By Calvin Biesecker
The Department of Homeland Security (DHS) has not made it a priority to implement a White House mandated standards-based credentialing and access control program for federal employees and contractors and will not meet an extended deadline for when its employees and contractors were supposed to be issued and using new credentials, the department’s Inspector General (IG) says in a report released this week.
Under Homeland Security Presidential Directive (HSPD)-12, which created a policy for common identification credentials for federal employees and contractors, departments and agencies were supposed to have issued the new credentials to their respective employees and contractors by Oct. 27, 2008. DHS was granted an extension to the deadline until December 2010 but as of Sept. 22, 2009, DHS had only issued the identity credentials to 15,567 of its 250,000 employees and contractors, the IG says in the report, Resource and Security Issues Hinder DHS’ Implementation of Homeland Security Presidential Directive 12.
But DHS won’t meet the December deadline and is currently planning to complete credential issuance to employees and contractors by September 2011, the IG says.
The report cites several reasons for the delays in implementing HSPD-12, including weak program management, insufficient funding and resources, and a change in the implementation strategy. The IG also says that DHS is facing hurdles in implementing the policy directive as it relates to logical access to its information systems.
And there’s more, the IG says.
“Furthermore, system security and account management controls are not effective in protecting personally identifiable information collected and stored from unauthorized access,” the report says.
The report says that DHS components currently have their own physical access control systems (PACS) that eventually will have to be consolidated into the department’s PACS. It also says that upgrades need to be made at component’s facilities to make sure their credentials work with DHS’s physical and logical access control systems.
As for its HSPD-12 implementation strategy, the IG says that last June DHS changed its plans for issuing the new credentials. The original plan called for a component by component issuance but then DHS switched to a centrally managed regional strategy.
“Since this change in the department’s implementation strategy, the PMO (Program Management Office) has not received adequate staffing or funding, developed a viable implementation and regional deployment plan, estimated the department-wide cost of implementing HSPD-12, or identified performance measures to properly track implantation progress,” the IG says.
DHS, in its response to the IG report, says it is looking into the staffing issues by possibly conducting reorganization within its Office of the Chief Security Officer and detailing certain employees to obtain the necessary staffing levels.
DHS also says it is finalizing a regional implementation plan.
Under current plans, DHS issued cards to 10,000 employees and contractors in FY ’09. In FY ’10, the department has a $25 million budget to issue 135,000 cards. In FY ’11, DHS plans to issue 105,000 cards with a $22 million budget.
The IG says that the funding DHS has, and plans to have, for HSPD-12 card issuance isn’t enough. The report notes that the FY ’10 budget doesn’t cover the costs of establishing card enrollment centers at component locations or the cost of facilities to ensure their PACS interoperate with DHS headquarters.
The FY ’11 budget request doesn’t cover the costs to establish logical access controls.
“Costs for infrastructure and system upgrades associated with interoperability issues have not been considered, and these issues may take many years to address,” the IG says.