
HSPD-12's Toothless Deadline

US federal government's mandate for physical and logical security plagued by confusion, lack of funding

If a deadline falls on federal agencies, and most of them don't meet it, do any of them pay a penalty?

That's the sort of philosophical question security managers and their vendors are chewing on as the first deadline for the federal government's HSPD-12 compliance guidelines arrives today.

Homeland Security Presidential Directive 12, issued more than two years ago, requires all federal agencies to implement a system of tokens -- principally smartcards -- that deliver a common, two-factor authentication method for accessing both doors and computer systems in federal buildings.

One of the principal deadlines for HSPD-12 compliance was Oct. 27, 2006 -- today. But a lack of funding for HSPD-12 projects, as well as some confusion over what was required for today's deadline, has left most agencies bogged down in the earliest testing phases of the technology -- if they have gotten that far.

"This is an instance where the government issued a very strong mandate with very weak language," says Deepak Kanwar, head of the HSPD-12 Consortium, a group of security and risk management vendors that are working to develop interoperable technology that meets the compliance guidelines. "There are no clearly defined penalties for non-compliance. Many of the agencies still don't have any funding for their projects."

Andrea Wuebker, deputy press secretary at the White House Office of Management and Budget (OMB), was quoted yesterday as saying that federal agencies are "preparing to comply" with HSPD-12, but she did not give any specific numbers on how many agencies had met the deadline.

One of the chief problems is that federal agencies must rob money from other IT and security projects in order to pay for HSPD-12. "OMB's only instruction to agencies regarding paying for HSPD-12 program mandates is to find funding within existing budgets and merely redirect funds already being spent on badging, physical access, authentication, and authorization," noted INPUT, an IT research consultancy, in a report issued earlier this year.

"When we talk to the agencies, we're still finding a lot of people who are searching for funding in order to buy products," says Marc Van Zadelhoff, vice president of marketing and business development at Consul Risk Management, another member of the HSPD-12 Consortium.

HSPD-12 has also been sidetracked by some confusion over the meaning of today's deadline, observers say. At one point, many agencies believed that they had to put smartcards into the hands of all their employees by today, which caused a near-panic among some IT organizations. But after reading the requirements more closely, most agencies now believe that today's deadline only means that they must have the ability to issue smartcards -- a subtle but important difference.

"What that means is that the agencies have basically chosen a vendor and can demonstrate the ability to do it," says Kanwar, who is also director of product management and marketing at security tool vendor SafeNet. "That was all they needed to meet today's deadline. As a result, we've seen orders of 100 or 500 cards from agencies that have employees in the tens of thousands."

While the compliance guidelines have not yet brought smartcard access to federal agencies, the initiative has forced them to bring together people and departments that previously did not communicate, such as those who handle physical building security and those who handle IT security. "Those people previously worked in silos, but now they're working on project teams together," says Kanwar.

Those early meetings have helped federal agencies recognize both the potential value and the stiff challenges presented by a system that works on both building doors and desktop computers, observers say. "They're seeing the value of being able to correlate who's in the building with who's trying to go online," says Van Zadelhoff. "But they're also seeing that issuing smartcards also means being able to monitor users' activity and manage the lifecycle of the cards."
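The physical/logical correlation Van Zadelhoff describes can be illustrated with a small detection check. This is an added example, not code from the article or from any HSPD-12 vendor: it assumes two constructed event feeds (badge-reader entries and workstation logons keyed by the same user ID) and flags logons that no badge-in precedes within a work-day window.

```python
import datetime as dt

# Constructed sample events for illustration (not real agency data).
# Each tuple: (user, ISO-8601 timestamp, location or host).
BADGE_EVENTS = [
    ("alice", "2006-10-27T08:02:00", "HQ-Lobby"),
    ("bob",   "2006-10-27T08:15:00", "HQ-Lobby"),
]
LOGON_EVENTS = [
    ("alice", "2006-10-27T08:10:00", "ws-0113"),   # badged in 8 min earlier: fine
    ("bob",   "2006-10-27T07:55:00", "ws-0120"),   # logon precedes badge-in
    ("carol", "2006-10-27T09:30:00", "ws-0141"),   # no badge-in on record
]


def parse(ts):
    """Parse the ISO-8601 timestamp used in the constructed feeds."""
    return dt.datetime.fromisoformat(ts)


def find_unbadged_logons(badge_events, logon_events, window=dt.timedelta(hours=10)):
    """Return (user, timestamp, host, reason) for logons that no badge-in
    by the same user precedes within `window`.  A physical entry must come
    before (or at) the logon; later entries do not explain an earlier logon."""
    entries = {}
    for user, ts, _door in badge_events:
        entries.setdefault(user, []).append(parse(ts))

    anomalies = []
    for user, ts, host in logon_events:
        t = parse(ts)
        seen = entries.get(user, [])
        if any(t - window <= b <= t for b in seen):
            continue  # explained by a recent badge-in
        reason = "logon precedes badge-in" if seen else "no badge-in on record"
        anomalies.append((user, ts, host, reason))
    return anomalies


if __name__ == "__main__":
    for row in find_unbadged_logons(BADGE_EVENTS, LOGON_EVENTS):
        print("ALERT", *row)
```

A production version would also need to exempt legitimate remote access (VPN, teleworkers) and account for badge-out events, otherwise every remote logon trips the check.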

And so, despite the arrival of today's deadline, most experts agree that it may be two or three years before HSPD-12 protection is deployed widely at government sites. "I think the agencies are mostly on board now, and they will get there," Kanwar says. "But it's not going to happen today."

— Tim Wilson, Site Editor, Dark Reading

  • Consul Risk Management Inc.
  • SafeNet Inc. (Nasdaq: SFNT)
