In the previous blog we addressed the main dynamics driving the HSPD-12 implementation. In this blog we will look at core components of a successful HSPD-12 Program.
The HSPD-12 mandate establishes a common identification standard for managing access to information and services across Federal agencies. In short, it requires a common, interoperable identification standard for managing access to information and systems for, within, or among Federal agencies and departments. It also addresses interagency interoperability and compels Federal agencies to adopt stronger security standards and procedures. In addition, it provides consistency in issuing identity credentials to employees and contractors, and it covers both access to physical facilities and access to logical assets.
Key Components
A strong HSPD-12 program includes the following components:
- Identify the “As Is” environment
- Provide an understanding of where process change is needed
- Determine which specific implementation model is best for the environment
- Build a communication plan for the organization
- Maintain the communication
- Develop/coordinate policy and guidance
- Evaluate plans
- Track implementation
- Provide training and awareness
- Assess compliance (C&A)
- Monitor compliance and identify change
Agencies implementing FIPS 201 must assign an individual to the role of PIV Senior Agency Official for Privacy and conduct a Privacy Impact Assessment (PIA) on systems containing information in identifiable form (IIF). They shall consult with the personnel responsible for privacy issues at the implementing agency or department while developing the PIV system, and shall write, publish, and maintain a comprehensive “system of records” document for the PIV system. This also means maintaining appeals procedures for those who are denied a credential or whose credentials are revoked, and establishing consequences for violating the privacy policies of the PIV system. Finally, agencies need to ensure that the technologies used in the department’s or agency’s implementation of the PIV system allow for continuous auditing of compliance with the stated privacy policies and practices governing the collection, use, and distribution of information in the operation of the program.
The OMB underscored the need for privacy measures in PIV implementations. In April, the Office of Management and Budget released draft PIV implementation guidance that re-emphasized the necessity of adhering to the privacy goals of HSPD-12. Specifically, the guidance re-emphasized the following activities for implementing agencies:
- Develop, implement and post in appropriate locations (e.g., agency intranet site, human resource
- Ensure that personal information collected for employee identification purposes is handled consistent with the Privacy Act of 1974 (5 U.S.C. §552a).
- Prepare and submit to OMB a comprehensive Privacy Impact Assessment of the HSPD-12 program, including analysis of the information technology systems used to implement the Directive. The PIA must be reviewed and updated periodically.
- Update pertinent employee-identification systems of records (SOR) notice(s) to reflect any changes in the disclosure of information to other Federal agencies (i.e., routine uses), consistent with the Privacy Act of 1974 and OMB Circular A-130, Appendix 1.
- Adhere to control objectives in section 2.1 of the Standard
In order to meet Federal compliance requirements, a well-documented Certification and Accreditation (C&A) process has been identified as a core component of an HSPD-12 program. The C&A is usually based on the NIST SP 800-53 controls, with emphasis on the Access Control and Identification and Authentication requirements.