
HSPD-12's Toothless Deadline

US federal government's mandate for physical and logical security plagued by confusion, lack of funding

If a deadline falls on federal agencies, and most of them don't meet it, do any of them pay a penalty?

That's the sort of philosophical question security managers and their vendors are chewing on as the first deadline for the federal government's HSPD-12 compliance guidelines arrives today.

Homeland Security Presidential Directive 12, issued more than two years ago, requires all federal agencies to implement a system of tokens -- principally smartcards -- that deliver a common, two-factor authentication method for accessing both doors and computer systems in federal buildings.

One of the principal deadlines for HSPD-12 compliance was Oct. 27, 2006 -- today. But a lack of funding for HSPD-12 projects, as well as some confusion over what was required for today's deadline, has left most agencies bogged down in the earliest testing phases of the technology -- if they have gotten that far.

"This is an instance where the government issued a very strong mandate with very weak language," says Deepak Kanwar, head of the HSPD-12 Consortium, a group of security and risk management vendors that are working to develop interoperable technology that meets the compliance guidelines. "There are no clearly defined penalties for non-compliance. Many of the agencies still don't have any funding for their projects."

Andrea Wuebker, deputy press secretary at the White House Office of Management and Budget (OMB), was quoted yesterday as saying that federal agencies are "preparing to comply" with HSPD-12, but she did not give any specific numbers on how many agencies had met the deadline.

One of the chief problems is that federal agencies must rob money from other IT and security projects in order to pay for HSPD-12. "OMB's only instruction to agencies regarding paying for HSPD-12 program mandates is to find funding within existing budgets and merely redirect funds already being spent on badging, physical access, authentication, and authorization," noted INPUT, an IT research consultancy, in a report issued earlier this year.

"When we talk to the agencies, we're still finding a lot of people who are searching for funding in order to buy products," says Marc Van Zadelhoff, vice president of marketing and business development at Consul Risk Management, another member of the HSPD-12 Consortium.

HSPD-12 also has been sidetracked by some confusion over the meaning of today's deadline, observers say. At one point, many agencies believed that they had to put smartcards into the hands of all their employees by today, which caused a near-panic among some IT organizations. But after reading the requirements more closely, most agencies now believe that today's deadline only means that they must have the ability to issue smartcards -- a subtle but important difference.

"What that means is that the agencies have basically chosen a vendor and can demonstrate the ability to do it," says Kanwar, who is also director of product management and marketing at security tool vendor SafeNet. "That was all they needed to meet today's deadline. As a result, we've seen orders of 100 or 500 cards from agencies that have employees in the tens of thousands."

While the compliance guidelines have not yet brought smartcard access to federal agencies, the initiative has forced them to bring together people and departments that previously did not communicate, such as those who handle physical building security and those who handle IT security. "Those people previously worked in silos, but now they're working on project teams together," says Kanwar.

Those early meetings have helped federal agencies recognize both the potential value and the stiff challenges presented by a system that works on both building doors and desktop computers, observers say. "They're seeing the value of being able to correlate who's in the building with who's trying to go online," says Van Zadelhoff. "But they're also seeing that issuing smartcards also means being able to monitor users' activity and managing the lifecycle of the cards."

And so, despite the arrival of today's deadline, most experts agree that it may be two or three years before HSPD-12 protection is deployed widely at government sites. "I think the agencies are mostly on board now, and they will get there," Kanwar says. "But it's not going to happen today."

— Tim Wilson, Site Editor, Dark Reading
