Vendors bank on HSPD-12 mandate

Federal Identity Management Handbook

Smart card manufacturers and information security companies say they hope to see their businesses grow in 2006 as federal agencies prepare to issue secure identity credentials to employees and contractors.

The deadline is approaching fast. By Oct. 27, 2006, agencies must begin using new identification badges that are resistant to fraud, tampering, counterfeiting and terrorist exploitation.

The new requirement derives from an executive policy known as Homeland Security Presidential Directive (HSPD) 12, which President Bush signed in August 2004. "It is a sea change in public policy that is having a huge effect on technology," said Daniel Burton, vice president of government affairs at Entrust.

The governmentwide mandate and deadline have sped advances in the smart card and biometric industries and created new business opportunities for information security companies, Burton said. Entrust is one of a growing number of vendors that say they will focus on HSPD-12 in 2006.

Others include SafeNet and ActivIdentity. Each major division in SafeNet, which sells network security products, has an executive-sponsored working group committed to HSPD-12.

"It's front of mind right now in terms of how we engage with the government," said Andy Solterbeck, SafeNet's vice president of products and marketing.

HSPD-12 standards are a welcome example of the U.S. government offering technical leadership to the rest of the world, Solterbeck said. "The applicability of these standards is broader than the North American government or we wouldn't be making these investments," he added.

Complying with HSPD-12 is the No. 1 engineering concern at ActivIdentity, said Craig Reichenbach, vice president of the company's government division, which recently changed its name from ActivCard.

Other big-name companies, including Adobe Systems, Hewlett-Packard and RSA Security, have announced plans to pursue HSPD-12 contracts.

The General Services Administration will set the terms by which companies will compete to provide HSPD-12 products and services. As the executive agent for HSPD-12 acquisition activities, GSA is authorized to develop lists of approved products, which will be based on compliance and interoperability tests.

Some companies that plan to offer products and services that comply with HSPD-12 say the October 2006 deadline has forced them to focus simultaneously on sales and certification issues. "Sales and [product] development are hand in hand here," Burton said.

Before smart card manufacturer Axalto can compete, the company must submit its cards for independent testing against two federal information processing standards: the FIPS 140-2 cryptographic standard and the FIPS 201 personal identity verification standard.

Axalto will base its sales strategy on its track record of supplying smart cards for the Defense Department's successful Common Access Card program, said Neville Pattinson, Axalto's director of technology and government affairs. Under HSPD-12, Axalto will offer smart cards, middleware and applets.

ActivIdentity will submit middleware and applets for certification when GSA-approved labs begin independent testing in the next month or two, Reichenbach said. "It's been more of an educational process than a sales process," he added.

That educational process has included meetings with Karen Evans, administrator of e-government and IT at the Office of Management and Budget, to discuss whether federal agencies have sufficient money in their budgets to pay for complying with HSPD-12. "She believes the budgets are out there in most of the agencies," Reichenbach said. But he and other company officials say they are concerned that agencies will lack adequate funding and they are developing their business strategies with that in mind.

Adobe, ActivIdentity, Entrust and SafeNet say they have agreed on a strategy to pre-integrate their products as a way of lowering agencies' costs. Pre-integration will also help agencies meet deadlines, said Jacques Francoeur, an e-business assurance official at Adobe.

Process automation will play a big part in what Francoeur said must be a low-cost, reliable infrastructure for managing the life cycle of HSPD-12 cards, from their issuance to their revocation or renewal. "There must be checks and approvals and verifications of authenticity along every step of the way," he said.

With HSPD-12, the federal government has created a new marketplace with high barriers to entry, Solterbeck said. "The hurdles you have to jump to be a viable player are significant," he added.