Homeland Security Presidential Directive 12 Cost Justification and Benefits
The problem with today’s authentication is the difficulty of electronically proving, and providing confidence in, a person’s identity. Authentication focuses on confirming an individual’s identity based on reliable credentials.
Homeland Security Presidential Directive 12 (HSPD) was created to solve this problem and provide better identity management security at federal agencies. The HSPD 12 directive requires the development and agency implementation of a mandatory, government-wide standard for secure and reliable forms of identification for Federal employees and contractors. This directive, signed by President Bush in August 2004, established an official federal government policy for the issuance of a common identity verification standard. The purpose of this paper is to discuss how agencies justify the costs involved in complying with the HSPD 12 mandate, what benefits agencies expect in return for their investment, and the risks associated with identity management.
The National Institute of Standards and Technology (NIST) determined that secure and reliable forms of identification need to be both physical and logical for entry into federal buildings and technology data centers. NIST decided the standard would include the use of smart cards with embedded biometric fingerprints, and public key infrastructure (PKI) that links an individual to a specified public key for electronic signing (See Appendix A). NIST created the Federal Information Processing Standard Publication 201 (FIPS 201) and Personal Identity Verification (PIV). According to NIST, the FIPS 201 includes two parts called PIV I and PIV II, and states the following (See Appendix B):
The requirements in PIV I support the control objectives and security requirements described in FIPS 201, including the standard background investigation required for all Federal employees and long-term contractors. The standards in PIV II support the technical interoperability requirements described in HSPD-12. PIV II specifies standards for implementing identity credentials on integrated circuit cards (i.e., smart cards) for use in a Federal system. FIPS 201 requires agencies to:
1. Establish roles to facilitate identity proofing, information capture and storage, and card issuance and maintenance.
2. Develop and implement a physical security and information security infrastructure to support these new credentials.
3. Establish processes to support the implementation of a PIV program. (GSA, 2005a)
The notion behind these standards is to provide enhanced security at Federal facilities and information systems.
Cost Justifications:
One way an agency can justify the cost of identity management is the fact that it enhances security by safeguarding access to buildings, secure areas, and electronic systems. Conventional authentication can be easily forged, stolen or altered to gain unauthorized access. This type of security breach can lead to identity theft that has the potential to cost individuals and agencies large financial losses. The Federal Trade Commission in 2004 conducted 4,057 interviews with individuals who incurred losses associated with identification theft and estimated the costs to them. The loss estimates, compiled from the data gathered in the interviews, put the cost at nearly $10,200 per incident and $33 billion total for agencies, businesses and financial institutions. The frequency of these incidents indicates a growing problem of theft and loss. Examples of compromised records include 1.4 million credit card numbers from DSW Shoe Warehouse, 200,000 client files from Ameritrade, records for 30,000 students and staff at George Mason University, 59,000 student records at a California University, Bank of America tapes with information on 1.2 million government employees, a stolen University of California laptop with 100,000 identities, 280,000 possible victims at LexisNexis, 145,000 social security numbers at ChoicePoint (FTC, 2003), and most recently the social security numbers of 26.5 million veterans.
The use of smart cards developed pursuant to the NIST PIV II standard would provide enhanced security authentication. A smart card is a plastic device about the size of a credit card that contains an embedded hardware computer chip that is separate from the computer. (See Appendix C). If the computer is compromised or infected, the smart card itself would not be affected. Smart cards operate in their own separate space, which makes them less susceptible to being compromised, thus making them a more robust method for authentication as well.
A second way government agencies can justify the cost associated with smart cards is that they harden logical security. This could prevent thieves from gaining unauthorized access and help address the concerns associated with identity theft. The unique advantage that smart cards have over traditional cards with simpler technologies like magnetic stripes or bar codes is that they can exchange data with other systems and process information. (See Appendix D). Older card versions were static and could not exchange data. By securely exchanging information, a smart card can help authenticate the identity of the individual possessing the card in a far more thorough way than is possible with traditional identification cards. A smart card’s processing power also allows it to exchange and update many other kinds of information with a variety of external systems, which can facilitate applications such as financial transactions or other services that involve electronic record-keeping. (GSA, 2005b) This enhanced security reduces the risk of identity theft and financial losses.
A third way government agencies could justify the costs associated with smart cards would be through enhanced security for remote authentication. (See Appendix E) Most agencies have developed systems to allow remote access even though it provides an alternative method for non employees to gain access. Normally, controlled computer environments like those found at federal agencies, banks, financial institutions and physical stores have security measures in place to stop malicious behaviors. This is not always the case when people work at home using their own computers. These computers are usually directly connected to the internet and are outside controlled settings. Because of this, the potential risks are significant when data is left unprotected.
Using PKI public key cryptography can help solve the problem with unprotected data. This encryption technology stores a person’s digital certificate and has the ability to thwart thefts by safeguarding identities. Many agencies have looked at smart cards and the PKI model to include key management. When a certificate is created, there is a multistage process involved. Typically, for authentication and digital signature key pairs, the keys are generated locally on the smart card. The private key never leaves the smart card, while the public key is exported for inclusion in a certificate request. There are four key components for PKI to be successful:
1. Registration/Enrollment: To create a digital certificate, PKI systems require a secure process for verifying the person’s identity. PKI products supported multiple methods of making sure that applicants for certificates were legitimate and actually were who they were claiming to be. The same secure registration process is needed for granting access to customer identity information.
2. Repository: PKI required both a trustable public repository for public keys and a secure repository for backup of private keys. Protecting stored identity information requires a secure repository, as well.
3. Revocation: For digital certificates to be meaningful, a process was needed to inform those relying on certificates that a certificate had expired, had been revoked or was, for whatever reason, no longer valid. Revoking access to customer identity information when that access no longer has business justification is a critical requirement.
4. Reliability: PKI systems included mechanisms for archiving and backing up encryption keys, had guidelines for protecting the PKI infrastructure, and had auditable mechanisms (defined in certification practice statements) for defining the security processes that would be employed to maintain the trust of the entire PKI. Systems that handle sensitive identity information should have standard formats for documenting similar assurances. (Pescatore, 2005a)
Using the public key infrastructure (PKI) components described above can save government agencies time and money by mitigating the risks associated with identity theft. (See Appendix F)
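The card and certificate lifecycle described above (a key pair that stays on the card, a certificate request carrying the public key, enrollment, and revocation) can be traced in a short simulation. This is an added example, not code from the original essay or from any PIV product; the class names, the holder ID, the day-number expiry and the textbook RSA built from fixed Mersenne primes are all assumptions made so that it runs deterministically with the Python standard library, and the toy signature scheme is not secure.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # RSA public exponent

def _digest(data: bytes, n: int) -> int:
    # Toy hash-then-reduce; real cards sign with padded RSA or ECDSA.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == _digest(data, n)

class ToyKey:
    """Textbook RSA from two fixed Mersenne primes: constructed, NOT secure."""
    def __init__(self, p_exp: int, q_exp: int):
        p, q = 2**p_exp - 1, 2**q_exp - 1
        self.n = p * q                              # public key (modulus)
        self.__d = pow(E, -1, (p - 1) * (q - 1))    # private exponent
    def sign(self, data: bytes) -> int:
        return pow(_digest(data, self.n), self.__d, self.n)

def _tbs(serial, holder, public_key, not_after) -> bytes:
    return f"{serial}|{holder}|{public_key}|{not_after}".encode()

@dataclass(frozen=True)
class Certificate:
    serial: int
    holder: str
    public_key: int
    not_after: int      # expiry as an abstract day number
    signature: int      # CA signature over the other fields

class SmartCard:
    """Models the chip: callers get the public key and signatures, never the key."""
    def __init__(self, holder: str, key: ToyKey):
        self.holder, self._key = holder, key
    def certificate_request(self) -> dict:
        body = f"{self.holder}|{self._key.n}".encode()
        return {"holder": self.holder, "public_key": self._key.n,
                "proof": self._key.sign(body)}       # proof of possession
    def sign(self, challenge: bytes) -> int:
        return self._key.sign(challenge)

class CertificateAuthority:
    def __init__(self):
        self._key = ToyKey(107, 127)
        self.public_key = self._key.n
        self.revoked = set()                         # published revocation list
        self._serial = 0
    def issue(self, req: dict, identity_proofed: bool, not_after: int) -> Certificate:
        if not identity_proofed:                     # 1. registration/enrollment
            raise PermissionError("identity not verified")
        body = f"{req['holder']}|{req['public_key']}".encode()
        if not verify(req["public_key"], body, req["proof"]):
            raise ValueError("requester does not hold the private key")
        self._serial += 1
        sig = self._key.sign(_tbs(self._serial, req["holder"], req["public_key"], not_after))
        return Certificate(self._serial, req["holder"], req["public_key"], not_after, sig)
    def revoke(self, serial: int) -> None:           # 3. revocation
        self.revoked.add(serial)

def authenticate(card, cert, ca, today: int, challenge: bytes) -> str:
    """Relying-party check (door reader or logon server)."""
    tbs = _tbs(cert.serial, cert.holder, cert.public_key, cert.not_after)
    if not verify(ca.public_key, tbs, cert.signature):
        return "reject: not issued by trusted CA"
    if today > cert.not_after:
        return "reject: expired"
    if cert.serial in ca.revoked:
        return "reject: revoked"
    if not verify(cert.public_key, challenge, card.sign(challenge)):
        return "reject: card lacks the certified private key"
    return "accept"

def demo() -> list:
    ca = CertificateAuthority()
    card = SmartCard("employee-0001", ToyKey(61, 89))      # constructed holder
    cert = ca.issue(card.certificate_request(), identity_proofed=True, not_after=365)
    other = SmartCard("employee-0001", ToyKey(19, 31))     # different chip, copied cert
    results = [authenticate(card, cert, ca, 10, b"nonce-1"),
               authenticate(other, cert, ca, 10, b"nonce-2"),
               authenticate(card, cert, ca, 400, b"nonce-3")]
    ca.revoke(cert.serial)                                  # employee leaves
    results.append(authenticate(card, cert, ca, 10, b"nonce-4"))
    return results

if __name__ == "__main__":
    print(demo())
```

The second result shows why keeping the private key on the chip matters: a copied certificate is useless without the card that can answer the challenge.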
The recent incident involving the Department of Veterans Affairs (VA) that compromised the identities of up to 26.5 million veterans and some spouses provides plenty of justification of the cost for better identity management security. Gartner research evaluated costs related to identity thefts similar to the ones being publicly announced. They estimated that data breaches will cost companies 50 percent more than data protection will. Gartner states the following:
A company with at least 100,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined. These unit costs will be reduced drastically if these strategies are applied to protecting millions of customer accounts. This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach. Likewise, these costs may escalate dramatically if proposed legislation mandating fines up to $11,000 per exposed and damaged customer account is imposed. (Pescatore, 2005b)
According to Gartner research, nearly all data theft attacks could have been prevented if the sensitive data was encrypted and the encryption keys were properly protected. For large environments such as government agencies with over 100,000 records to safeguard, Gartner estimates the costs associated with equipment, integration and maintenance to be about $6 per person in the first year. The estimates of using PKI encryption would decrease each year and cost approximately $1 per account per year in recurring costs. Gartner research’s evaluations show there are significant losses associated with not protecting data. Their cost estimates for data encryption show a cost savings in comparison, and should help agencies decide whether to move forward with this technology.
Benefits:
One of the benefits of this technology is the ability to consolidate personal identity requirements. Consolidating logical and physical security controls into a single, card-connected system has the potential to save money and reduce security costs by 40 to 60 percent over traditional approaches, while enabling an agency to control a greater percentage of its access points. A single system eliminates the costs of installing and wiring traditional access points. It also reduces the considerable expense of traditional architectures and systems for access control at remote locations. These savings would allow agencies to expand the number of locations and systems that are electronically secured.
Agencies can also benefit from using a single interface to control both wired and card-connected access points. This would allow administrators to manage a large number of users and locations more efficiently. Each smart card credential securely carries the roles and privileges of the individual from wired to standalone access points, creating a card-connected environment. The benefit is realized when the cardholders become an extension of the physical access network, and their cards carry information to and from the readers. By following this model, security is increased significantly at a fraction of the normal cost. For example, if an employee leaves the agency, rather than replace door locks and wiring (at a cost of $5,000 each, as well as time delays), the card permissions can be immediately revoked and the employee can no longer access the facility or information networks. (“Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard: GAO-06-178”, 2006)
A second benefit of this technology is electronic authentication. This provides simpler access to multiple agency applications through the re-use of credentials and established identities. Using a single central credential permits access to multiple systems without having to key in multiple passwords. An example of an industry leader providing easier access to multiple systems is UBS, a global financial company headquartered in Switzerland. They accomplished identity authentication by the successful implementation of PKI. This company implemented the use of digital certificates that linked their employees to a specified public key for electronic signing. They used the PKI security architecture as a method to address efficient and secure authentication. UBS concluded that the processes and technology that had worked in a centralized environment were no longer effective in a decentralized one. Major concerns were increased inefficiency, rising costs and the reduced ability to control risk. Their problems included the following:
1. The network of open production systems could be reached from anywhere, putting critical data at significant risk.
2. Existing applications were not designed to function within such an environment. User authentication by “plain old passwords” was increasingly seen as providing an unacceptably low level of protection against illegitimate access in such an environment.
3. The bank had almost half a million different passwords in use: The average user had to remember at least 15 passwords, making it inevitable that many users would write down their passwords. Additionally, significant help desk resources were devoted to resetting forgotten passwords. (Noakes-Fry, 2005b)
The technologies and processes that were in place prior to moving towards PKI could not eliminate or reduce the three problems indicated above. The company predicted the problems would only worsen as the network continued to grow. UBS decided it needed to change in order to provide a strong, reliable, and human-accessible user authentication to information resources.
Identity authentication objectives at UBS were defined by a single sign-on process. This allowed each user to only remember a single PIN and authenticate once per login session to access all systems. The company used smart cards that permitted user access to the computer and authentication to additional systems. The public-key infrastructure (PKI) was the key component to support stronger user authentication and identity management in the environment. Cost savings were realized because UBS was able to reduce the number of help desk calls for password support. According to UBS, many hours were spent each retrieving or resetting users’ passwords which resulted in the loss of productivity. Since implementing single sign on the company has increased security, improved functionality and reduced help desk expenses.
A third benefit of this technology is the ability to move away from paper signatures and towards public key digital signatures. This move has the potential to reduce the amount of time normally spent processing paperwork and transform business electronically. Moving away from paper records and towards electronic forms supports the Government Paperwork Elimination Act (GPEA). This act recommended that federal agencies establish electronic forms to provide immediate feedback from data submitted online. It stated that forms should be electronically fill-able, file-able, and signable, and a model of user friendliness and efficiency. Signed records can be stored and retained for the purposes of retrieving them for later use, either as part of a related business process or a legal proceeding. Some records may be retained for decades.
This move was successful in the case of a student loan company with a portfolio of more than $2 billion that implemented an online application process for consolidation loans using digital signatures. According to Gartner research, the company met its goal of having electronically fill-able applications in place before the huge wave of applications began arriving in June. These electronic applications were signable with digital signatures and received immediate acceptance from borrowers. Gartner noted that the company experienced a significant reduction in cost and reduction in turnaround time for each application:
• It previously cost $12 to send an application via FedEx (and including a prepaid FedEx envelope cost another $12), but it now costs $1.35 to send.
• Under the old system, the company received 35 percent of the applications back with signatures; 65 percent of electronic applications are returned with digital signatures.
• Using previous delivery methods, it took 10 days to get the application back; with digitally signed electronic applications, turnaround is one day. (Noakes-Fry, 2005a)
Risks:
There are several risks involved with implementing HSPD 12. These risks include the cost and the looming October 2006 deadline for agencies to meet compliance. Cost is always a big concern at federal agencies, and implementation can be prohibitively expensive for any one agency to bear all of the expenses. Many federal agencies and contractors are already stretched for funding and resources. HSPD-12 is an initiative that requires interoperability between complex federal government systems, the reevaluation of business processes, and unprecedented collaboration between IT, human resources, and physical security staffs. Looking at the requirements for PIV card use, the implementation includes digital certificates, the PIV Cards, printing, middleware software, IDMS, a card management system (CMS), and an OCSP capability. These costs were estimated using models identified by the Office of Management and Budget (OMB):
Larger departments estimate that the first year costs per person are between $90 – 110. It is anticipating that out years costs at larger departments will decrease to approximately $60 for initial year based on deployments exceeding 500,000 users. It is anticipated in time these cost will decrease even further. (GSA, 2005a)
The recommendation from OMB states that smaller agencies need to align themselves with larger federal agencies to lower the total cost of ownership. Moreover, there are a number of costly infrastructure components and processes that an agency may be required to purchase. This would include the expenses associated with physical access control systems that can link multiple agency locations together. These costs may exceed the amount agencies can afford and absorb by themselves. The concern arises if a single agency were to outsource the entire implementation to commercial vendors with its current employees and contractors. If this were to occur, OMB says the costs per person could easily exceed $200. The guidance from OMB proposes waiting until the larger agencies such as the Department of Defense implement smart card use. This way smaller agencies can align themselves with other large volume agencies to take advantage of volume discounts.
The United States Government Accounting Office published key findings in the February 2006 report entitled, “Agencies Face Challenges in Implementing New Federal Employee Identification Standard.” This report provided guidance about smart card technology planning and budgeting activities. There were several concerns raised in the report with regards to the smart card technology. The concerns involved the time frame for effective planning, information gathering about risk, and cost benefit information. The GAO noted the following:
As part of the annual federal budget formulation process, agencies are required to submit their budget requests 1 year in advance of the time they expect to spend the funds. In addition, in the case of major IT investments, which could include new smart-card based credentialing systems, OMB requires agencies to prepare and submit formal businesses cases, which are used to demonstrate that agencies have adequately defined the proposed cost, schedule, and performance goals for the proposed investments. In order for agencies to prepare business cases for future funding requests, they need to conduct detailed analyses such as a cost benefit analysis, a risk analysis, and an assessment of the security and privacy implications of the investment.
However, agencies have lacked the information necessary to conduct such reviews. For example, agencies have not had reliable information about product costs and cost elements, which are necessary for cost-benefit analyses. In addition, without FIPS 201 compliant products available for review, agencies have been unable to adequately conduct risk analyses of the technology. Most importantly, the lack of FIPS 201 compliant products has inhibited planning for addressing the investment’s security and privacy issues. (“Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard: GAO-06-178”, 2006)
The GAO did provide three recommendations that would be helpful in addressing the concerns and enable agencies to move forward with the HSPD 12 mandate. The report discussed the following key activities regarding the compliance standard and recommended the following three actions:
1. Provide specific deadlines by which agencies implementing transitional smart card systems are to meet the “end-point” specification, thus allowing for interoperability of smart card systems across the federal government;
2. Provide guidance to agencies on assessing risks associated with the variation in the reliability and accuracy among biometric products, so that they can select vendors that best meet the needs of their agencies while maintaining interoperability with other agencies, and
3. Clarify the extent to which agencies should make risk-based assessments regarding the applicability of FIPS 201 to specific types of facilities, individuals, and information systems, such as small offices, foreign nationals, and volunteers. The updated guidance should (1) include criteria that agencies can use to determine precisely what circumstances call for risk-based assessments and (2) specify how agencies are to carry out such risk assessments. (“Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard: GAO-06-178”, 2006)
Conclusion:
With little more information than a social security number, an identity can be stolen. As the Federal Trade Commission (FTC) points out “Social Security numbers play a pivotal role in identity theft. Identity thieves use the Social Security number as a key to access the financial benefits available to their victims.” (FTC, 2003) Identity theft is growing rapidly and has become a serious threat. It is easy to open fraudulent lines of credit in the name of some unsuspecting victim. The FTC statistics for 2004 indicate that credit card fraud (28%) was the most common form of reported identity theft, followed by phone or utilities fraud (19%), bank fraud (18%), and employment fraud (13%). Other significant categories of identity theft reported by victims were government documents/benefits fraud and loan fraud. (FTC, 2003)
Congress is considering several measures to prevent the crimes identified by the FTC, and among them is the Personal Data Privacy and Security Act of 2005. Senate Judiciary Committee Chairman Arlen Specter (R-PA) introduced the bill. He wanted the measure to require a review of federal sentencing guidelines to allow a maximum penalty to be imposed on identity thieves and impose financial penalties on data brokers for allowing data breaches to occur. The bill also outlines procedures for data brokers and consumers to follow to correct incorrect information contained in personal records, and increases criminal penalties for computer fraud involving personal data and unauthorized access to personal information. It also makes it a crime to intentionally conceal a security breach involving personal data. (Moye, 2006)
The HSPD 12 implementation requires Federal agencies to make investments for secure and reliable forms of identification. HSPD 12 was formed to resolve problems associated with identity management and provide enhanced security at federal agencies. Government agencies will be asked to justify the costs involved in complying with the HSPD 12 mandate and understand what benefits they can expect in return for their investment along with the associated risks. Moving forward with the mandate will involve both logical and physical changes. These changes will most likely include costly infrastructure components and smart card readers for computers logging onto the network. Additionally, desktop computers will need to be equipped with smart card readers for logging onto the network and for accessing network resources. Moreover, the badging process will require additional physical security for buildings and secure areas.
The conventional method of proving your identity will need to change to accommodate the enhanced public key infrastructure (PKI) components. Authentication to agency resources will involve the combination of biometrics, digital certificates, and passwords for single sign on capabilities. The technology has the ability to provide simpler access to multiple agency applications through the re-use of credentials and established identities. It also allows each user to only remember a single PIN and authenticate once per login session to access all systems. This will provide a relatively high level of security because it relies on multiple layers of specific information prior to authentication. The benefit to the user results in eliminating the need for multiple cards, remembering multiple PINs and login information. Like insurance, the real value can be measured against the cost and impact of the bad things that could happen if you do not protect yourself.
References:
Electronic Government: Agencies Face Challenges in Implementing New Federal Employee Identification Standard: GAO-06-178. (2006). GAO Reports, 1.
FTC. (2003). Statement of Assistant Secretary for Financial Institutions Wayne Abernathy on the Federal Trade Commission’s Identity Theft Survey Report. FDCH Regulatory Intelligence Database.
GSA. (2005a). Federal Identity Management Handbook. GSA.
GSA. (2005b). Government Smart Card Handbook. GSA.
Moye, S. (2006). Congress Assesses Data Security Proposals. Information Management Journal, 40(1), 20-22.
Noakes-Fry, K. (2005a). Case Study: Loan Company Uses E-Signatures to Cut Costs and Save Time. Gartner Research (G00129945).
Noakes-Fry, K. (2005b). Case Study: UBS Manages IDs with PKI-Based Smart Cards to Increase Security and Reduce Costs. Gartner Research (G00130280).
Pescatore, J. (2005a). Apply the Lessons of Public-Key Infrastructure to Protecting Customer Information. Gartner Research (G00126768).
Pescatore, J. (2005b). Data Protection is Less Costly than Data Breaches. Gartner Research (G00130911).