The goal was to develop HSPD-12 standards in months, and then implementing them throughout the government, again in months. As anyone who has endeavored to implement a massive federated identity management system can tell you, the directive's timetables were, to say the least, naive.
The various departments had varying degrees of interest and budget to actually implement the directive. The technology was immature, particularly in the face of the millions of federal employees and contractors who would be subject to it. And everything from doorways to databases and applications all had been previously conceived with no thought of a unified identity management system--meaning virtually all required a retrofit.
By October 2007, anyone with fewer than 15 years on the fed payroll was supposed to have an ID card. Not a single agency met that deadline. The Office of Management and Budget and the General Services Administration got more serious about the program and by mid-2008 reported that 97% of the more than 5 million employees and related contractors had their cards. Agencies have since been retrofitting and conducting background checks.
The other lesson to take from the feds is that while a grand vision is needed, the rollout of the technology will take a good bit of department-by-department hand-holding. In an environment where more and more critical and sensitive data is being accessed ever more broadly, for a variety of legitimate business uses, the granularity of control provided by a solid identity management system will often prove indispensible.
Art Wittmann is director of InformationWeek Analytics. Write to him at firstname.lastname@example.org.
To find out more about Art Wittmann, please visit his page.
Register to see all reports at InformationWeekAnalytics.com.