RESTON, VA -- According to an independent survey released today by INPUT, the authority on government business, and commissioned by CA, one of the worlds largest information technology management software companies, nearly half of federal IT security executives do not have an integrated plan to help their agency meet the Office of Management and Budget (OMB) imposed October 27, 2006 deadline for compliance with the Homeland Security Presidential Directive (HSPD-12). HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of Personal Identity Verification (PIV) to be issued by the federal government to its employees and contractors. The survey results will be released today at CAs HSPD-12 and Identity and Access Management Symposium in Washington, D.C.
There appears to be considerable confusion in the industry as 46 percent of survey respondents do not feel that OMB is providing enough clarity for HSPD-12 compliance, said Bruce Brody, vice president, information security at INPUT. Federal IT security executives cite a noticeable lack of guidance as to how to actually define success with the compliance efforts and how funding and budgetary issues would be addressed. There is even more grey area with regards to the deadline itself since 37 percent of respondents either do not believe or are unsure that OMB will hold fast to the HSPD-12 compliance deadline.
When asked if their organization had implemented an Identity and Access Management (IAM) solution, 56 percent of respondents reported having not implemented one or just being in the initial stages of implementation. Of those organizations who have implemented IAM, most are leveraging either smart-cards or ID badges as the primary means to authenticate users.
Fifty-six percent of respondents indicated that they had seven or more Physical Access Control (PAC) systems and 58 percent indicated that there had been no decision made on whether or not to standardize these systems. Because HSPD-12 involves utilizing a single smart card for authentication and authorization of both physical and logical access, PAC systems must be integrated into a single identity and access solution. The research indicates that the vast majority of agencies are not in a position to be compliant by the October 2006 deadline because of the proliferation of PAC systems and their lack of progress on deciding to standardize on a system.
While these findings may be a cause for concern, 74 percent of respondents indicated that they have established an HSPD-12 task force, suggesting that agencies have realized the impact and complexity that HSPD-12 will have on their security infrastructures, added Brody.
Agencies are clearly struggling with HSPD-12 compliance, said Christopher Michael, federal technology strategist at CA. This compliance deadline, however, does present an opportunity for agencies to address their larger identity management issues and thereby improve the speed and efficiency with which they manage their growing user base and their access to an increasingly complex portfolio of IT services.