Feds to Require PIV to Access Data, FacilitiesAgency Policies Must be In Place by Mar. 31
Office of Management and Budget Director Jacob Lew issued Memorandum 11-11 to require federal agencies to develop policies requiring PIV credentials to access IT systems and facilities by Mar. 31. An attached memo from the Department of Homeland Security says agencies should begin using the PIV credentials by Oct. 1, the beginning of fiscal year 2012. It also says agencies should designate a lead official by Feb. 25 to ensure the policy is properly implemented.
DHS estimates that nearly 90 percent of the 5.7 million federal employees and contractors have completed background investigations, and 4.5 million have received PIV credentials. "The majority of the federal workforce is now in possession of the credentials, and therefore agencies are in a position to aggressively step up their efforts to use the electronic capabilities of the credentials," Lew says, in the memo dated Feb. 3
The addendum to Lew's memo - written by Gregory Schaffer, DHS assistant secretary for cybersecurity and communication - outlines requirements the policies should entail:
- All new systems under development must be enabled to use PIV credentials, in accordance with guidelines established by the National Institute of Standards and Technology, prior to being made operational. This provision is effective immediately.
- Effective Oct. 1, existing physical and logical access control systems must be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities.
- Procurements for services and products involving facility or system access control must be in accordance with Homeland Security Presidential Directive 12 policy and the Federal Acquisition Regulation. To ensure government-wide interoperability, agencies must acquire products and services that are compliant with federal policy, standards and supporting technical specifications.
- Agency processes must accept and electronically verify PIV credentials issued by other federal agencies.
- The government-wide architecture and completion of agency transition plans must align as described in the Federal CIO Council's Federal Identity, Credential and Access Management Roadmap and Implementation Guidance.
HSPD-12, issued by President George W. Bush in 2004, requires agencies to follow specific technical standards and business processes for the issuance and routine use of federal PIV smartcard credentials, including a standardized background investigation to verify employees' and contractors' identities. Specific benefits of the standardized credentials required by HSPD-12 include secure access to federal facilities and disaster response sites, as well as multi-factor authentication, digital signature and encryption capabilities. "Standardization leads to reduced overall costs and better ability to leverage the federal government's buying power with industry," Schaeffer says.
The Obama administration is a firm believer of the synergy between virtual and physical security, as DHS Deputy Undersecretary Philip Reitinger voiced at a Congressional hearing last year when the administration refused to endorse legislation establishing White House and DHS organizations solely focused on IT security (see Administration Declines to Back Cybersecurity Bill). He said it's more effective to address jointly the risks to key physical and cyber infrastructures:
"The private sector speaks the language of all hazards, they worry about risk, as a telecom would say, whether it's from a cyber attack or a back hoe," Reitinger said. "We, in government, need to step to that, and speak their same language if we want to influence how they behave in an all-hazards way, in a risk-based way, and if something bad happens, physical or cyber, to be able to address it seamlessly."