In August 2004, not long after the Department of Homeland Security was formed, the Bush administration issued Homeland Security Presidential Directive 12, or HSPD-12. The directive noted the wide variations in security and identification capabilities among agencies, and it set out to create standards for managing the identities of government employees and federal contractors and their access to both physical facilities and data systems. Like most identity management projects, the concept is simple and straightforward: Put some biometric data on cards, issue the cards to everyone who needs any form of access to federal facilities and systems, and in the process enable better sharing of data while taking an important step toward keeping the truly bad guys out.
The goal was to develop HSPD-12 standards in months, and then implement them throughout the government, again in months. As anyone who has endeavored to implement a massive federated identity management system can tell you, the directive's timetables were, to say the least, naive.
The various departments had varying degrees of interest and budget to actually implement the directive. The technology was immature, particularly in the face of the millions of federal employees and contractors who would be subject to it. And everything from doorways to databases and applications had been conceived with no thought of a unified identity management system, meaning virtually all of it required a retrofit.
By October 2007, anyone with fewer than 15 years on the fed payroll was supposed to have an ID card. Not a single agency met that deadline. The Office of Management and Budget and the General Services Administration got more serious about the program and by mid-2008 reported that 97% of the more than 5 million employees and related contractors had their cards. Agencies have since been retrofitting and conducting background checks.
The other lesson to take from the feds is that while a grand vision is needed, the rollout of the technology will take a good bit of department-by-department hand-holding. In an environment where more and more critical and sensitive data is being accessed ever more broadly, for a variety of legitimate business uses, the granularity of control provided by a solid identity management system will often prove indispensable.
Art Wittmann is director of InformationWeek Analytics.