
HSPD-12's Toothless Deadline

US federal government's mandate for physical and logical security plagued by confusion, lack of funding

If a deadline falls on federal agencies, and most of them don't meet it, do any of them pay a penalty?

That's the sort of philosophical question security managers and their vendors are chewing on as the first deadline for the federal government's HSPD-12 compliance guidelines arrives today.

Homeland Security Presidential Directive 12, issued more than two years ago, requires all federal agencies to implement a system of tokens -- principally smartcards -- that deliver a common, two-factor authentication method for accessing both doors and computer systems in federal buildings.

One of the principal deadlines for HSPD-12 compliance was Oct. 27, 2006 -- today. But a lack of funding for HSPD-12 projects, as well as some confusion over what was required for today's deadline, has left most agencies bogged down in the earliest testing phases of the technology -- if they have gotten that far.

"This is an instance where the government issued a very strong mandate with very weak language," says Deepak Kanwar, head of the HSPD-12 Consortium, a group of security and risk management vendors that are working to develop interoperable technology that meets the compliance guidelines. "There are no clearly defined penalties for non-compliance. Many of the agencies still don't have any funding for their projects."

Andrea Wuebker, deputy press secretary at the White House Office of Management and Budget (OMB), was quoted yesterday as saying that federal agencies are "preparing to comply" with HSPD-12, but she did not give any specific numbers on how many agencies had met the deadline.

One of the chief problems is that federal agencies must rob money from other IT and security projects in order to pay for HSPD-12. "OMB's only instruction to agencies regarding paying for HSPD-12 program mandates is to find funding within existing budgets and merely redirect funds already being spent on badging, physical access, authentication, and authorization," noted INPUT, an IT research consultancy, in a report issued earlier this year.

"When we talk to the agencies, we're still finding a lot of people who are searching for funding in order to buy products," says Marc Van Zadelhoff, vice president of marketing and business development at Consul Risk Management, another member of the HSPD-12 Consortium.

HSPD-12 also has been sidetracked by some confusion over the meaning of today's deadline, observers say. At one point, many agencies believed that they had to put smartcards into the hands of all their employees by today, which caused a near-panic among some IT organizations. But after reading the requirements more closely, most agencies now believe that today's deadline only means that they must have the ability to issue smartcards -- a subtle but important difference.

"What that means is that the agencies have basically chosen a vendor and can demonstrate the ability to do it," says Kanwar, who is also director of product management and marketing at security tool vendor SafeNet. "That was all they needed to meet today's deadline. As a result, we've seen orders of 100 or 500 cards from agencies that have employees in the tens of thousands."

While the compliance guidelines have not yet brought smartcard access to federal agencies, the initiative has forced them to bring together people and departments that previously did not communicate, such as those who handle physical building security and those that handle IT security. "Those people previously worked in silos, but now they're working on project teams together," says Kanwar.

Those early meetings have helped federal agencies recognize both the potential value and the stiff challenges presented by a system that works on both building doors and desktop computers, observers say. "They're seeing the value of being able to correlate who's in the building with who's trying to go online," says Van Zadelhoff. "But they're also seeing that issuing smartcards also means being able to monitor users' activity and managing the lifecycle of the cards."
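The correlation Van Zadelhoff describes, badge reads against logons, is what a combined physical/logical system makes possible. The following is an added illustration, not code from the article or from any HSPD-12 vendor: it takes constructed door-controller and workstation logon events (formats assumed) and flags logons with no matching badge-in window.

```python
from datetime import datetime

# Constructed sample events (not from the article).
# Badge reads: (timestamp, user, door, direction)
BADGE_EVENTS = [
    ("2006-10-27T08:02:00", "alice", "HQ-Lobby", "entry"),
    ("2006-10-27T08:10:00", "bob", "HQ-Lobby", "entry"),
    ("2006-10-27T12:30:00", "bob", "HQ-Lobby", "exit"),
]
# Workstation logons: (timestamp, user, host)
LOGON_EVENTS = [
    ("2006-10-27T08:05:00", "alice", "ws-alice-01"),  # inside alice's badge-in window
    ("2006-10-27T13:15:00", "bob", "ws-bob-01"),      # bob badged out at 12:30
    ("2006-10-27T09:00:00", "carol", "ws-carol-01"),  # no badge read for carol at all
]


def presence_intervals(badge_events):
    """Per-user (entry, exit) windows built from door events; exit is None if still inside."""
    intervals, open_entry = {}, {}
    for ts, user, _door, direction in sorted(badge_events):
        t = datetime.fromisoformat(ts)
        if direction == "entry":
            open_entry[user] = t
        elif direction == "exit" and user in open_entry:
            intervals.setdefault(user, []).append((open_entry.pop(user), t))
    for user, t in open_entry.items():  # badged in, never badged out
        intervals.setdefault(user, []).append((t, None))
    return intervals


def logons_without_presence(badge_events, logon_events):
    """Return (user, logon_ts, host, reason) for logons no badge-in window covers."""
    intervals = presence_intervals(badge_events)
    findings = []
    for ts, user, host in logon_events:
        t = datetime.fromisoformat(ts)
        spans = intervals.get(user, [])
        if not spans:
            findings.append((user, ts, host, "no badge-in on record"))
        elif not any(start <= t and (end is None or t <= end) for start, end in spans):
            findings.append((user, ts, host, "logon outside badge-in window"))
    return findings


if __name__ == "__main__":
    for finding in logons_without_presence(BADGE_EVENTS, LOGON_EVENTS):
        print(finding)
```

In a real deployment, remote-access (VPN) logons are expected without a badge read and should be handled as a separate category rather than flagged by this rule.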

And so, despite the arrival of today's deadline, most experts agree that it may be two or three years before HSPD-12 protection is deployed widely at government sites. "I think the agencies are mostly on board now, and they will get there," Kanwar says. "But it's not going to happen today."

— Tim Wilson, Site Editor, Dark Reading
