[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
FEDERAL SECURITY: ID CARDS AND BACKGROUND CHECKS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
ORGANIZATION, AND PROCUREMENT
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
APRIL 9, 2008
__________
Serial No. 110-102
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.oversight.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
45-946 PDF WASHINGTON : 2008
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HENRY A. WAXMAN, California, Chairman

Majority members:
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
BRIAN HIGGINS, New York
JOHN A. YARMUTH, Kentucky
BRUCE L. BRALEY, Iowa
ELEANOR HOLMES NORTON, District of Columbia
BETTY McCOLLUM, Minnesota
JIM COOPER, Tennessee
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

Minority members:
TOM DAVIS, Virginia
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
JOHN J. DUNCAN, Jr., Tennessee
MICHAEL R. TURNER, Ohio
DARRELL E. ISSA, California
KENNY MARCHANT, Texas
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
VIRGINIA FOXX, North Carolina
BRIAN P. BILBRAY, California
BILL SALI, Idaho
JIM JORDAN, Ohio
------ ------
Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
Lawrence Halloran, Minority Staff Director
Subcommittee on Government Management, Organization, and Procurement
EDOLPHUS TOWNS, New York, Chairman

Majority members:
PAUL E. KANJORSKI, Pennsylvania
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
CAROLYN B. MALONEY, New York

Minority members:
BRIAN P. BILBRAY, California
TODD RUSSELL PLATTS, Pennsylvania
JOHN J. DUNCAN, Jr., Tennessee
Michael McCarthy, Staff Director
CONTENTS
----------
Hearing held on April 9, 2008
Statement of:
    Evans, Karen, Administrator for Electronic Government and Information Technology, Office of Management and Budget; Kathy Dillaman, Associate Director of Investigations, Office of Personnel Management; Linda Koontz, Director, Information Management Issues, Government Accountability Office; accompanied by Brenda Farrell, Director, Defense Capabilities and Management, Government Accountability Office; Michael Sade, Acting Deputy Assistant Commissioner, Office of Integrated Technology Service, Federal Acquisition Service, General Services Administration; and Thomas Wiesner, Deputy Chief Information Officer for the Office of the Assistant Secretary for Administration and Management, Department of Labor
        Dillaman, Kathy
        Evans, Karen
        Koontz, Linda
        Sade, Michael
        Wiesner, Thomas
    Zivney, Robert, vice president, marketing, Hirsch Electronics, representing the Security Industry Association; and Benjamin Romero, Chair, Information Technology Association of America Security Clearance Reform Task Group, representing the Security Clearance Reform Coalition
        Romero, Benjamin
        Zivney, Robert
Letters, statements, etc., submitted for the record by:
    Bilbray, Hon. Brian P., a Representative in Congress from the State of California, prepared statement of
    Dillaman, Kathy, Associate Director of Investigations, Office of Personnel Management, prepared statement of
    Evans, Karen, Administrator for Electronic Government and Information Technology, Office of Management and Budget, prepared statement of
    Koontz, Linda, Director, Information Management Issues, Government Accountability Office, prepared statement of
    Romero, Benjamin, Chair, Information Technology Association of America Security Clearance Reform Task Group, representing the Security Clearance Reform Coalition, prepared statement of
    Sade, Michael, Acting Deputy Assistant Commissioner, Office of Integrated Technology Service, Federal Acquisition Service, General Services Administration, prepared statement of
    Towns, Hon. Edolphus, a Representative in Congress from the State of New York, prepared statement of
    Wiesner, Thomas, Deputy Chief Information Officer for the Office of the Assistant Secretary for Administration and Management, Department of Labor, prepared statement of
    Zivney, Robert, vice president, marketing, Hirsch Electronics, representing the Security Industry Association, prepared statement of
FEDERAL SECURITY: ID CARDS AND BACKGROUND CHECKS
----------
WEDNESDAY, APRIL 9, 2008
House of Representatives,
Subcommittee on Government Management,
Organization, and Procurement,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:10 p.m. in
room 2247, Rayburn House Office Building, Hon. Edolphus Towns
(chairman of the subcommittee) presiding.
Present: Representatives Towns and Bilbray.
Staff present: Michael McCarthy, staff director; William
Jusino, professional staff member; Kwane Drabo, clerk; Janice
Spector, minority senior professional staff member; and
Benjamin Chance, minority professional staff member.
Mr. Towns. The committee will come to order.
Welcome to today's hearing on Federal Security. This
hearing will review two important elements of Federal security:
identification cards for Federal employees and contractors, and
background checks and security clearances.
In 2004, President Bush issued an order titled HSPD-12,
adding new requirements in these areas designed to heighten
security. In today's hearing we will examine how it is working.
There is a lot at stake with these issues. HSPD-12 helps
prevent criminals and terrorists from exploiting Federal ID
cards to get access to Federal buildings and computers.
Counterfeiters are always hard at work to create phony
documents and IDs, so we also have to work hard to stay ahead
of them.
I support this kind of effort, but we have to be careful;
otherwise, our eagerness to improve security can lead to
increased spending without gains in security. That is why I
joined with the ranking member, Mr. Bilbray, in asking GAO to
review HSPD-12 on the basis of both security and efficiency.
We are releasing their reports today. On the positive side,
GAO found that agencies have made a lot of progress in making
sure all their employees have the appropriate background
checks, and we salute you for that. But GAO has also found that
agencies are making very little progress in issuing the new ID
cards and, more importantly, are not even using their new
security features.
GAO measured progress in eight agencies, and the numbers
are grim. At the Department of Commerce, 54,000 employees need
cards, but as of December only 23 had been issued. Of the
90,000 employees at the Department of Interior, only 17 had
received new cards. For the 6,000 employees at the Nuclear
Regulatory Commission, just 1 card had been issued.
These types of numbers raise serious questions about
whether HSPD-12 is working as intended. What is even more
troubling is GAO's finding that, even when cards have been
issued, the security features are not being used. These
features are what makes the new cards so much more secure and
also much more expensive--about $80 to issue and to maintain
each card in the first year. If agencies do not use these
security features, they are just wasting money.
Agencies aren't gaining anything from the new cards if
employees just wave them at the security officer instead of
putting them through a reader, but they are still spending a
lot of money issuing the cards.
Today I hope we can learn more about how to get this
program on track so all of this money being spent actually
makes the Federal Government more secure rather than wasting money.
[The prepared statement of Hon. Edolphus Towns follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. At this time I would like to yield to the
ranking member, Mr. Bilbray.
Mr. Bilbray. Thank you, Mr. Chairman. Mr. Chairman, I thank
you for this hearing. I appreciate the witnesses showing up
this afternoon.
Let me just say that I really have a big concern. When you
read the 9/11 Commission's report on the state of national
security, one of their No. 1 recommendations right out of the
chute was that America has to get serious about secure IDs, not
just in the Government but around our country. But by far the
Federal Government needs to lead through example.
How many years later are we now saying we are still working
on it, we are trying to move the ball ahead? And I think a lot
of it is almost reminiscent of what we went through, Mr.
Chairman, a couple of years ago with body armor for our troops
in Iraq, that people said yes, we want to get it there, we want
to deploy it, we want to get it into the hands so that it can
be used for protecting our troops. Well, ladies and gentlemen,
secure IDs are the body armor of homeland security. It is
sometimes the first and sometimes the last line of defense
against a terrorist attack, as the 9/11 Commission said.
I would like to just add a degree of urgency to the
execution of this directive, that it is not just a nice thing
to do, it is an essential thing to do. God forbid if we have
another attack. I will tell you right now I can guarantee you
that the lack of a uniform enforceable identification system is
going to be raised again, and I don't think any of us in this
room want to be caught in the position of saying yes, you are
right, we just didn't think it was that important. It is of
major importance that I do not think we can overstate when it
comes down to the fact of knowing who is or who isn't going
into our Government facilities and how we are setting examples
for States and counties and cities to do the same with their
identification system.
So, Mr. Chairman, I appreciate the hearing. I appreciate
the chance to be updated on the situation, and hopefully what
we can do is learn from our mistakes, raise the degree of
urgency, and move forward with a successful implementation
plan.
I yield back, Mr. Chairman, and again thank you.
[The prepared statement of Hon. Brian P. Bilbray follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very much.
It is a longstanding policy that we swear our witnesses in,
so if you would be kind enough to please stand and raise your
right hands.
[Witnesses sworn.]
Mr. Towns. Let the record reflect that all of them answered
in the affirmative.
We are delighted to have with us today the Honorable Karen
Evans, Administrator for Electronic Government and Information
Technology, Office of Management and Budget. Welcome.
We are also happy to have Kathy Dillaman, Associate
Director of Investigations, Office of Personnel Management.
Thank you. Welcome.
Ms. Linda Koontz, Director, Information Management Issues,
Government Accountability Office. Thank you. Good to see you
again. Accompanied by Ms. Brenda Farrell, Director of Defense
Capabilities and Management of the Government Accountability
Office.
Also, Mr. Michael Sade, Acting Deputy Assistant
Commissioner, Office of Integrated Technology Service, Federal
Acquisition Service, General Services Administration. What a
title.
Mr. Thomas Wiesner, Deputy Chief Information Officer for
the Office of the Assistant Secretary for Administration and
Management, Department of Labor.
Why don't we just go right on down the line, starting with
you, Ms. Evans, and just come right down the line. Thank you.
Thank you so much.
We would like you to summarize in 5 minutes. Of course, we
have a light there that comes on. Of course, it starts out as
green, and then it turns to caution. That means begin to sum
up. And then red means to stop.
We will start with you, Ms. Evans.
STATEMENTS OF KAREN EVANS, ADMINISTRATOR FOR ELECTRONIC
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND
BUDGET; KATHY DILLAMAN, ASSOCIATE DIRECTOR OF INVESTIGATIONS,
OFFICE OF PERSONNEL MANAGEMENT; LINDA KOONTZ, DIRECTOR,
INFORMATION MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY
OFFICE; ACCOMPANIED BY BRENDA FARRELL, DIRECTOR, DEFENSE
CAPABILITIES AND MANAGEMENT, GOVERNMENT ACCOUNTABILITY OFFICE;
MICHAEL SADE, ACTING DEPUTY ASSISTANT COMMISSIONER, OFFICE OF
INTEGRATED TECHNOLOGY SERVICE, FEDERAL ACQUISITION SERVICE,
GENERAL SERVICES ADMINISTRATION; AND THOMAS WIESNER, DEPUTY
CHIEF INFORMATION OFFICER FOR THE OFFICE OF THE ASSISTANT
SECRETARY FOR ADMINISTRATION AND MANAGEMENT, DEPARTMENT OF
LABOR
STATEMENT OF KAREN EVANS
Ms. Evans. Good afternoon, Mr. Chairman and members of the
subcommittee. Thank you for inviting me to discuss the
administration's implementation of Homeland Security
Presidential Directive 12. Protection of our Federal facilities
and information systems is a priority for the administration, and
my remarks today will focus on the progress we have made in
improving security through the implementation of HSPD-12.
Details have been included in my written statement.
Prior to HSPD-12 there were wide variations in the quality
and security of forms of identification used by Federal
employees and contractors to gain access to Federal facilities
and information systems. The directive enhances security,
increases Government efficiency, reduces identity fraud, and
protects personal privacy by establishing a mandatory,
Government-wide standard.
The intent of HSPD-12 is to allow agencies to grant access
based on risk-based access control decisions; however, we must
also protect the personal information of Federal employees and
contractors. HSPD-12 implementation is grounded in the
longstanding policy framework overseen by OMB, and the agencies
must follow existing privacy and security law and policies to
ensure our employee and contractor information is protected and
appropriately used.
Following the issuance of the FIPS 201 standard, NIST and
GSA established a performance and interoperability program to
ensure programs are certified with the standard. Currently,
there are approximately 350 products and 33 system integrators
on the Government certified and approved services and products
listing maintained by GSA. NIST and GSA have also issued
various publications and guidance to support interoperability
and the use of credentials.
It is essential for Federal agencies to be interoperable if
we are to significantly improve the security of our Federal
systems and facilities.
To ensure agencies are on track with their HSPD plans, OMB
has taken steps to closely monitor agency implementation
progress and completion of the key activities. In September
2006, OMB asked agencies to submit updated implementation
plans. As part of their plans, we requested agencies to include
the integration of physical and logical access control systems
using the PIV credentials and how they intend to use the
capabilities of the credentials to the fullest extent possible
to address cyber-security weaknesses and to improve physical
access control.
In January 2007 OMB issued guidance requiring quarterly
reporting on the status of background investigations and the
number of PIV credentials issued. On October 26, 2007, OMB also
issued a memorandum providing updated instructions for public
reporting of the implementation status, and we requested
additional information on background investigation status and
major milestones, as outlined in the agency plans.
We are ensuring that agency status is transparent and
accessible to the public.
As of March 1, 2008, agencies reported 2.5 million, or 59
percent, of their employees, which includes military personnel,
and over 500,000, or 42 percent, of the contractors had
completed their background investigations.
PIV credentials have been issued to over 140,000, or 3
percent, of employees, and to just 36,000, or 3 percent, of
contractors.
As part of our oversight role, OMB will continue to use
quarterly reporting mechanisms along with agency information
technology budget planning documents to track key performance
metrics for HSPD-12 compliance.
Over the past three-and-a-half years the executive branch
has made steady progress in achieving the goals of the
Presidential directive. HSPD-12 is part of the administration's
overall plans to enhance security, and it is closely aligned
with other ongoing security initiatives and plans for improving
physical security to implement the recommendations of the 9/11
Commission.
By evaluating the physical security, information
security, and human resources business practices, the executive
branch is applying a consistent, risk-based approach to
physical and information systems security that will improve our
overall security and reduce cost.
We look forward to working with the members of this
committee and appreciate your continued support in improving
the security posture. I will be glad to answer questions at the
appropriate time.
[The prepared statement of Ms. Evans follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very much, Ms. Evans.
STATEMENT OF KATHY DILLAMAN
Ms. Dillaman. Good afternoon. Chairman Towns, members of
the subcommittee, it is my privilege to testify today on behalf
of the Office of Personnel Management on the implementation of
HSPD-12 and the status of the background investigations
program.
OPM's mission is to ensure that the Federal Government has
an effective work force. To accomplish this mission, we conduct
over 2 million background investigations each year for Federal
agencies to assist them in making decisions relating to
identity verification, basic suitability, and eligibility for
security clearances.
HSPD-12 requires agencies to initiate, at a minimum, a
national agency check with written inquiries (NACI) level
investigation or any other standard level of investigation
required for Federal employment prior to issuance of a PIV
card.
The national agency check portion of the investigation
includes searches of the investigative files maintained by the
Office of Personnel Management, the Department of Defense, the
FBI, and a fingerprint-based criminal history check.
Agencies may issue a new PIV card after the fingerprint check
has been completed, which is typically within the first 24
hours after an investigation is scheduled.
Last year, OPM received 285,000 requests for the NACI level
investigation. That was an increase of over 113,000 from the
previous year. This type of investigation is almost entirely
automated. It includes electronic processes for the exchange of
information between OPM and many Federal, State, and local
agencies.
Automated letters of inquiry are also sent to former
employers, supervisors, educational institutions, and other
references to identify potential suitability or security
concerns.
The advanced fingerprint check results and the full
investigative results may be sent to the requesting agencies
electronically, as well.
Given the automated nature of a NACI investigation, the
overall impact on OPM's investment program with this increased
workload has been minimal, and we have successfully expanded
our work force to process the additional workload without
negatively impacting the timeliness of our national security
investigations.
This increased workload did, however, have an impact on a
number of the records we asked for from Federal, State, and
local agencies. We have been working closely with them to
increase their processing capacity, automate information
exchanges whenever possible, and improve the time required to
obtain those necessary searches.
To support adjudication of these investigations, in
December 2007, OPM issued interim standards for agencies to
apply when determining whether to issue or revoke PIV cards to
their employees or contractor personnel. Agencies are now
reviewing the standards, and an interagency working group will
be formed to address their implementation concerns prior to
issuing final standards later this year.
I would also like to provide you with an update of where we
are with processing national security investigations. The
Intelligence Reform and Terrorism Prevention Act of 2004 set
timeliness standards for the overall security clearance
process. I am pleased to report that, overall, OPM and
clearance granting agencies are meeting and exceeding the
standards of completing 80 percent of initial security
clearance determinations in an average of 120 days or less.
There is no longer a backlog of investigations due to
insufficient resources.
To meet the act's standard, we first focused on the
timeliness and quality of the agencies' submissions for
investigations. By increasing the use of OPM's Web-based
electronic questionnaire for investigations processing instead
of sending by paper, we have reduced the time required to
request investigations to 14 days and dropped the rejection
rate to about 7 percent.
Today over 83 percent of all submissions for national
security investigations are electronic, not paper, and 14
agencies are submitting all of their requests online.
Within the 120-day standard the act specifically required
that 80 percent of the background investigations that support
the clearances be completed within an average of 90 days. We
are exceeding this goal.
Of the 586,000 investigations OPM opened last year for
national security clearances, 80 percent were completed in an
average of 67 days.
After completing the investigation, it is returned to the
employing agency for adjudication. The act further established
a standard for agencies to adjudicate 80 percent of the initial
clearances in an average of 30 days or less. Last fiscal year
for actions reported, agencies adjudicated 80 percent of the
completed investigations in an average of 28 days, which
included up to 14 days of mail and handling time between OPM
and the Federal security offices.
To streamline and minimize the time required to transmit
completed investigations between OPM and the agencies, we have
implemented a state-of-the-art imaging system that allows us to
transmit completed investigations to agencies electronically,
eliminating mail and reducing handling time.
We are continuing to optimize the current process by
maintaining adequate staffing, building partnerships with
information suppliers, and through greater use of information
technology. We are also partnering with the Office of the
Director of National Intelligence and DOD for more significant
reforms to the overall security clearance processes. This
reform effort is challenging traditional processing from
application through adjudication. The ultimate outcome of this
effort will be a Government-wide system that continues to
protect national security through more modern processes that
are secure, dependable, scalable, and time- and cost-efficient.
That concludes my remarks. I would be happy to answer any
questions you may have.
[The prepared statement of Ms. Dillaman follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very much.
Ms. Koontz.
STATEMENT OF LINDA KOONTZ
Ms. Koontz. Good afternoon. Mr. Chairman and members of the
subcommittee, I appreciate the opportunity to discuss our work
on the Federal Government's progress in implementing Homeland
Security Presidential Directive 12 and challenges in the
Department of Defense's personnel security clearance process.
Brenda Farrell is with me today. She is responsible for
GAO's work on the security clearances and can address any
questions that you might have on that subject.
First, I would like to summarize our report on HSPD-12 that
is being released today. As you know, the directive was
intended to increase the quality and security of identification
practices across the Federal Government and called for the
establishment of a mandatory, Government-wide standard for
secure and reliable forms of identification. Much work has been
accomplished to lay the foundations for implementing this
directive, which we recognize as a major Government
undertaking.
However, agencies have made limited progress in using the
full suite of sophisticated electronic capabilities built into
these smart card based ID cards. As a result, at the time of
our review, agencies had realized only marginal improvements in
heightening security. More specifically, the eight agencies we
reviewed had generally done basic foundation work, such as
completing background checks on most of their employees and
contractors, and beginning to acquire essential equipment, such
as card readers. However, none of the agencies met OMB's goal of
issuing ID cards by October 27, 2007, to all employees who had
been with the agency 15 years or less and to contractor
personnel.
Further, for the limited number of cards that had been
issued, agencies generally were not using the electronic
authentication capabilities of the cards which are critical to
improving security, and instead were primarily relying on
visual inspection, much as previous ID cards had been used.
Most agencies we looked at had also not developed detailed
plans as to when they would be able to use these critically
important capabilities.
This has occurred largely because OMB's implementation
strategy has focused on card issuance rather than on agencies
establishing complete security systems, of which the new cards
are only one part.
We made a number of recommendations to OMB, including that
it establish milestones for completing the complete security
systems needed to optimize use of the cards and to align
acquisition of the cards with the implementation of these
systems.
In commenting on our report, OMB neither agreed nor
disagreed with these recommendations. However, until OMB takes
action to address the issues we identified, agencies will
likely continue to make limited progress in using the cards to
improve security over Federal facilities and systems.
Regarding personnel security clearances, our past reports
have identified delays and impediments in DOD's personnel
security clearance program which maintains about 2.5 million
clearances. These longstanding delays resulted in our adding
the DOD security clearance program to our high-risk list in
2005.
Over the past few years several positive changes have been
made to the clearance processes because of increased
congressional oversight, recommendations from our body of work,
new legislative and Executive requirements, most notably the
passage of the Intelligence Reform and Terrorism Prevention Act
of 2004.
An important step forward is the formation of an
interagency team that plans to address past impediments and
manage security reform efforts. The President has called for
this interagency team to provide this reform proposal no later
than the end of this month; however, much work remains to be
done before a new system can be implemented.
That concludes my summary, and Ms. Farrell and I would be
happy to answer questions at the appropriate time.
[The prepared statement of Ms. Koontz follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very much.
Mr. Sade.
STATEMENT OF MICHAEL SADE
Mr. Sade. Good afternoon, Chairman Towns and Ranking Member
Bilbray. Thank you for the opportunity to participate on
today's panel to discuss GSA's initiatives implementing HSPD-
12, including the establishment of Government-wide standards
for secure, reliable forms of identification for Federal
Government employees and contractors.
I am pleased to report that, working with our agency
customers, we have successfully deployed a complex set of
technologies in credential issuing. We have packaged these
technologies in an effective and cost-efficient manner to
provide agencies with solutions they need at prices they can
afford with a business model that is sustainable into the
future.
To facilitate Government-wide implementation of the
Presidential directive and the requirements that all HSPD-12
implementations be interoperable, GSA took a lead role for the
Government-wide implementation. As an initial step, GSA began
a dialog with Federal agencies that were faced with the
technical, operational, funding, and schedule challenges to
meet HSPD-12 requirements.
Next, we established the U.S. access program to offer
Federal agencies a compelling solution to meet these
challenges. Through the U.S. access program, GSA offers
participating agencies a managed shared-service solution that
simplifies the process of procuring and maintaining the PIV
compliant credentials, while at the same time meeting the
demanding HSPD-12 milestones for credential issuing.
The program provides a common infrastructure that is shared
by all participating agencies. This allows the cost of building
and managing this complex infrastructure to be shared, rather
than having each agency attempt to build separate redundant
systems on their own.
GSA also provides the project acquisition and financial
management support necessary to help participating agencies
receive the U.S. access service.
Since launch of the program in 2006, the U.S. access
program has enrolled approximately 70 Federal agencies
representing the potential to issue between 850,000 to 1
million cards to Government employees. This program serves as
an example of how infrastructure and program management
expenses can be shared across agency participants to provide
overall cost savings for the Government, while improving
service quality and decreasing implementation risk.
Specifically, agency benefits include: centralized program
management, which relieves Federal agencies from having to
manage their own in-house HSPD-12 compliant products; built-in
HSPD-12 policy compliance, since GSA has evaluated the technology
to ensure it meets HSPD-12 requirements; reduced capital
expenditures, since, using a shared service model, the U.S. access
program has adopted a simplified, per-credential fee system
that eliminates the large up-front cost typically encountered
with implementing new information technology infrastructures;
and, finally, enhanced security, since Federal agencies can trust
the credentials issued under the U.S. access program by GSA.
There are currently more than 57 U.S. access program
enrollment centers located in more than a dozen States, with
the majority being in the D.C. area. Ultimately, there will be
225 enrollment centers across the country, 25 of which will be
mobile.
GSA additionally sponsors a Government-wide HSPD-12 forum
for coordination of implementation activities, common issue
resolution, and direction through the Federal Identity
Credentialing Committee.
In summary, GSA has created an innovative, full-service
program to assist agency customers in meeting HSPD-12
requirements and schedule milestones. Significant progress has
been made to deliver cost-effective agency solutions to all
HSPD-12 challenges and to develop a sustainable business model.
I thank you for the opportunity to testify today, and I am
happy to answer any questions you may have.
[The prepared statement of Mr. Sade follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very much.
Mr. Wiesner.
STATEMENT OF THOMAS WIESNER
Mr. Wiesner. Good afternoon, Mr. Chairman and members of
the subcommittee. Thank you for inviting me here today to
discuss the Department of Labor's HSPD-12 program. We share a
common interest in protecting employees, facilities, and
information systems.
As reported in our March report to OMB, we have issued PIV
cards to over 10,000 of the 15,000 employees at DOL. We have
issued PIV cards to over 1,200 of the 2,400 contractors.
Overall, DOL has completed PIV card issuance to 66 percent of
employees and contractors.
Consistent with the Department's implementation plan,
enrollment and issuance of PIV cards continue. Our strategy
leverages mobile deployment using DOL resources and what we
refer to as a travelers program. This program was established
to allow eligible employees, when on official travel, to obtain
a PIV card from one of our existing issuing sites located
around the country.
As required, PIV cards are issued upon fingerprint results
and the initiation of background investigations. To date, 90
percent of our employees have an adjudicated investigation,
along with 35 percent of our contractors. We are working toward
completion of all adjudicated investigations by the October
2008 milestone.
The Department's efforts to date are derived from the
Presidential Directive and OMB guidance. The Department has
also complied with OMB's guidance relative to products and
services for use in implementing PIV; that is, vendors and
components used by the Department are in conformance with the
applicable NIST specifications and approval by the GSA
evaluation program office.
To meet the first phase of PIV compliance, planning began
in late 2004 to establish requirements for a Federal personnel
identification system that meets the control and security
objectives of the directive. A certified process was completed
and approved in October 2005.
To meet the second part of the PIV compliance, the
Department, consistent with our internal information technology
governance, developed the program as an IT investment. In early
fiscal year 2006 the Department conducted a performance
analysis of our legacy badge system to identify functionality
and technical gaps between this system and the PIV II
requirements. As a result, the system was identified as not
compliant with FIPS 201 requirements.
Without a PIV II compliant solution that would meet the
mandated security and technology guidelines, the Department
conducted market research to identify viable alternatives to
comply with HSPD-12 requirements. Potential alternatives
included relying exclusively on shared services offered by the
GSA or the Department of Interior, Department of Labor-owned IT
solutions to cover all Federal and contractor employees
throughout the country, or a hybrid model that utilized a
Labor-owned IT solution to conduct PIV card activities in
facilities with high concentrations of employees, while using a
shared service for facilities with small employee populations,
where deployment of IT infrastructure would be cost
prohibitive.
In the absence of an existing DOL IT solution for identity
management, and given, at the time, the emerging status of
constraints and schedule capabilities and the unknown costs
associated with a shared service solution, the Department in
April 2006 decided
to move forward with the hybrid option of the Labor-owned IT
solution, with plans to use GSA shared services as they became
widely available.
Later this year, DOL plans to utilize GSA shared service
sites for our employees who are yet to be issued a PIV card,
particularly remote locations with small DOL populations.
The Department is already leveraging the PIV card in our
Boston and New York regions, where regional staff worked with
the GSA to use the DOL PIV card for physical access control.
In addition, the Department has initiated planning
activities associated with the deployment of the physical
access control system at DOL headquarters. Our plans are to
begin with a pilot of this technology at one facility in
Washington, DC, later this year. Simultaneously, in fiscal year
2009, we will begin planning activities associated with the use
of PIV cards for access to information systems through the
deployment of logical access control system technology.
To date, the deployment of the HSPD-12 solution has enabled the
Department to streamline and tighten the processes associated
with identity verification and PIV card issuance. The
Department's goal is to extract the full potential benefits of
this HSPD-12 investment.
In conclusion, the HSPD-12 program is a core element of our
business and operational culture at the Department of Labor.
Secretary Chao, Chief Information Officer Pizzella, agency
senior management, and our dedicated employees are committed to
the success of the Department's HSPD-12 program.
Mr. Chairman, thank you for the opportunity to provide a
brief outline of the Department of Labor's approach to HSPD-12.
I would be happy to answer any questions.
[The prepared statement of Mr. Wiesner follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very much. Thank you all very much.
Let me start out with you, Ms. Koontz. Do you think the
Federal Government buildings and information systems are more
secure today as a result of HSPD-12?
Ms. Koontz. Mr. Chairman, I think we have to say that there
has been a marginal improvement in security. One of the aspects
of the new standard is to provide for a uniform way of doing
background checks on all Federal employees before credentials
are issued, and this is being implemented by all Federal
agencies, and they have, in fact, completed most of the
background investigations as of this point in time, so I think
that is something that does increase security.
To the extent that agencies are using any of the electronic
capabilities in the cards, that is an improvement; however, we
have to point out that the majority of agencies are not yet in
the position to use the electronic authentication capabilities
in the cards, so in those cases what we have is a large outlay
for expensive cards, and we are not receiving associated and
corresponding benefits to security.
Mr. Towns. So let me put it this way. What has been wasted?
Have you assessed that?
Ms. Koontz. I could not give you a number to quantify what
that was, but I think to some extent how the system was
implemented has been wasteful. In any case where cards have
been issued and the cards, I think someone said before, cost
$82 for the first year, $36 per year for the next 4 years, for
over a life of 5 years. When those are issued with that kind of
outlay but they are still being used just for visual
inspection, there is really no increase in security benefits.
What we recommended is that we wanted to see more emphasis
on putting together the security systems that will make the
cards be able to be used, and also to align the acquisition of
the cards with the ability to be able to optimize their use.
Mr. Towns. Thank you.
Ms. Evans, GAO says that because OMB directs agencies to
distribute the new ID cards to employees according to a set
time line, but does not also direct them to get the readers and
equipment to use them, money and resources dedicated to
HSPD-12 implementations are actually being wasted.
Ms. Evans. Sir, if we could step back, first and foremost
about the money that is being wasted I think we should really
look to see how many cards have actually been issued. It is 3
percent. So it is 180,000 credentials out of the potential 2.5
million for the Federal employees that we have to do. So I
would actually say that we have been very mindful of the
taxpayers' dollars going forward.
What the program has really been focused on, and so this is
why we should step back from card readers and really look at
what HSPD-12 was intended to do. It is building off of existing
programs that were already there. We had a program out in place
that was looking at all of the IT investments, which we called
e-authentication. We issued guidance back in 2003 for agencies
to look at their IT systems, their physical access systems, all
those types of things and assign a level of security risk
associated with that.
HSPD-12 builds off of that, but what is really important
about HSPD-12 is getting a common business practice so that
when Department of Commerce issues a credential, that DOD has
trust in that credential; that they know that they have used
the same business processes, that they validated that
individual or that contract in the same way, that contractor in
the same way, so that they can trust it.
So what we have been really very focused on is the
foundation across the Government, having agencies really look
at what are those positions, who are those contractors, who is
coming into your facility, should they even have access to your
facilities, should they have access to your IT systems. That
takes a lot of work for the agencies to really go back, look at
that, and then fully vet those people in a standardized way so
that once that credential is issued, if you as an agency then
say, OK, Contractor A who is under a contract over at Commerce,
now they are a contractor over here at DOD, I need to have them
come into my facility. I need to have them access my systems.
You can trust that credential. And then the level of trust that
you are using, you know that you can start using these other
features.
But what is critical here is getting the foundation and
those business processes normalized and harmonized across the
Government so you can trust it.
Mr. Towns. Thank you.
I guess my real question is why hasn't OMB mandated the
purchase of readers and scanners?
Ms. Evans. Because every agency needs to go back. We have
implementation plans of this. They are building this into the
regular life cycle of their investments. Agencies have to look
to see is that really what is necessary for each and every
facility and have a full comprehensive plan. They are going to
be doing that on a different time line.
We put into policy the target date of the critical
activities that we thought that they needed to have across the
board in all agencies, but it varies. The implementation plan
is going to vary, because what Department of Interior needs to
have, you may issue identification cards for people that are
out in the field but you don't have to have card readers going
into Yosemite National Park.
So what we are doing is working with each individual
agency, having them analyze the risk, look at what they really
need. Where do they need to have card readers? Is it
appropriate to have the card reader? And then make sure that
there is a program in place so that they can buy them and
implement them in a very efficient way, which is what GSA has
outlined.
Mr. Towns. Let's hear from GAO on this.
Ms. Koontz. Where to begin. It is true that Ms. Evans is
correct, there have been few cards issued to date because none
of the agencies met the deadline for issuance. I think that is
actually, in some ways, fortunate, because I think we have an
opportunity to make a mid-course correction before we go on and
issue new cards without being able to fully exploit their
capabilities, so I look at that as an opportunity to get things
back on course, and that is exactly what we recommended in our
report.
The whole issue of building the underlying security systems
that allow you to use the electronic capabilities of the card,
I think that is the foundation that we are talking about. Ms.
Evans talked about needing the foundation, and I think that is
the foundation that we have to work on, and we have to have
goals for implementing that foundation, and we need to put more
emphasis on that, rather than just emphasizing the issuance of
cards, especially in cases where we are not ready to use the
electronic capabilities.
It may be true that a card reader may not be needed in
Yosemite. I am not sure. But in the vast majority of cases you
are going to want to use some kind of electronic
authentication. You are going to want to read that card in
order to authenticate the individual's identity, and you are
also probably going to want to have some kind of visual
inspection so that you have a couple factors of identification
to make sure that yes, that is the person that they claim to
be, and that card is authentic.
Mr. Towns. Don't you think it is important to set some
goals or mandates or do something? I figured you will come back
here 2 years from now or 3 years from now and still be at this
level.
Ms. Koontz. I think what you see here is the power of goals
and mandates. When OMB says what we are going to be tracking
over time is the number of background investigations that we
are doing and the number of cards that were issued, that is
going to be the focus for Federal agencies, because that is
what has been set out to them as the priorities.
I think what we are asking for is to add other goals that
have to do with establishing the foundation for the best use of
the cards.
Mr. Towns. I yield to the ranking member, Mr. Bilbray.
Mr. Bilbray. Thank you.
Karen, the evaluation was kind of disappointing. What is
your reaction to it?
Ms. Evans. As far as GAO's report, we use the reporting
overall, and we recognize the power of setting targets and
milestones, so I agree with both what you guys are saying. I am
not necessarily disappointed that the credentials weren't
issued, because we recognize that there were issues associated
with that, and that is why we came out with additional guidance
working with the agencies on what the problems were. We were
using that information.
There were several challenges going forward with this
program. First and foremost, what we wanted to do, the
technology didn't exist, and so industry rose up to that. NIST,
in setting the standard, did it in less than 6 months, so this
is a very aggressive program, but when you put it in the frame
of implementing the recommendations of the 9/11 Commission it
really falls behind the mark of improving the security.
So I am disappointed from the aspect that we aren't further
along, just like you are, but what we do believe we have done
is made it a more comprehensive program, so when we talk about
card readers and looking, you are only looking at one piece,
which is physical access. We are also using this card for
logical access, which is information security and system
access. So that is where we have done a lot of making sure that
the milestones are there. We issued additional guidance after
the VA situation. We said that agencies had to use two-factor
authentication. This card allows for that two-factor----
Mr. Bilbray. Two-factor identification?
Ms. Evans. Yes.
Mr. Bilbray. What is that?
Ms. Evans. So the idea of two-factor identification is
something you have and something you know, so a password is
something you know, the card would be something you have. You
use the two of those in conjunction to make sure that the
person who is getting on the system is the person who it should
be.
Mr. Bilbray. Ms. Dillaman, the backlog concerns, are you
able to use biometrics in your background checks?
Ms. Dillaman. Yes, sir. Every background investigation
includes a biometric check of the FBI's records. So to the
extent that there is a biometric name-based search conducted,
that is universally applied across Government.
Mr. Bilbray. You get into the FBI files, just like most law
enforcement. Can you go into the INS files?
Ms. Dillaman. Biometrically, no.
Mr. Bilbray. Why not?
Ms. Dillaman. We have no biometric exchange system in INS.
Mr. Bilbray. Mr. Chairman, every immigrant coming into this
country is now being biometrically read. Every immigrant
legally entering into the country is put into the system. Every
illegal immigrant who is detained is put into the system. Now
we have a background check that can't access those codes.
I am concerned that these kinds of firewalls--and I am not
blaming you for it, I just think that one of the things that we
need to talk about is the fact that we have a data base system
over there. And it is not just you, it is local and State law
enforcement, too, that we have these firewalls that were
developed after the Watergate fiasco so that now we are still
out there, and I am just concerned about the ability. I think
anybody would say it is reasonable that you should be able to
have access to all the Federal records that may be able to
detect that somebody coming in under one name is not exactly
what they say.
Ms. Dillaman. And perhaps maybe I can alleviate some of
those concerns, because we are working with Homeland Security
and the FBI, tying those three systems together, so that INS'
records of concern are available to us through that biometric
search that we send to the FBI. Every fingerprint that I
receive, whether I receive it electronically or hard copy, if I
get a hard copy I immediately convert it to a digital image,
which allows me to move that around system to system. I
transmit the image to the FBI, and the FBI can cross-reference
that with INS' records.
I think we are on the cusp of being exactly where you would
like us to go.
Mr. Bilbray. I am trying to make a point that the D.C.
snipers, if the one immigrant had not committed a misdemeanor,
even though we had the fingerprints at a murder site, law
enforcement would not have been able to know about this except
for the fact there was a misdemeanor and so the record was
transferred out of INS' records over to FBI to where then the
Alabama officials were able to detect it. That just shows you
how close we were not to catching this guy. Thank God he
committed the misdemeanor so that we could stop the killing
spree.
That is a major concern of mine, but we are using the
biometric fingerprinting system as first sweep right across the
board, right?
Ms. Dillaman. Absolutely.
Mr. Bilbray. And now when we are going in with
implementation of real IDs, States are now going into a data
bank based on all the new drivers' licenses, too?
Ms. Dillaman. Yes.
Mr. Bilbray. OK. Thank you very much. I appreciate it.
Thank you, Mr. Chairman.
Mr. Towns. Thank you.
Ms. Dillaman, we hear from OPM that the security clearance
backlog has been eliminated and OPM has exceeded the
requirements of the 2004 intelligence reform law, but Federal
agencies and entities say they still have a serious problem
with backlog and delays from OPM, and they are very skeptical
of your claims that the backlogs are gone. Can you be very
precise in explaining what you mean when you say there is no
backlog?
Ms. Dillaman. Certainly, sir. We track every investigation,
and every single hand-to-hand process with that, so my data is
hard and accurate, and we have been measuring every
investigation, beginning to end, with those types of metrics.
The best way I can demonstrate the backlog elimination was
7 years ago, when we merged the program with Defense Security
Service's program, there was a pending backlog inventory of
over 700,000 investigations. We do 2 million a
year, the combined organizations. The 700,000 was over twice
what it should have been if you were processing cases timely
and current.
Today our inventory is around 285,000 total investigations
of all types--national security, public trust, and basic
suitability investigations.
The percentages I gave you, mid-60 percent of all initial
national security investigations averaged in the mid-60 days.
That was 80 percent, I am sorry, in 60 days. These are hard and
fast numbers.
Anecdotally, are there investigations that take much
longer? You bet. There are investigations that probably should
take a while because there are issues developed that we had to
explore. We have problems accessing third-party information,
but 145,000 people had the initial clearance investigations
done in under 45 days last year, too. It is usually the ones
that are delayed that are getting the most attention. But by
pulling enough resources, Federal and contractor combined,
dedicated to the background investigations program, working to
improve access to the information critical to the process--and
it is building electronic bridges between us and Federal
agencies, all 50 States, and over 20,000 local law enforcement
agencies. By getting our automation systems, we have been able
to do that.
I think it took a long time for everyone to identify just
how bad it got in the year 2000, and it has taken a long time
to notice this improvement, as well. But that is where we are
at today. There is no backlog because of insufficient
resources.
Mr. Towns. Let me ask you, Ms. Farrell, if you have any
thoughts on that issue. I know you did a lot of work with this.
Ms. Farrell. Certainly. GAO has done a lot of work in this
area over the last three decades, and the backlog that Ms.
Dillaman is referring to, GAO reported in 2004 about the fact
that DOD did not at that time even know what the backlog was.
We went in and we calculated it with help from the agencies and
made recommendations regarding how DOD could get control of the
backlog, and suggested that they had a plan to move forward.
There have been a number of positive steps, as my colleague
noted in her opening statement, in terms of what the agencies
have done, including OPM and OMB, in trying to manage the
backlog. The question here is what is your definition of a
backlog. We have not looked at that for a couple of years. We
have started work in February to go in and look at the
timeliness and the quality of investigations and adjudications
for the DOD program, as well as we will be starting up work
looking at the Intelligence Committee. But our understanding is
that OPM, when they look at the backlog, they are looking at
investigations that have been done in 180 days versus the
Intelligence Reform and Terrorism Prevention Act that requires
that investigations, as she has noted, be done within 90 days
for the investigation part. So I think there is still a great
deal of work to be done in the area of the backlog.
But, again, we don't have hard and fast data. We are in the
middle of looking at that to see what is the backlog, not just
for investigations but adjudications, as well.
Mr. Towns. We have heard the need for reciprocal
clearances. If I receive a security clearance in order to work
for one agency, that clearance ought to be good enough for
another agency, especially because the guidelines for
adjudication come from the administration. Why are agencies
still being allowed to refuse to recognize each other's
clearances? Why?
Ms. Farrell. Do you want me to take that? We think it may
be because of the quality, the quality of the investigations.
There are Federal guidelines that the adjudicators, as well as
the investigators, are supposed to adhere to, but the metric
that has been missing for all six phases of the clearance
process is quality metrics. OPM has reported, for one of the six
phases, the investigative phase, that they do look at
the number of investigations that are returned because they are
incomplete, and they count that as one of the metrics, but we
think that there are a number of metrics that should be used
from the time that DOD or the other agencies determine the
requirements, as well as the application submission process,
the investigation process, the adjudication process, the appeal
process, and if there is a need to reopen the case.
Again, there are six phases of the clearance process, and
there are not metrics for all six to determine the quality.
Thus, the reluctance, I think, of some agencies to accept a
clearance from another one, not knowing which standards have
been adhered to.
Ms. Dillaman. If I may, I think there is also some
confusion about reciprocally accepted security clearances and
suitability determinations. It is true that a security
clearance is reciprocally acceptable. If you obtain the top
secret level of one agency, you can and should move seamlessly
to another position requiring a top secret clearance.
When it comes to determining basic suitability for a
position, however--and Federal civil servants are held to
suitability standards--there are some position-specific
requirements. Past drug use may not be an issue in some
agencies, but it very much may be an issue in DEA. The former
Smith Amendment that precluded security clearances in some
agencies but not all might have meant that someone could have
had a felony conviction with one agency and had a clearance,
but have been able to move seamlessly, reciprocally to the
Department of Defense.
Now all of those issues are being worked on, including
providing transparency into the suitability determinations. So
if individuals are determined to be suitable for a job but may
not be suitable for a specific position, position-specific
factors have to be considered.
We have to add transparency into that issue, as well.
Mr. Towns. Is that because you are using contractors?
Ms. Dillaman. No, sir. Not at all. The contractors who are
used to do the background investigations are trained and
cleared to exactly the same level as their Federal
counterparts. They are held accountable to the same standards
of performance.
Mr. Towns. I just think that some way or another if a
person is cleared, I mean, there should be some kind of working
relationship here that everybody could sort of respect and
accept and move forward on.
Ms. Dillaman. And to support that, one of the mechanisms
which we do have in place is that if you went to work for the
Department of Treasury, for example again, and have a top
secret clearance, you then move to Homeland Security and
Homeland Security asks for a new investigation, that would be
denied. We would reject Homeland Security's request because a
sufficient investigation is on file that supports you being
reciprocally moved, accepted into another agency.
Mr. Towns. Let me move then to you, Mr. Sade. The FIPS 201
card relies mainly on an integrated circuit chip for security.
This chip stores data and communicates with the card readers.
Isn't it true that the chip can be imperceptibly destroyed by
kinking it with a sharp object, even your fingernail? I would
also like to hear from you, too, on that, Ms. Evans. Is
that possible?
Mr. Sade. If the card is left exposed, I believe that is
possible, but all the cards are issued with a card holder to
protect it.
Ms. Evans. Well, I mean, I don't have anything other than
what you have said. I mean, technically that could happen. You
could destroy the card. You could mess up the way the card
works. You can do that now on a credit card by putting two
magnetic strips together. You can do that on a whole lot of
technical cards. I mean, we do take the precaution by making
sure that there are protective covers associated with the card
so that you can slide them in and out and be able to read them
appropriately and put them into card readers, so that can
happen, but that can happen on any technical device or any type
of card.
Mr. Bilbray. Mr. Chairman, I want to go home and put all my
wife's credit cards together. [Laughter.]
Mr. Towns. Good idea.
Mr. Bilbray. But, I guess, to follow up on it, is this very
much different than the technology that has been used in the
Metro for over 15 years, and that is the electronic reading
capabilities that they had there? Do you know?
Ms. Evans. It is enhanced. There are several things that
are on the card, and that is what is outlined in what we call
the FIPS, the Federal Information Processing Standard, so there
is a lot more information, but it does have a strip, so it is
using something similar but there is a lot more information
that is encoded on the card.
Mr. Towns. Let me thank you very, very much, of course, for
your testimony. I see we still have a long way to go, and of
course we have I think the question that I really want to
raise: is it the lack of resources? I mean, what else do you
see that might be a problem here as to why you are not being
able to have more? Is it 3 percent?
Mr. Bilbray. I mean, you have to worry about why aren't the
readers out there, and you say because we only have 3 percent
out there. Then the problem isn't that the readers aren't out
there; the darned cards aren't out there.
Mr. Towns. Yes. So what do you see that needs to be done?
Is there anything that needs to be done to sort of help
facilitate this?
Mr. Bilbray. And to back that up, do you want to comment on
the GAO's recommendation that you set reasonable limits and
have your Departments articulate how they are going to fulfill
those goals?
Ms. Evans. First, on the GAO report, I would say that most
agencies would argue that we have set really aggressive dates,
and the public would say we set really aggressive dates. I
would concur with you that the dates aren't aggressive enough.
However, as far as setting milestones out into the future,
again, we are working with the agencies on a case-by-case
basis, so where you could help and how we are talking about
this is that it is hearings such as this and then going back
and asking the agencies about the risk and how they are
assessing the risk and what is their overall security posture
of what they want within their departments and their agencies.
This is one thing that makes it a little bit more
difficult. This is where a Secretary is willing to live with
how much risk, and when you know that, then OMB can work and
aggressively help that agency achieve that.
We are looking at all of the security initiatives across
the board, the information security ones as well as the actual
systems. And when I see an agency that doesn't have a good
report in from its Inspector General on certification and
accreditations related to how they assess risk, I am putting my
efforts into how are you doing that, because then I really am
going to have the agency waste taxpayers' dollars if they are
just trying to be compliant with OMB mandates and hitting
milestones.
Mr. Bilbray. Well, in that GAO report they specifically
gave you a vehicle that businesses have used all along, and that is
a detailed explanation of how you are going to reach your
goals, with a specific plan, rather than just having arbitrary
numbers, this is our goal, this is how we are going to do it.
Ms. Evans. We have those.
Mr. Bilbray. Those plans, in fact, can warn you that maybe
you don't have the right goals.
Ms. Evans. But we do have those plans, and we have the
plans for all the security initiatives across the board, and we
are looking at those. The GAO report is looking at HSPD-12 in
isolation and it is not looking at the security posture of the
agency as a whole, looking at the other types of activities and
the other guidance that we have put in place, like our data
breach guidance that looks at both physical and logical and
says, When are you going to have encryption, and when are you
going to have the two-factor authentication, and when are you
going to meet all of these types of activities. This is a key
initiative, and if you are not going to have encryption in
place until 2010 and you will have these in place, and then you
are not going to be sure who all is in place, we are looking at
all of those across the board.
Mr. Bilbray. I understand that, Ms. Evans, but, to use the
analogy I started off this hearing with, that would be like the
Army saying you are right, we need more body armor in the
field, but we are also looking at now the armored Humvees, and
that is something we have to consider when we are talking about
the body armor.
The fact is that the crisis, the fact that there has been
so little movement done that there needs to be some priorities
made here. And this was a very simple one that was laid out not
just by the President, but by the men and women that studied
the 9/11 situation and said this is our No. 1 Achilles heel in
the United States. It doesn't say there weren't enough cops,
enough bombs, enough tanks; it said enough IDs and a secure
identification system for this country is absolutely essential.
Ms. Evans. Sir, I am not disagreeing with you, sir. I agree
with you. But it is not the actual card issuance that is the
measure of that, it is the business process prior to issuing
the card. So OMB is very sensitive to when we establish
milestones, that we want to make sure that agencies just aren't
complying and doing volume without really achieving the goal of
the improved security, as you stated.
Mr. Towns. Is this equipment widely available for purchase?
I am getting the feeling that something else is going on here.
Is it?
Mr. Sade. As I mentioned, we had the shared service model
for those 70 agencies that are going through us, and we are
still in the process of deploying the 225 enrollment stations.
But part of the service we provide, part of the General
Services Administration, we have what we call the GSA schedule
contract, Schedule 70, which is for information technology. We
have gone through, working with NIST, and tested anybody that
wants to put their equipment and make it available for sale
across the Federal Government, and they put that equipment on
their schedule contract, and we test it before it goes on. I
believe Ms. Evans in her testimony mentioned the 300-plus
products that are available today on those schedules.
I would also note that those schedules not only are
available for use by the Federal Government; they are also for
use by State and local. So if State and local governments want
to buy complying equipment, it is available to them, as well.
Mr. Towns. Let me ask you this, Mr. Wiesner. Several
Federal agencies, including the Department of Labor, have opted
not to use GSA service for complying with HSPD-12. Labor told
our staff they were not convinced that GSA would be able to
meet OMB's deadlines; however, GAO reports that Labor is not in
good shape to meet OMB's deadline, either. So is Labor equipped
to comply? I just don't know what is going on here.
Mr. Wiesner. Well, we went out on our own. As I said in my
testimony, we did not have an identity management system at the
Department of Labor prior to HSPD-12. We had a simple database
that issued a dumb badge for Federal employees. We had a hard
time managing contractors, etc. You saw the added dollars to
build out an identity management infrastructure to pay benefits
not only for HSPD-12 for cards, physical access, logical
access, but integrated into some future planned initiatives
like our HR system, so we could make it part of the hiring
process as well as the determination process, strengthening our
contractors and knowing who our contractors were and who had
clearances. So we saw that investment back in April 2006.
We are very serious about meeting the first October goal
from OMB which said you have to issue at least one card by
October 27, 2006, so we took that very seriously and looked at
how we were going to meet that and in April 2006 we had to make
a decision to go to shared service provider or build out this
infrastructure, and as I mentioned we treated this as an IT
investment, looking at the whole benefits of the dollars we
were about to spend and made the choice that it was worth the
investment to build out our own infrastructure and start
issuing cards to meet the OMB mandates in October 2006, as well
as the subsequent milestones that have been laid out upon us.
As I also testified then, since GSA has now made readily
available many enrollment and issuing stations around the
country, perhaps upwards of 15 percent of employees will go to
a GSA shared service center.
Mr. Towns. What percent?
Mr. Wiesner. About 10 to 15 percent. We are at 60 percent
now. We have issued as of early this week over 11,000 badges to
our 15,000 employees. We are well over 67, 68 percent. As you
go out to the smaller locations, it becomes cost prohibitive
for us to do this on our own. That is when we will go to GSA
and go through the GSA process and pay the card fees associated
with the shared service model. We fully intend to use that
model where it makes financial sense, as well as to get to
those employees that need a card. We are targeting to be as
close to 100 percent as possible by October of this year.
Mr. Towns. You have the funding?
Mr. Wiesner. Through fiscal year 2008, yes.
Mr. Towns. Let me thank all of you for your testimony. We
look forward to working with you to try and move forward. You
know, 3 percent is not impressive. I guess you know that. I
think my colleague mentioned about three or four times 3
percent. I think that isn't right. That is not acceptable. I
think we have to move much more aggressively. Just 3 percent?
Anyway, thank you so much for your testimony. We appreciate
the work that you are doing. Thank you.
Our next panel consists of Robert Zivney, vice president,
marketing, Hirsch Electronics, representing the Security
Industry Association. Welcome.
We also have Mr. Benjamin Romero, Chair of the Information
Technology Association of America Security Clearance Reform
Task Group, representing the Security Clearance Reform
Coalition.
It is a longstanding policy of this committee that we
always swear in our witnesses, so will you please stand and
raise your right hands?
[Witnesses sworn.]
Mr. Towns. Mr. Zivney, you may start. What we do is that we
allow the witnesses 5 minutes to sum up, and then we would have
a question and answer period after that, so if you could make
your statement within 5 minutes, we greatly appreciate it. We
have a light that starts out with green and then goes to yellow
to let you know that your time is almost up, and then when it
comes to red that means your time is up.
You may start.
STATEMENTS OF ROBERT ZIVNEY, VICE PRESIDENT, MARKETING, HIRSCH
ELECTRONICS, REPRESENTING THE SECURITY INDUSTRY ASSOCIATION;
AND BENJAMIN ROMERO, CHAIR, INFORMATION TECHNOLOGY ASSOCIATION
OF AMERICA SECURITY CLEARANCE REFORM TASK GROUP, REPRESENTING
THE SECURITY CLEARANCE REFORM COALITION
STATEMENT OF ROBERT ZIVNEY
Mr. Zivney. Chairman Towns, Congressman Bilbray, members of
the subcommittee, thank you for the opportunity to testify
about the implementation of Homeland Security Presidential
Directive 12. My name is Rob Zivney. I am the vice president of
marketing for Hirsch Electronics, headquartered in Santa Ana,
CA. Hirsch Electronics is a manufacturer of physical access
control systems for non-residential markets, including the
Federal Government.
I am honored to testify today on behalf of the Security
Industry Association [SIA], which represents 400 manufacturers,
integrators, and dealers of electronic security equipment. SIA
members provide solutions for physical security to protect
people and property of America in their schools and hospitals,
their airports and seaports, their factories and offices, and
especially their buildings of government.
SIA members are committed to offering assistance to ensure
the successful implementation of this directive in all Federal
agencies.
Mr. Chairman, HSPD-12 and the associated standards
developed by NIST, specifically the identity vetting process,
forms a far stronger foundation for security than we have ever
seen.
Routine access transactions are enhanced by the use of the
credential bearer's fingerprint templates derived from the same
fingerprints used in the background check process. However, SIA
believes that cost and time required for implementation of
HSPD-12 were underestimated by OMB. Traditionally, the
functions of authentication and authorization resided with the
administrator of a local physical access control system [PACS].
As a result of HSPD-12 and FIPS 201, the accountability for
authentication now resides with the credential issuer, while
authorization remains a function of the PACS.
The development of this new shared infrastructure presents
a significant learning curve for us all.
Mr. Chairman, implementation of HSPD-12 is a true
pioneering effort. It requires those responsible for human
resources, information technology, and security to cooperate on
an unprecedented level. Although HSPD-12 may not draw the
attention of our Nation's major media outlets, the world is
watching. In spite of technical and procedural challenges, our
own success has attracted the scrutiny of other nations and
local governments and private industry.
In our view, an identity credential that uses fingerprints
and public key infrastructure [PKI] will revolutionize global
standards for security, and promises to, over time, conserve
taxpayer dollars. However, absent clear guidance and
specifications for systems that use the PIV card, some
manufacturers are absorbing substantial development costs to
produce next generation systems that use the card. That work is
being conducted without access to operational PIV credentials
necessary to develop and test associated products.
Mr. Chairman, this situation is exacerbated by the fact
that GSA has had to design a specification for the credential
readers while developing product and service evaluation
programs, a role it has never undertaken in the past.
The GSA approved product list is inferred from NIST
documents which are substantially silent on the use of access
control systems. Unfortunately, GSA restricts the approved
products to being procured from GSA Schedule 70, an information
technology schedule. This is unfortunate because physical
access control systems and components are assigned to Schedule
84, where they have always been.
Multiple schedules make it difficult, both for the
manufacturers developing and submitting products and the
Government purchaser attempting to assemble the systems. HSPD-
12 products need to be available from both Schedule 70 and
Schedule 84.
Despite challenges, some agencies are doing an exemplary
job of providing credentials for employees and upgrading their
infrastructure to meet the requirements of HSPD-12.
In conclusion, SIA offers the following recommendations:
SIA encourages this subcommittee to direct OMB to
establish, within its Office of E-Government Information
Technology, a dedicated team of professionals who possess
substantial knowledge of physical security technologies and
applications. This team would support the ongoing efforts of
the Interagency Security Committee [ISC], which is charged with
developing physical security policies, standards, and
strategies.
We also recommend that OMB establish a policy for
implementation of physical security similar to its policy
establishing guidance for the processes leading up to the
issuance of the PIV II credentials. The policy must recognize
that the PIV card is not compatible with most installed-base
PACS currently in use, and the PACS will have to be, at a
minimum, upgraded, and most likely replaced.
Finally, we encourage you to consider SIA as a resource for
the effective use of the PIV credential with physical access
control systems.
Thank you for the opportunity to testify today.
[The prepared statement of Mr. Zivney follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very much.
Mr. Romero, 5 minutes.
STATEMENT OF BENJAMIN ROMERO
Mr. Romero. Good afternoon, Mr. Chairman, ranking member,
my name is Ben Romero, and I speak to you as the chairman of
the Intelligence Committee of the Information Technology
Association of America and on behalf of the Security Clearance
Reform Coalition.
Thank you for this opportunity to discuss a reform of the
current granting process. In addition to these oral comments, I
ask that the committee accept our attached written
recommendations that expand upon the issues we feel are
critical to addressing this persistent problem.
Industry has used a simple mantra to explain what we
believe will bring about transformation of the clearance
granting process. One application, one investigation, one
adjudication, and one clearance. We seek an internet-based
application that collects information electronically and forms
the basis for an end-to-end digital process that creates a
record that can be amended by investigators, adjudicators, and
security officers for the life of the clearance, an
investigation that would be timely, uniform, and thorough in
its processed end product, an adjudication where an applicant
is judged using updated, viable, post-Cold-War criteria, and a
clearance that is accepted across the Federal Government with
minimal additional vetting.
In looking at the clearance granting process and its
effectiveness, the committee should examine the reports of the
industry-led working group of the National Industrial Security
Program Policy Advisory Committee, which recently analyzed
actual results from clearances processed through DSS and DISCO.
This task force found that, on average, secret clearances took
more than 200 days, top secret clearances took more than 300
days to process in 2007. This was an end-to-end analysis
measuring from the time an applicant was given access to
complete the online SF-86 provided on the Electronic
Questionnaire for Investigative Processing Web site, e-QIP, to
the point when the adjudicators determine whether or not a
clearance was granted.
Even more alarming is the finding of the working group
regarding investigations for top secret clearances, where the
trend line has grown to more than a year, and currently tops
out at 540 days.
There are a number of conditions that bear mention because
they are impacting the effectiveness of the end-to-end process.
These include an inability to accurately forecast budget needs
in some agencies, an inability in most applications to accept
electronic attachments like release forms and digital
fingerprints, an inability to identify additional case codes
that frequently cause a case to be reopened for further
investigations and the out-of-sync applications used in e-QIP.
Industry believes that many of the problems that cause
delays with the current process are rooted in the investigative
stage. These include the ineffective marriage of e-QIP
applications with fingerprint cards and release forms, too much
touch labor in the investigative stage of the process,
including printing of electronic records, because PIPS is
incapable of saving attachments like criminal or electronic
records--they bar code and scan documents rather than use two
electronic records--and the mailing of investigative files back
and forth between OPM and their field investigators.
The subcommittee has highlighted today an issue industry
has long noted with concern. While we fully support HSPD-12 and
the effort to create greater assurance for all Government
employees and contractors through new identification measures,
we have been concerned about the sapping of resources for the
underlying investigations. HSPD-12 background checks are
national agency checks with local agency checks, very similar
to the level of commitment of resources for secret clearances.
We have been concerned that there would be insufficient
Government resources to adequately devote to the HSPD-12
checks, while working to improve the clearance process.
It is our hope that all those holding current positions of
trust that require the NAC check or greater will be approved
under that portion of HSPD-12.
We are cognizant of what is going on in OSD, OPM, ODNI as
they try to revamp the clearance. We are behind it 100 percent.
The nine associations of the Security Clearance Reform
Coalition again thank the subcommittee for the opportunity to
highlight our perspectives in these deliberations, and we hope
that 2008 will finally be the year that we see solutions
implemented.
Thank you, sir.
[The prepared statement of Mr. Romero follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Towns. Thank you very, very much for your testimony.
Let me begin with you, Mr. Zivney. You propose that OMB
establish a dedicated staff of security professionals to
coordinate with the private sector on HSPD-12. The report from
GAO leads me to think that OMB does need some help. Can you
describe what advice you would give OMB right now in order to
get the most out of HSPD-12 moving forward?
Mr. Zivney. I think the focus has perhaps been on the hard
part, and that was to get the cards out, get the infrastructure
in place to issue the cards, and now we are really moving into
phase two, and that is using the cards. If we are going to use
the cards in a physical access control system, this takes
skills that go beyond what you might often find in e-
authentication or in focus group. And I know they are focused
on issuing the card.
The disciplines of physical access control systems are
different. I know there was some talk of authentication
factors. We typically think of a card or a PIN you type in on a
keypad or a biometric as an authentication factor, and we see
PKI as an enhancement to that, but we need to make sure that,
from a physical security point of view, we normally have a
threat level adjustment. We just want to add more factors and
have that scaling.
Currently, FIPS 201 is silent on all the physical access
control systems. We think that someone needs to provide a
little better insight in there, and we need some focus. SIA
would be glad to assist with some of that guidance, but if we
are going to apply it and use it in physical access control
systems, we need to have skill sets and disciplines and
knowledge of those techniques.
Mr. Towns. All right. Thank you.
What do we do? What can we do to speed this up? I mean, I
think that is what I am asking.
Mr. Zivney. We are disappointed it has taken so long. I
don't believe that there is a lack of urgency with anybody. I
think it was a very bold move. As we said earlier, I believe,
that NIST rushed out those specifications in 6 months. Perhaps
we went too fast at times.
If we can involve more industry some time before specs are
released, if we have comment periods that really seek to
understand the comments of industry when they submit them, and
more dialog at this point, we build on what we have laid on a
foundation. I think we can move faster by slowing down a little
bit at this point. I think someone made that statement. This is
a good time to do an assessment and really focus on usage next
while we are continuing to issue the cards.
Mr. Towns. Thank you very much.
Mr. Romero, it is clear that you consider security
clearance reform to be an urgent issue and that it requires
immediate attention. You described some changes that you say
could be made quickly, changes that have already been made in
some agencies, as you indicated. What are some of those
possible changes? What are you talking about?
Mr. Romero. Well, sir, I believe that the biggest thing we
can do, the best thing we could do, is scrap the process that
we have right now and come out with one that really, truly uses
IT. We are trying to use something that has been in existence
for so many years that what we are doing is taking baling wire
and trying to keep it together so that it continues to process.
When you go out and take fingerprint cards, scan them, then
send them across ether and say that you are doing IT in today's
world, we are not. We are still operating in yesterday's IT
environment, or whatever the environment was.
I picked up my CLEAR card here recently. My fingerprints
were taken, my eye was taken. That can be used as things go
forward. As we are looking at the checks, as we are improving
the security clearances, there is all kinds of information that
is out there available that is used by just about everybody
else except the Government to find out if you are even
qualified to hold a security clearance. They check all of us.
All our information is out there available to be checked,
whether they are insurance records, whether they are Government
records, whether they are tax records. All of those are
accessible, but we don't touch those. We go out and ask
questions that were asked and based on the Cold War era, asking my
neighbor if I am a trustworthy American. I might not have
talked to my neighbor but once in the past year because of the
types of hours a lot of people hold.
That is the gist of what I am talking about, sir, where we
are still operating in the past.
Mr. Towns. So basically you are saying that one size should
fit all. Is that what you are saying?
Mr. Romero. Not necessarily. One size can fit all to start,
and then you can add to it. If you have a basis, if you take
the NAC as a basis and find out, hey, does that person have a
drinking problem, hey, has his bank account really rapidly
grown, those types of things that can be done very simply and
easily to start with might grant you at least the initial level
of clearance. Then, as you need more because you are going to
be working--and I worked as an intelligence officer for most of
my life--then they start asking additional questions and
finding out more about your background to go from there.
Mr. Bilbray. Mr. Chairman, can I be recognized?
Mr. Towns. I think it is your time now.
Mr. Bilbray. I think the point is that maybe one size
doesn't fit all, but the shoes all should be built in the same
basic form, and then if they need to be used for duck hunting
you modify them a little bit for this, or for deer hunting
here, or for tennis you do this. So, in other words, there
needs to be sort of a general production line that is upgraded
that we are not going back and using some antiquated concepts.
That is a real concern I have.
I saw how far California went in the 1970s by going to the
Cal ID and getting digital readings of everybody that got a
driver's license, which made huge breakthroughs, and so I am a
big supporter of this. But the problem is getting them to get
out of the paper and into electronic.
I have no real questions except for a comment. If there is
anything that you guys see that we are not doing working with
the private sector on this issue, we need to know about it,
because we have seen what everybody else is doing.
I was appalled, Mr. Chairman, when we had the breach where the
disc on our nuclear defense strategy disappeared, and I was
absolutely blown out that you could actually go in to
Livermore, pull it off the shelf, and there was no record of
who was in the vault and there was not even an electronic
reader telling you when the disc was taken out of the vault.
When that disc leaves that shelf, that slot, it should say it
is gone as of this time, and we should have a record of who is
in the vault because they used electronic access that showed
them in there. That would have been the most simple thing in
the world to take care of if we had the right databases and
the right type of inventory control using electronics rather
than depending on antiquated World War II technology.
Thank you very much. I actually think that this issue goes
a lot farther. I have been discussing with the White House why
all Federal identification in the United States is not upgraded
to the REAL ID standard that we set for the others, including
the Social Security card.
If there was going to be an embarrassment, Mr. Chairman,
explaining to your children or your grandchildren why we are
still using a piece of paper and a number as our No. 1 ID for
employment in this country, that has not been upgraded since
1937. I sure tell you I start understanding why people think
there is a conspiracy in this country not to protect us because
how do you justify that. I can't think of a State or a private
sector that would justify having a piece of paper and a number
as its foundation of identification.
Any comments before we relieve you gentlemen? Does the
chairman have some more questions?
Mr. Towns. No. I am actually finished, just to say to you,
though, that when you say Social Security, you would be amazed
at how many people are walking around that do not have one and
have not had one in many, many years. I think you would be
amazed.
Mr. Bilbray. I am not. I haven't had one since I was a
lifeguard.
Mr. Towns. How many people in the room have a Social
Security card in your pocket? Raise your hand.
[Show of hands.]
Mr. Bilbray. By the way, they recommend you never, never
carry your Social Security card around. Never. That is the No.
1 no-no, because you have your credit cards, your ID, and your
social. Forget it.
Mr. Towns. Just remember your number.
Let me thank you. I really appreciate your coming in. Your
entire statement will be placed in the record. Of course, if
you have any other suggestions or comments, we would definitely
appreciate it.
I agree with you. I think that there is a desire to move
forward. I don't question the witnesses that were before us
today in terms of their commitment and their dedication. But
something is wrong that we can't move forward. I am not sure
what it is. That is the whole thing.
I think you helped us some, because when you look at the
fact that we only have 3 percent, and I think the commitment
and dedication is there, but something else is missing. Maybe
you guys can help us figure out what that is and be able to
move it forward.
I want to thank you again for coming. We appreciate your
testimony.
The hearing is adjourned.
[Whereupon, at 3:45 p.m., the subcommittee was adjourned.]