If a deadline falls on federal agencies, and most of them don't meet it, do any of them pay a penalty?

That's the sort of philosophical question security managers and their vendors are chewing on as the first deadline for the federal government's HSPD-12 compliance guidelines arrives today.

Homeland Security Presidential Directive 12, issued more than two years ago, requires all federal agencies to implement a system of tokens -- principally smartcards -- that deliver a common, two-factor authentication method for accessing both doors and computer systems in federal buildings.

One of the principal deadlines for HSPD-12 compliance was Oct. 27, 2006 -- today. But a lack of funding for HSPD-12 projects, as well as some confusion over what was required for today's deadline, has left most agencies bogged down in the earliest testing phases of the technology -- if they have gotten that far.

"This is an instance where the government issued a very strong mandate with very weak language," says Deepak Kanwar, head of the HSPD-12 Consortium, a group of security and risk management vendors that are working to develop interoperable technology that meets the compliance guidelines. "There are no clearly defined penalties for non-compliance. Many of the agencies still don't have any funding for their projects."

Andrea Wuebker, deputy press secretary at the White House Office of Management and Budget (OMB), was quoted yesterday as saying that federal agencies are "preparing to comply" with HSPD-12, but she did not give any specific numbers on how many agencies had met the deadline.

One of the chief problems is that federal agencies must rob money from other IT and security projects in order to pay for HSPD-12. "OMB's only instruction to agencies regarding paying for HSPD-12 program mandates is to find funding within existing budgets and merely redirect funds already being spent on badging, physical access, authentication, and authorization," noted INPUT, an IT research consultancy, in a report issued earlier this year.

"When we talk to the agencies, we're still finding a lot of people who are searching for funding in order to buy products," says Marc Van Zadelhoff, vice president of marketing and business development at Consul Risk Management, another member of the HSPD-12 Consortium.

HSPD-12 also has been sidetracked by some confusion over the meaning of today's deadline, observers say. At one point, many agencies believed that they had to put smartcards into the hands of all their employees by today, which caused a near-panic among some IT organizations. But after reading the requirements more closely, most agencies now believe that today's deadline only means that they must have the ability to issue smartcards -- a subtle but important difference.

"What that means is that the agencies have basically chosen a vendor and can demonstrate the ability to do it," says Kanwar, who is also director of product management and marketing at security tool vendor SafeNet. "That was all they needed to meet today's deadline. As a result, we've seen orders of 100 or 500 cards from agencies that have employees in the tens of thousands."

While the compliance guidelines have not yet brought smartcard access to federal agencies, the initiative has forced them to bring together people and departments that previously did not communicate, such as those who handle physical building security and those that handle IT security. "Those people previously worked in silos, but now they're working on project teams together," says Kanwar.

Those early meetings have helped federal agencies recognize both the potential value and the stiff challenges presented by a system that works on both building doors and desktop computers, observers say. "They're seeing the value of being able to correlate who's in the building with who's trying to go online," says Van Zadelhoff. "But they're also seeing that issuing smartcards also means being able to monitor users' activity and managing the lifecycle of the cards."

And so, despite the arrival of today's deadline, most experts agree that it may be two or three years before HSPD-12 protection is deployed widely at government sites. "I think the agencies are mostly on board now, and they will get there," Kanwar says. "But it's not going to happen today."

— Tim Wilson, Site Editor, Dark Reading