Broader implementation of HSPD-12 could boost PKI use

The Defense Department has issued more than 4 million Common Access Cards, but most Pentagon employees use the smart cards minimally.With all the legacy systems DOD uses, integrating digital certificate software is costly and difficult, said Carl Vercio, director of DOD’s Identity Protection and Management Program for Washington Headquarters Services.“Ninety percent of employees use their CAC to sign and encrypt e-mails or to get on the network,” Vercio said yesterday at the Identity Management Conference in Arlington, Va., sponsored by the Information Technology Association of America. “We are not taking advantage of the technology available to us today. We focus too much on people outside DOD.”And DOD is not alone in the underutilization of smart-card and public-key infrastructure technology. Most agencies find that smart cards end up being used as flash badges to gain entrance to buildings instead of being used for true physical and logical access. And PKI technologies, which agencies and vendors have been excited about for more than five years, have little penetration across agencies.“Authentication and identity management are the least-deployed technology to protect systems, networks and infrastructure,” said William Crowell, a security consultant and member of the Markle Foundation Task Force on National Security. “In 2003, PKI became a four-letter word. It is still the least-deployed and most-technical concept of all the technologies out there, including encryption.”But Vercio and others see the government’s implementation of as a key to more agencies using digital certificates.“We are retrofitting and adapting applications to meet the Personal Identity Verification standard [under ],” Vercio said. “We hope industry figures out ways to make the CAC useful.”Margie Cashwell, director of worldwide systems engineering for RSA Security Inc. of Bedford, Mass., said HSPD-12 will bring PKI and the federal bridge to life. “Agencies can use HSPD-12 to further single-sign-on capabilities across the enterprise or for Web applications or for federated systems,” she said.David Temoshok, the General Services Administration’s director of identity policy and management, said HSPD-12 also is an important piece of the e-government puzzle.He said the standard smart card will establish strong identification services for government employees to gain access to systems and services, and that will help promote e-government. “We have to have stronger authentication to support online services,” he said. “We are building a system that will help citizens gain experience using the services and see that the services are reliable.”