I just finished reading through the newly released M-11-11, “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors“.
Disclaimer: The following is my interpretation of M-11-11 … I have no authority or influence over actual requirements. My opinions, interpretations or recommendations in no way constitute official guidance. Please refer to the official documentation for official guidance.
That being said, here are a few key points:
- By February 25, 2011 – Agencies SHOULD designate a lead official for ensuring the issuance of they agency’s HSPD-12 implementation policy.
- By March 31, 2011 – Each Agency SHOULD develop and issue an implementation policy, through which the agency will require the use of PIV as the common means of authentication.
- Effective immediately (February 3, 2011) – All new systems under development MUST be PIV enabled (according to NIST guidelines) prior to becoming operational
- Effective beginning of FY2012 (October 2011) – All existing physical and logical access control systems MUST be upgraded to use PIV (according to NIST guidelines), prior to using funds to complete other activities.
- Procurements for services and products, involving facility (PACS) or system access (LACS) MUST be in accordance with HSPD-12 and the Federal Acquisition Regulation.
- Agency processes MUST accept and electronically verify PIV credentials issued by other federal agencies.
- The government-wide architecture and completion of agency transition plans MUST align (as described in the Federal CIO Council’s “Federal Identity, Credential and Access Management Roadmap and Implementation Guidance“
Basically what this is saying is now that the majority of the federal workforce has been issued HSPD-12 cards it’s time to starting utilizing them. I am currently working with one Federal agency to develop their architecture to implement support for the requirements in this memo. I would be more than happy to talk shop with anyone that is interested.
Nishant Kaushik, from Oracle has provided slides that explain Oracle’s IDM product suite and how it addresses the Federal ICAM requirements. I suggest taking a look at that. Additionally, Anil John (JHU) is doing a lot of research on the Federal ICAM initiatives. He has done a lot of great work and blogged about it.