There’s no doubt your national defense or security agency has heard of Homeland Security Presidential Directive 12. In fact, you’ve likely already felt some of its implications as compliance deadlines have come into full force and as others loom on the near horizon.
However, closing the gap between launching your Personal Identity Verification (PIV) card system and actually making it an error-proof process is not an easy feat for any federal security agency – including yours.
HSPD-12: A Recap
Much like other policies designed to mitigate insider threat, HSPD-12 establishes a government-wide standard for all federal agencies in order to protect facilities and IT systems. The directive requires every government agency to implement a PIV card system that meets specific federal information processing standards.
HSPD-12 specifies that federal agencies must perform a proper background investigation and adjudicate the investigative results before issuing a PIV card to eligible employees and contractors.
Learning From Others’ Mistakes
As various federal agencies roll out their new PIV card policies, systems and processes, you have the opportunity to learn from their successes and mistakes so you don’t repeat any of the same errors yourself.
For example, a recent audit from the inspector general of the Department of Health and Human Services (HHS) revealed that its PIV smart card system had six major shortcomings, with five of them deemed “high risk.” And when you consider that HHS has already issued more than 109,000 PIV cards, the potential for an insider threat scales up quickly.
One glaring gap was the failure to deactivate cards in a timely manner when employees left the agency. Other shortcomings in the report included a lack of system security for PIV information as well as not properly training employees who were responsible for distributing the cards.
Other agencies have not been immune from gaps either: A 2012 Energy Department audit revealed that the DOE still wasn’t HSPD-12 compliant even after a seven-year, $15 million effort. Furthermore, a 2011 report from the Government Accountability Office discovered that most security agencies had an uneven implementation of PIV cards and HSPD-12 policies.
Error-Proofing Your Agency’s HSPD-12 Compliance
So how do you prevent your agency from making the same mistakes? Here are two actions you need to take:
Start by using data visualization tools to quickly comb through your agency’s data and accurately scope the mandate-affected population within your organization. Ensure that your data analysis tools clearly depict any financial and operational impacts that you anticipate from HSPD-12 changes, and determine where any gaps exist in your compliance. With these gaps in mind, prioritize your tasks based on risk and available resources.
Consistent, Automated Policies
Next, you need to establish consistent policies with a clear line of authority. Since HSPD-12 compliance is new for many defense and security agencies, you need to be sure all employees are on the same page with expected policy and practice. After identifying potential compliance gaps from your data analysis, make all new process steps explicitly clear and don’t leave any steps to the discretion of the front-line employee. Then, implement an automated system that follows up on all processes to ensure complete error proofing.
Navigating the world of HSPD-12 compliance is a difficult process, even for the most organized defense or security agency. Yet by learning from the mistakes of others and turning your data into consistent policies and practices, you’ll be significantly better prepared.