nor did DoD meet the October 2006 OMB milestone for PIV-II implementation.
DoD PIV PKI Authentication Certificate
One of the technical specifications for a PIV-II-compliant card is a Public Key Infrastructure (PKI) authentication certificate. Because of the Department’s strategic pause, resources allocated to support the development of the authentication certificate were reallocated. The reallocation has caused a delay in the development, testing, and issuance of the authentication certificate. As a result, DoD now plans to delay issuance of the authentication certificate until the third quarter of FY 2008. The current DoD credential contains three certificates: (1) digital signature certificate, (2) key management certificate, and (3) card authentication certificate. The DoD Public Key InfrastructureProgram Management Office (PKI PMO), tasked with developing the required PIV PKI authentication certificate, chose to develop a new, fourth certificate to meet HSPD-12, FIPS 201-1, and PIV PKI authentication requirements rather than modify an existing certificate.
The PKI PMO elected to develop authentication certificates using the Federal bridge policy, despite the HSPD-12 requirement that became effective January 1, 2008, to use Common Policy object identifiers. DoD has been lobbying since 2006 to have changes made to FIPS 201-1 so that the Federal bridge policy would be adopted for DoD’s PIV PKI authentication certificate, rather than working toward meeting the current FIPS 201-1 Common Policy requirements. The PKI PMO program manager stated that DoD’s unique infrastructure is too robust to use the Common Policy object identifiers.
DoD is not currently planning to use Common Policy object identifiers in certificates unless the National Institute of Standards and Technology (NIST) promulgates two modifications to the Federal Common Policy object identifiers. The requested modifications to the Common Policy are as follows.
- • Increase the frequency of issuance of the certificate revocation list (CRL). DoD issues the CRL once every 24 hours from 14 certificate authorities. The Common Policy’s smaller 18-hour window will place a strain on system performance, according to DoD.
- • Shorten the NextUpdate time in the CRL. DoD NextUpdate time is 7 days, whereas the Common Policy time is no longer than 48 hours. According to DoD, reduction in the number of days for the next update would cause a large increase in CRL traffic and potentially consume network bandwidth well above what the DoD network is meant to accommodate.
DoD plans to use Common Policy object identifiers in the PIV PKI authentication certificate only after FIPS 201-1 is revised to meet DoD objections, and estimates that implementation will take 1 year. The petition for the two changes has been submitted to the Federal PKI policy authority for approval, but no date has been established for consideration of the two modifications.
DoD PIV End-Point Applet
Because DoD has elected to maintain its current CAC infrastructure, DoD must develop a PIV end-point applet to achieve full interoperability with other Federal agencies for the DoD PIV credential, as required by HSPD-12. The PIV applet, developed by DMDC, will be the intermediary that should allow readers compliant with HSPD-12 to access the necessary information on the DoD credential. After the required approval of the DoD PIV applet by NIST, General Services Administration (GSA) testing of the PIV credential with all the required components must be successfully completed before the DoD credential can be considered end-point-PIV-compliant.
DoD Transitional Credential
OMB granted DoD transitional status for implementation of the PIV system in June 2005. DoD was given until April 2010 for its PIV system to achieve full operational capability for its approximately 3.5 million PIV credentials. DoD plans to issue PIV credentials to DoD employees and contractors as their CACs expire. DoD CACs expire 3 years after issuance. DoD has started issuing some DoD PIV transitional credentials as card issuance workstations are updated to produce the transitional credentials.
Not all cardholders whose CACs expire receive the DoD transitional credential because not all card issuance workstations can issue the transitional credential. Some issuance sites are instructed to exhaust their current stock of noncompliant cards before issuing the DoD PIV transitional credential.
The DoD PIV transitional credentials do not contain either the required PIV PKI authentication certificate or the DoD PIV applet. According to DoD, the transitional credential can be updated at some future time with an approved and tested PIV PKI authentication certificate and PIV applet through downloads from the DMDC Web portal. DoD now projects PIV system full operational capability will occur in the summer of 2012. Achieving full operational capability remains problematic for DoD because of unresolved infrastructure issues and the unavailability of updated workstations required to issue the DoD transitional and eventually the fully compliant end-point PIV credentials.
DMDC is responsible for updating the centrally funded Real-time Automated Personnel Identification System (RAPIDS) workstations to RAPIDS version 7.2 to produce DoD PIV credentials for DoD installations in the continental United States by December 12, 2008. No schedule for deployment of updated RAPIDS workstations has been announced for four installations outside the continental United States, including two in Germany and one each in Djibouti and Greenland. No central funding is planned at installations for acquisition of equipment needed for the transition to physical access control systems that are compliant with HSPD-12 and FIPS 201-1. Installation commanders are responsible for granting access privileges and for funding to update or replace physical access control systems to bring them into compliance. The Military Services did not provide any plans, milestones, or dedicated resources to update or replace physical access control systems to comply with HSPD-12 and FIPS 201-1requirements.
Inconsistent agency approaches to security of facilities and information systems are inefficient and costly, and they increase risk to the Federal Government. On August 27, 2004, President Bush issued a directive to Federal agencies to implement a Government-wide standard for secure and reliable forms of identification for Government employees and contractors. Successful implementation was expected to increase the security of Federal facilities and information systems. The President directed Federal agencies to promptly implement the mandatory, Government-wide standard for secure and reliable forms of identification.
DoD has not met key HSPD-12 implementation milestones for completion of background checks, verification of completed or initiated background checks, or Government-wide interoperability. Additionally, DoD must modify its current Geneva Conventions PIV credential to reduce the potential for identity fraud. Unresolved DoD CAC infrastructure problems continue with no firm date for resolution. As a consequence, the intended benefits of HSPD-12 to enhance security, increase Government efficiency, reduce identity fraud, protect personal privacy, and reduce the potential for terrorist.
For Complete Report: DoD Implementation of Homeland Security Presidential Directive-12 Related IG Report Summary of Information Assurance Weaknesses Found in Audit Reports Issued From August 1, 2007, Through July 31, 2008 Department of Defense Inspector General Website
National Science Foundation (NSF) HSPD-12 Implementation Status Report, June 30, 2009 Homeland Security initiatives at the Social Security Administration TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION, December 14, 2007 Reference Number: 2008-20-030
Barack Obama Administration PPDs
In the Barack Obama Administration, the directives that are used to promulgate Presidential decisions on national security matters are designated Presidential Policy Directives (PPDs). Directives that are used to initiate policy review procedures are called Presidential Study Directives (PSDs)
Presidential Policy Directive Title
|PPD 1||Organization of the National Security Council System||02/13/09|
Sources and Resources
- The 21st Century Interagency Process, National Security Advisory Gen. James L. Jones, March 19, 2009, via New NSC memo: Jones on the 21st century interagency process by Laura Rozen, The Cable, April 6, 2009
- National Security Structure Is Set by Karen DeYoung, Washington Post, February 27, 2009
- NSC Gets a Face Lift by Josh Gerstein, Politico, February 27, 2009
George W. Bush Administration NSPDs
In the George W. Bush Administration, the directives that are used to promulgate Presidential decisions on national security matters are designated National Security Presidential Directives (NSPDs). As discussed in NSPD 1, this new category of directives replaces both the Presidential Decision Directives and the Presidential Review Directives of the previous Administration. Unless other otherwise indicated, however, past Directives remain in effect until they are superseded. The first directive, dated 13 February 2001, was formally approved for release by the National Security Council staff on 13 March 2001. On October 29, 2001, President Bush issued the first of a new series of Homeland Security Presidential Directives (HSPDs) governing homeland security policy.
National Security Presidential Directive Title
|NSPD 1||Organization of the National Security Council System||13 February 01|
|NSPD 2||Improving Military Quality of Life||15 February 01|
|NSPD 3||Defense Strategy, Force Structure, and Procurement||15 February 01|
|NSPD 4||Transforming Deterrence||15 February 01|
|NSPD 5||[Review of U.S. intelligence]||9 May 01|
|NSPD 8||National Director and Deputy National Security Advisor for Combating Terrorism|
|NSPD 9||Defeating the Terrorist Threat to the United States||25 October 01|
|NSPD 10||U.S. Strategic Nuclear Force||21 December 01|
|NSPD 12||United States Citizens Taken Hostage Abroad||18 February 02|
|NSPD 13||[on conventional arms transfers]|
|NSPD 14||[Nuclear Weapons Planning Guidance]|
|NSPD 15||National Space Policy Review [resulting in U.S. Commercial Remote Sensing Policy, 25 April 2003]||28 June 02|
|NSPD 16||[To Develop Guidelines for Offensive Cyber-Warfare]||XX July 02(?)|
|NSPD 17||[National Strategy to Combat Weapons of Mass Destruction] (unclassified version)(PDF)||11 Dec 02(unclassified) 14 Sep 02(classified)|
|NSPD XX(?)||[Authorizing Training for Iraqi Opposition Forces]||03 Oct 02(?)|
|NSPD 18||Supporting Democracy in Colombia||Nov 02|
|NSPD 19||[Review of Defense Trade Export Policy]|
|NSPD 20||Counterproliferation Interdiction|
|NSPD 21||Support for Inspections in Iraq||Nov 02|
|NSPD 22||Trafficking in Persons||16 Dec 02|
|NSPD 23||National Policy on Ballistic Missile Defense||16 Dec 02|
|NSPD 24||[Post-War Iraq Reconstruction]||20 January 2003|
|NSPD 25||[directs U.S. government agencies to attack the vulnerabilities of drug trafficking organizations]|
|NSPD 26||Intelligence Priorities|
|NSPD 27||U.S. Commercial Remote Sensing Space Policy||25 April 2003|
|NSPD 28||United States Nuclear Weapons Command and Control, Safety, and Security||20 June 2003|
|NSPD 29||[Transition to Democracy in Cuba]||30 November 2003|
|NSPD 31||U.S. Space Exploration Policy||14 January 2004|
|NSPD 32||[Latin America Policy]|
|NSPD 33||Biodefense for the 21st Century||28 April 2004|
|NSPD 34||Fiscal Year 2004-2012 Nuclear Weapons Stockpile Plan||May 2004|
|NSPD 35||Nuclear Weapons Deployment Authorization||6 May 2004|
|NSPD 36||United States Government Operations in Iraq||11 May 2004|
|NSPD 37||Relating to Support of Iraqi Government||2004|
|NSPD 38||National Strategy to Secure Cyberspace||2004|
|NSPD 39||U.S. Space-Based Position, Navigation, and Timing Policy||08 December 2004|
|NSPD 40||U.S. Space Transportation Policy||21 December 2004|
|NSPD 41||Maritime Security Policy||21 December 2004|
|NSPD 42||On Significant Military Exercise Briefs (SMEB)||26 January 2005|
|NSPD 43||Domestic Nuclear Detection||15 April 2005|
|NSPD 44||Management of Interagency Efforts Concerning Reconstruction and Stabilization (Fact Sheet)||7 December 2005|
|NSPD 46||U.S. Strategy and Policy in the War on Terror||6 March 2006|
|NSPD 47||National Strategy for Aviation Security||22 June 2006|
|NSPD 48||Nuclear Materials Information Program||28 August 2006|
|NSPD 49||U.S. National Space Policy||31 August 2006|
|NSPD 50||U.S. Strategy for Sub-Saharan Africa||2007|
|NSPD 51||National Continuity Policy||4 April 2007|
|NSPD 54||Cyber Security and Monitoring||8 January 2008|
|NSPD 55||[on dual-use export controls]||January 2008|
|NSPD 56||Defense Trade Reform||22 January 2008|
|NSPD 57||Implementation of the US-IAEA Additional Protocol||04 February 2008|
|NSPD 58||Advancing the Freedom Agenda (Fact Sheet)||21 May 2008 (?)|
|NSPD 59||Biometrics for Identification and Screening to Enhance National Security||5 June 2008|
|NSPD 66||Arctic Region Policy||9 January 20|
Homeland Security Presidential Directive Title
|HSPD 1||Organization and Operation of the Homeland Security Council||29 Oct 01|
|HSPD 2||Combating Terrorism Through Immigration Policies||29 Oct 01|
|HSPD 3||Homeland Security Advisory System||11 March 02|
|HSPD 4||National Strategy to Combat Weapons of Mass Destruction (unclassified version)||11 December 02|
|HSPD 5||Management of Domestic Incidents [Initial National Response Plan, 30 September 03]||28 February 03|
|HSPD 6||Integration and Use of Screening Information to Protect Against Terrorism||16 September 03|
|HSPD 7||Critical Infrastructure Identification, Prioritization, and Protection||17 December 03|
|HSPD 8||National Preparedness||17 December 03|
|HSPD 9||Defense of United States Agriculture and Food||30 January 04|
|HSPD 10||Biodefense for the 21st Century||28 April 04|
|HSPD 11||Comprehensive Terrorist-Related Screening Procedures||27 August 04|
|HSPD 12||Policy for a Common Identification Standard for Federal Employees and Contractors||27 August 04|
|HSPD 13||Maritime Security Policy||21 December 2004|
|HSPD 14||Domestic Nuclear Detection||15 April 2005|
|HSPD 15||U.S. Strategy and Policy in the War on Terror (classified directive)||6 March 2006|
|HSPD 16||National Strategy for Aviation Security||22 June 2006|
|HSPD 17||Nuclear Materials Information Program||28 August 2006|
|HSPD 18||Medical Countermeasures Against Weapons of Mass Destruction||31 January 2007|
|HSPD 19||Combating Terrorist Use of Explosives in the United States||12 February 2007|
|HSPD 20||National Continuity Policy||4 April 2007|
|HSPD 21||Public Health and Medical Preparedness||18 October 2007|
|HSPD 22||Domestic Chemical Defense|
|HSPD 23||Cyber Security and Monitoring||8 January 2008|
|HSPD 24||Biometrics for Identification and Screening to Enhance National Security||5 June 2008|
|HSPD 25||Arctic Region Policy||9 January 2009|
Sources and Resources
- Application of the National Security Exclusion to the Agreements Between the United States of America and the International Atomic Energy Agency for the Application of Safeguards in the United States of America, Department of Defense Instruction 2060.03, November 13, 2008 (NSPD 57)
- Interim Report on Interagency National Personnel Recovery Architecture, Institute for Defense Analyses, July 2003 (NSPD 12)
- Reinvigorating the Air Force Nuclear Enterprise, Prepared by the Air Force Nuclear Task Force, 24 October 2008
- National Security Presidential Directive 31 – space program, wikileaks.org, August 6, 2008
- Compilation of Homeland Security Presidential Directives (HSPD) through December 31, 2007, House Homeland Security Committee, January 2008
- Bush Order Expands Network Monitoring by Ellen Nakashima, Washington Post, January 26, 2008
- President Issues Export Controls Directive to Reform U.S. Defense Trade Policies and Practices, State Department Fact Sheet, January 22, 2008
- Bush ordered plans for air travel safety by Paul Caffera, San Francisco Chronicle, August 20, 2006
- President Issues ‘War On Terror’ Directive To Improve Government Coordination by Jason Sherman, InsideDefense.com, March 8, 2006
- Presidential Directive Tells Pentagon, DHS to Develop Maritime Security Policies by Jason Sherman, InsideDefense.com, March 17, 2005
- New Bush national security directive on maritime issues charts Administration course during his second term by Martin Edwin Andersen, Port Security News, January 18, 2005
- Bioterrorism Procedures Are Outlined by John Mintz, Washington Post, April 29, 2004.
- Bush Case on Defense Plan Cites N. Korea by Bill Gertz, The Washington Times, May 27, 2003 (on NSPD 23).
- U.S. Plan For Iraq’s Future Is Challenged; Pentagon Control, Secrecy Questioned, by Karen DeYoung and Dan Morgan, Washington Post, April 6, 2003 (on NSPD 24).
- Bush Orders Guidelines for Cyber-Warfare, by Bradley Graham, Washington Post, February 7, 2003, p. A1.
- Bush Approves Nuclear Response by Nicholas Kralev, Washington Times, January 31, 2003.
- Preemptive Strikes Part Of U.S. Strategic Doctrine, by Mike Allen and Barton Gellman, Washington Post, December 11, 2002, p. A1.
- Training of Iraqi Exiles Authorized; U.S. to Ready 5,000 Foes Of Hussein for Combat, by Karen DeYoung and Daniel Williams, Washington Post, October 19, 2002, p. A1.
- “Directive Says Rice, Bush Aide, Won’t Be Upstaged by Cheney,” by Jane Perlez, New York Times, February 16, 2001
For more detailed explanations why Griffin’s JPL rebadging directive is wrong, see our In-Depth Information page.
Letters to and from Government Officials and Representatives
- Letter from Dr. Linda Spilker, Dr. Bonnie J. Buratti, Dr. Candice Hansen, Trina L. Ray, Dr. Amanda Hendrix, Susan Paradise, Dr. Amanda K. Mainzer, and Dr. Amy Snyder Hale to Senator Barbara Boxer, with copies to all women senators.“We write to you as a community of women scientists and engineers [...] Our mothers’ era was marked by the struggle for equal protection under the Constitution. What legacy will we leave our daughters if we allow those rights to erode?”
- Letter from Gordon H. Mansfield, Deputy Secretary of Veterans Affairs, to Joshua Bolten, Director of the Office of Management and Budget, May 9, 2005
- Letter from Nelson et al. to Congressmen Holt and EhlersApril 26, 2007, from JPL employees Robert M. Nelson, Dennis L. Matson, Kevin H. Baines, and Timothy J. Parker.
- Letter from Robert M. Nelson to Congressman Schiff, March 17, 2007
- Letter from Dennis V. Byrnes to Congressman Dreier, April 7, 2007
- Letter from Congressman Holt to Commerce Secretary Gutierrez, May 21, 2007May 21, 2007, from Congressman Holt, requesting a meeting to address the changes necessary to the implementation of HSPD 12.
- Response from Michael D. Griffin, NASA Administrator, to Congressman Adam Schiff
- Response from NIST to Congressman Holt’s letter of May 21, indicates that NIST thinks the standard they wrote for personal identity verification does not require suitability checks.
Essays and Other Documents
- My Problems with HSPD-12, John Cooper (GSFC contractor), April-May, 2007.
- Improved “Authorization for Release of Information” An unofficial revised version of the SF85 release form. This attempts to fix some of the problems with the official one.
- PIV NewsNIST PIV Program News
- PIV Information Computer Security Division of NIST, Department of Commerce
- Federal Identity Credentialing Committee
- http://govtsecurity.com/mag/plan_ahead_maximize/index.htmlPlanning ahead to maximize benefits [sic] to HSPD-12 investment
- http://www.smartcard.gov/information/FSCPMmarch2005/TonyCieri.pdfPIV Supporting Documents
- http://www.smartcard.gov/information/FSCPMmarch2005/JohnMoore.pdfFederal Identity Management and Smart Cards
- Shared Service Providers
- [http://www.fips201.com FIPS201.com, a source of comparative information for GSA-approved FIPS 201 products]
- The Privacy Act of 1974 http://www.usdoj.gov/oip/privstat.htm
- California Constitution http://www.leginfo.ca.gov/const-toc.html
- Electronic Privacy Information Center ( RFID ) http://www.epic.org/privacy/rfid/