Can Federal Security be Threatened by Lack of Real Property Knowledge?

By the end of October, the federal government will have to address the next milestone in compliance with Homeland Security Presidential Directive 12 (HSPD-12), which calls for a uniform, standardized information and physical security system for all government employees and federal contractors.

While the technology for such a system has been established and approved by the GSA for compliance, it is still likely that a basic lack of information about federal buildings and property might compromise the system.

Susan M. Menke, in an article called "Trustworthy," in the May 2006 issue of FedTech magazine, interviewed David Temoshok, GSA's director of ID policy and management. (see article) According to Temoshok, the next HSPD-12 milestone is Oct. 27, 2006, by which time agencies must be ready to issue FIPS 201-compliant cards to new employees. Existing workers will need to be transitioned.

FIPS 201 is the Federal Information Processing Standard, also known as Personal Identity Verification of Federal Employees and Contractors. The standard was developed by the NIST Computer Security Division as a means of complying with HSPD-12, to improve the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems. FIPS 201 incorporates three technical publications specifying several aspects of the required administrative procedures and technical specifications that may change as the standard is implemented and used.

The next significant milestone related to HSPD-12 will take place next year. By October 2007, agencies must have completed background investigations of current workers who have been employed for less than 15 years, plus contractors. And by October 2008, the investigations of longer-serving employees must be finished.

HSPD-12 was issued in August 2004. Last fall, the Office of Management and Budget issued HSPD-12 implementation guidance to all executive agencies. The guidance reiterated HSPD-12's goals: to "enhance security, increase government efficiency, reduce identity fraud and protect personal privacy."

What may stand in the way of a completely foolproof solution to this directive is the lack of an accurate inventory of property owned or leased by the federal government. Surprisingly, there is no call for such an inventory in either HSPD-12 or OMB's implementation guidance.

The seeming logical inconsistency in achieving compliance with HSPD-12 is that it focuses on the technological aspects of the identification system, despite a dearth of accurate knowledge about the physical infrastructure to which that system will be applied.

In particular, without a full understanding of facilities, demographics and responsibilities, the "graduated criteria" for secure access as called for in HSPD-12 is likely to be flawed, and the entire system vulnerable to exploitation.

Fortunately, with regulation such as Executive Order 13327 on federal real property asset management, the government will be required to get a better handle on its real property and human resources assets.

The technology exists to create a comprehensive physical security system. Unfortunately, without an inventory of property, the personnel employed there and their functions, the likelihood of vulnerability in such a system is high.

For the common governmentwide physical and information security system called for by HSPD-12, agencies must work together. The linchpin for a successful security system is a shared pool of comprehensive information about real property holdings. Without it, you can never be completely confident that agencies have truly addressed this important homeland security requirement.