

HSPD-12's Toothless Deadline

US federal government's mandate for physical and logical security plagued by confusion, lack of funding

If a deadline falls on federal agencies, and most of them don't meet it, do any of them pay a penalty?

That's the sort of philosophical question security managers and their vendors are chewing on as the first deadline for the federal government's HSPD-12 compliance guidelines arrives today.

Homeland Security Presidential Directive 12, issued more than two years ago, requires all federal agencies to implement a system of tokens -- principally smartcards -- that deliver a common, two-factor authentication method for accessing both doors and computer systems in federal buildings.

One of the principal deadlines for HSPD-12 compliance was Oct. 27, 2006 -- today. But a lack of funding for HSPD-12 projects, as well as some confusion over what was required for today's deadline, has left most agencies bogged down in the earliest testing phases of the technology -- if they have gotten that far.

"This is an instance where the government issued a very strong mandate with very weak language," says Deepak Kanwar, head of the HSPD-12 Consortium, a group of security and risk management vendors that are working to develop interoperable technology that meets the compliance guidelines. "There are no clearly defined penalties for non-compliance. Many of the agencies still don't have any funding for their projects."

Andrea Wuebker, deputy press secretary at the White House Office of Management and Budget (OMB), was quoted yesterday as saying that federal agencies are "preparing to comply" with HSPD-12, but she did not give any specific numbers on how many agencies had met the deadline.

One of the chief problems is that federal agencies must rob money from other IT and security projects in order to pay for HSPD-12. "OMB's only instruction to agencies regarding paying for HSPD-12 program mandates is to find funding within existing budgets and merely redirect funds already being spent on badging, physical access, authentication, and authorization," noted INPUT, an IT research consultancy, in a report issued earlier this year.

"When we talk to the agencies, we're still finding a lot of people who are searching for funding in order to buy products," says Marc Van Zadelhoff, vice president of marketing and business development at Consul Risk Management, another member of the HSPD-12 Consortium.

HSPD-12 also has been sidetracked by some confusion over the meaning of today's deadline, observers say. At one point, many agencies believed that they had to put smartcards into the hands of all their employees by today, which caused a near-panic among some IT organizations. But after reading the requirements more closely, most agencies now believe that today's deadline only means that they must have the ability to issue smartcards -- a subtle but important difference.

"What that means is that the agencies have basically chosen a vendor and can demonstrate the ability to do it," says Kanwar, who is also director of product management and marketing at security tool vendor SafeNet. "That was all they needed to meet today's deadline. As a result, we've seen orders of 100 or 500 cards from agencies that have employees in the tens of thousands."

While the compliance guidelines have not yet brought smartcard access to federal agencies, the initiative has forced them to bring together people and departments that previously did not communicate, such as those who handle physical building security and those that handle IT security. "Those people previously worked in silos, but now they're working on project teams together," says Kanwar.

Those early meetings have helped federal agencies recognize both the potential value and the stiff challenges presented by a system that works on both building doors and desktop computers, observers say. "They're seeing the value of being able to correlate who's in the building with who's trying to go online," says Van Zadelhoff. "But they're also seeing that issuing smartcards also means being able to monitor users' activity and managing the lifecycle of the cards."
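The correlation Van Zadelhoff describes, as an added example that is not from the article or from either vendor: badge-reader entries and exits are matched against workstation logons, and a logon from an in-building workstation whose user holds no current badge-in is flagged. The event shapes, the sample records and the 12-hour staleness cutoff are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BadgeEvent:
    when: datetime
    user: str
    building: str
    direction: str  # "in" (door entry) or "out" (door exit)

@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    building: str  # building where the workstation is installed

def badged_in(badges, user, building, at, max_age=timedelta(hours=12)):
    """True if the user's latest badge event for this building before `at` is an entry
    no older than max_age; an older entry usually means a missed badge-out (assumed cutoff)."""
    prior = [b for b in badges if b.user == user and b.building == building and b.when <= at]
    if not prior:
        return False
    last = max(prior, key=lambda b: b.when)
    return last.direction == "in" and at - last.when <= max_age

def logons_without_presence(badges, logons):
    """Return the logons from in-building workstations whose user is not badged in."""
    return [lg for lg in logons if not badged_in(badges, lg.user, lg.building, lg.when)]

def t(day, hour, minute):
    return datetime(2006, 10, day, hour, minute)

# Constructed sample data, not real agency logs.
BADGES = [
    BadgeEvent(t(27, 8, 2), "alice", "HQ", "in"),
    BadgeEvent(t(27, 12, 30), "alice", "HQ", "out"),
    BadgeEvent(t(27, 8, 45), "bob", "HQ", "in"),
    BadgeEvent(t(26, 7, 0), "dave", "HQ", "in"),   # previous day, never badged out
]
LOGONS = [
    LogonEvent(t(27, 8, 10), "alice", "HQ"),   # badged in 8 minutes earlier: fine
    LogonEvent(t(27, 13, 5), "alice", "HQ"),   # badged out at 12:30: flag
    LogonEvent(t(27, 9, 0), "carol", "HQ"),    # no badge record at all: flag
    LogonEvent(t(27, 9, 15), "bob", "HQ"),     # fine
    LogonEvent(t(27, 9, 0), "dave", "HQ"),     # badge-in is 26 hours old: flag
]

if __name__ == "__main__":
    for lg in logons_without_presence(BADGES, LOGONS):
        print(f"{lg.when:%H:%M} {lg.user} logged on in {lg.building} without a matching badge-in")
```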

And so, despite the arrival of today's deadline, most experts agree that it may be two or three years before HSPD-12 protection is deployed widely at government sites. "I think the agencies are mostly on board now, and they will get there," Kanwar says. "But it's not going to happen today."

— Tim Wilson, Site Editor, Dark Reading

  • Consul Risk Management Inc.
  • SafeNet Inc. (Nasdaq: SFNT)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
