PLAN AHEAD TO MAXIMIZE BENEFITS TO HSPD-12 INVESTMENT
With Homeland Security Presidential Directive 12 (HSPD-12) being implemented, nearly every employee and contractor in the federal government is set to receive his or her own smart card credential.
Few initiatives have affected as many individuals in as many agencies. Certainly, the card is the most visible part of this initiative, aiming to bring about the convergence of physical and IT security. However, the supporting infrastructure and processes must also be put in place to enable one-card access to offices, IT networks and other assets required in the directive. Even though this major initiative is still in the implementation phase, innovative government managers and executives are looking ahead to identify additional ways to use this government-wide identity infrastructure to advance their agency’s mission through better asset management, increased productivity, cost reduction and service improvements.
Because decisions made now will affect the ability to leverage an agency’s investment in HSPD-12 compliance, now is the right time to consider the useful possibilities and determine what makes the most sense for a particular agency.
- Managing resources and reducing costs
Since every employee and contractor will have his or her own card, applications can be enabled to check and validate these IDs in the normal course of the agency’s activities. And with a mobile validation system, credentials can be securely checked and validated anywhere, from a restricted area at a special event to a small field office in a National Park or at a diplomatic outpost halfway around the world.
This will reduce fraud, give managers the data needed to match resources with needs, reduce costs and improve service.
- Controlling access to information
Smart card-based records management systems reduce the dependence on paper documents throughout the agency, improve the control over access to information and provide detailed audit records for compliance. This will reduce costs and increase confidence in the organization and its control of sensitive information.
The detailed records also provide the basis for analyzing business processes, which may lead to increased productivity.
Further increases can be achieved by enabling greater self-service, even within the agency. For example, employees can digitally sign human resources forms and request changes to their records with the appropriate authentication and validation.
- Controlling access to facilities
With a converged smart card security system, physical access control is integrated into the same system that controls access to information systems. With one central point of control, a manager can change a user’s privileges throughout the agency. This control increases security and regulatory compliance, while reducing the costs of administering separate systems for different networks and buildings.
- Asset control and tracking
Smart cards can be used to validate individuals in order to ensure that equipment is used or operated only by those who are trained and authorized to do so. This can cover everything from laboratory field equipment to machinery, vehicles, firearms and special-issue equipment.
By associating equipment and materials with individuals, these systems track issuance. For equipment that requires maintenance or updating, these systems can track field service time and manage the issuance of substitute or loaner equipment.
- Safeguarding employees and contractors
Mustering is another application that is made possible through mobile validation of smart credentials. In the event of an emergency that requires quick evacuation of a facility, managers are able to account for and validate the identities of employees and contractors without requiring access to any other system.
- Improving job satisfaction
Beyond the bounds of an agency, in those areas where there are large concentrations of federal employees, public and private institutions will invest in the additional infrastructure necessary to give employees one-card access to services such as transit systems or healthcare providers.
In the case of healthcare, an expansion of the infrastructure would make it possible for employees to use a single card to control access to electronic medical records and save time and money through electronic prescribing, appointment booking and telemedicine.
Using the underlying infrastructure to validate transactions, service providers will cut administrative costs, reduce fraud and increase customer satisfaction and loyalty.
ACHIEVING AGENCY GOALS
While the federal government smart credential initiative may seem large, a deployment of this size is not unusual outside the United States. There are several programs currently being implemented in other countries in which government agencies use smart cards and identity infrastructure to deliver services directly to citizens.
Why don’t we have those kinds of programs in the United States today? Familiarity and the lack of widely adopted standards have been factors, but HSPD-12 and FIPS (Federal Information Processing Standard) 201 will change all that. By taking cues from other countries’ government smart card programs, and with some creativity, agencies are realizing ways they can reach their goals faster through the deployment of an effective infrastructure and the issuance of cards.
Most of the benefits noted above, such as detailed reporting, give an agency a solid basis for resource planning. The benefits also apply to interacting and transacting with those outside of a particular agency.
For example, secure communications between agencies, between agencies and suppliers and between agencies and their constituents help cut down on the use of paper. Thus, costs are lowered, productivity is increased and organizations can be more nimble and responsive.
The pharmaceutical industry is implementing Secure Access for Everyone (SAFE), another wide-ranging initiative. SAFE is composed of many of the world’s largest pharmaceutical companies, as well as several smaller companies that make up the pharmaceutical marketplace.
Working with U.S. and European regulators, this industry-led effort is developing a system of identity-based trusted communication that is compatible with HSPD-12 and is projected to lower the costs of drug discovery and approval by millions of dollars. Additional savings will come as the technology is applied to other areas.
DECISIONS AHEAD
Members of several government and industry bodies, including the Inter-agency Advisory Board, have products and processes that can help an agency meet the deadlines for implementing the control objectives in HSPD-12.
However, whether or not an agency is able to take advantage of the opportunities beyond initial implementation of compliant systems depends in large part on decisions made now.
Many of these decisions concern the basic architecture, including the choices between partnering with another agency with an established solution, using a Shared Service Provider, or building and managing the project in-house. These apply to both card and certificate issuance and management and the implementation of a distributed validation infrastructure. Such questions need to be considered at the beginning, in order to ensure that an agency does not incur additional costs and delays in the deployment of compliant systems.
In terms of physical access, decisions include determining the buildings, floors and offices that must be secured. Using systems that take advantage of card-connected technology enables an agency to control more of its access points, while reducing costs by 40 to 60 percent over traditional approaches. In the case of remote locations, cost savings are even greater, making it possible to reach people in places that were cost-prohibitive with traditional architecture and systems.
Putting all of this in perspective is difficult in the middle of an implementation of this size, but in a few years it will be clear that the infrastructure decisions made today will be the foundation for a host of convenient, reliable services that have an even larger, more fundamental impact than ever imagined when HSPD-12 was first issued.
David Belchick is the manager of PKI Products at CoreStreet, Cambridge, Mass. He previously managed smart card and PKI deployments for the Department of the Interior and the Department of the Navy.