WASHINGTON, May 10 (UPI) -- White House plans to implement a single, interoperable identity credential for millions of federal employees are floundering because of a lack of leadership, according to government procurement analysts.
"What everyone is struggling with is the lack of clarity," former senior federal information security official Bruce Brody told United Press International.
He predicted that unless deadlines were moved back there would be what he called "an expensive train wreck," and "widespread non-compliance of varying degrees" from federal agencies.
The plan, dubbed Homeland Security Presidential Directive, or HSPD, 12, envisages that by October this year every agency in the federal government will have begun issuing new, more secure identity cards, possibly including biometric data like fingerprints, that will control access to both physical premises like government buildings and log-on access to government computer networks.
Agencies can phase in the implementation but the challenge is considerable, especially for the 80 percent of federal employees that work outside Washington.
Brody, who has been involved with the plan since its inception in August 2004, said overly tight deadlines, the tardy or non-completion of technical standards and the failure to make key decisions had left federal chief information officers facing an uphill battle.
"If you are a program manager sitting in a federal agency, facing these incredibly aggressive deadlines, what you need is clear guidance on implementation," Brody said, "That's not happening."
He said resources were also a problem since the White House Office of Management and Budget had decreed that little additional funding would be made available to agencies.
"It's easy to say (to agencies), 'you should have been doing this anyway, take it out of hide,'" said Brody, using a budgetary slang expression meaning the costs must be met through savings or cuts elsewhere.
"It's very easy to say, but very hard to do."
Brody said the lack of clarity on key issues -- such as the use of biometric data -- made it hard for the officials responsible for implementing the plan to make their argument for the funds they needed.
"If you are trying to work out cost schedules and performance thresholds and trying to put together a business case to justify your budget requirements, you need clarity and stability," he said, adding that the Office of Management and Budget had moved deadlines and changed its mind about key issues.
No one there was available for comment Tuesday afternoon, but two former officials defending the administration told UPI that the agency was doing everything it could to meet the deadlines, adding that there were always complaints whenever deadlines were set.
Brody, who was in charge of cyber-security at the Department of Energy until January, is now a consultant for Reston, Va.-based, government procurement market analysts INPUT. In a report to be published Wednesday, INPUT says that the lack of clarity means that even those agencies which had identified budget dollars they could spend on the project are reluctant to move forward with purchases.
"Even those agencies that have been proactive in identifying funds for ... implementation are holding back on large-scale acquisitions ... until clear direction is received," the company said in a press release about the report.
Brody said the conclusions were based on his own experience at the Department of Energy and his contact since with key officials still grappling with the problem.
"This came out of nowhere," he said of HSPD-12. "From an implementation standpoint, it wasn't thought through, nor did they consult any practioners that I'm aware of."
Because the plan was prepared without sufficient input from the people who would actually have to put it into action, he said, it was too ambitious.
"The technical part of this," he said of the need to create standards that would allow dozens of different agencies to produce cards that could be read by each others machines, "while complex and expensive, is not as hard" as the business process piece," getting (information technology), physical security and (human resources) elements all working together."
He said the deadlines needed to be moved back, and there needed to be "some really serious thinking" about implementation.
If that did not happen, he said, there would be widespread failure to comply with the new rules in October. "Some (agencies) will do the minimum they need to to comply, some will more or less openly just say, 'we can't do this,' it will vary," he told UPI.
