I just finished reading through the newly released M-11-11, “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors”.
Disclaimer: The following is my interpretation of M-11-11 … I have no authority or influence over actual requirements. My opinions, interpretations or recommendations in no way constitute official guidance. Please refer to the official documentation for official guidance.
That being said, here are a few key points:
- By February 25, 2011 – Agencies SHOULD designate a lead official for ensuring the issuance of the agency’s HSPD-12 implementation policy.
- By March 31, 2011 – Each Agency SHOULD develop and issue an implementation policy, through which the agency will require the use of PIV as the common means of authentication.
- Effective immediately (February 3, 2011) – All new systems under development MUST be PIV enabled (according to NIST guidelines) prior to becoming operational.
- Effective beginning of FY2012 (October 2011) – All existing physical and logical access control systems MUST be upgraded to use PIV (according to NIST guidelines), prior to using funds to complete other activities.
- Procurements for services and products involving facility (PACS) or system access (LACS) MUST be in accordance with HSPD-12 and the Federal Acquisition Regulation.
- Agency processes MUST accept and electronically verify PIV credentials issued by other federal agencies.
- The government-wide architecture and completion of agency transition plans MUST align (as described in the Federal CIO Council’s “Federal Identity, Credential and Access Management Roadmap and Implementation Guidance”).
Basically, what this is saying is that now that the majority of the federal workforce has been issued HSPD-12 cards, it’s time to start utilizing them. I am currently working with one Federal agency to develop their architecture to implement support for the requirements in this memo. I would be more than happy to talk shop with anyone that is interested.
Nishant Kaushik, from Oracle, has provided slides that explain Oracle’s IDM product suite and how it addresses the Federal ICAM requirements. I suggest taking a look at that. Additionally, Anil John (JHU) is doing a lot of research on the Federal ICAM initiatives. He has done a lot of great work and blogged about it.
2 thoughts on “Key points from #M-11-11 (#HSPD12 and #ICAM)”
>All existing physical and logical access control systems
>MUST be upgraded to use PIV (according to NIST guidelines)
>prior to using funds to complete other activities
I would say that the mention of “… prior to the agency using development and technology refresh funds to complete other activities” is the aspect that makes this memo of particular interest and urgency to federal agencies, and different from past memos.
I agree with your assessment that the pressure is now on agencies to use the government issued cards in ways envisioned in the original HSPD-12 document. Suggested use cases were for strong identity verification, and for access to government buildings and logical resources.
We would be happy to “talk shop” with you on how we have assisted numerous agencies in deploying FIPS201-based physical/logical access control solutions.