
Federal smart-card rollout continues S-L-O-W progress.


When President Bush signed a directive in August 2004 requiring federal government agencies to roll out secure smart-card ID credentials to all employees and contractors within four years, many predicted the effort would take a whole lot longer than that.

Based on a recent status update from the White House's Office of Management and Budget (OMB), it would appear that they were spot on.

As of March 1, only 3.3% of all federal employees have been issued the required credentials, while just 2.9% of contractors have gotten one. According to the OMB update, the Personal Identity Verification (PIV) smart cards need to be issued to a total of more than 4.3 million federal employees and 1.2 million contractors. So far, cards have been handed out to only about 143,000 employees and 36,000 contractors.

The situation is considerably better when it comes to the comprehensive employee background investigations that are also mandated under Bush's directive, which is formally known as Homeland Security Presidential Directive-12 (HSPD-12). Federal agencies thus far have completed the so-called National Agency Check and Inquiries (NACI) for almost 60% of their employees and 42% of contractors.

Agencies that appear to have made the most progress in implementing HSPD-12 include the Department of Labor, which has issued PIV cards to 66% of its 15,400 or so employees, and the Department of State, which has given cards to just under half of its 19,000-plus employees. In addition, the Environmental Protection Agency has handed out cards to 52% of its more than 17,000 employees. Meanwhile, the apparent laggards include the Department of Veterans Affairs, which has issued PIV cards to just 3,846 employees -- or a meager 2% of the total number of nearly 245,000 workers requiring the credentials -- and NASA, which has equipped just 7% of its 20,000 employees with the cards.

To put the numbers in perspective: under HSPD-12, federal agencies were required to have begun issuing PIV-compliant credentials on Oct. 27, 2006; by the same date last October, they were required to have completed their NACI background checks and issued PIV cards to all employees with less than 15 years of experience and to contractors; they have until this October to finish issuing the cards.

Given the current rate of progress, the chances of making that deadline appear to be remote for several agencies. Even those that do are unlikely to have fully functional PIV cards that can actually be used for accessing both federal facilities and computer networks.

The situation isn't entirely unexpected, though. Right from the outset, those involved in the effort or those close to it have said that the various deadlines set under HSPD-12 were far too optimistic and aggressive. For starters, when HSPD-12 was announced, the National Institute of Science and Technology (NIST) had to first come up with the technical specifications for PIV cards before agencies could even begin thinking of rolling them out.

NIST delivered those specifications in near-record time: under a year. Since then, agencies have had the unenviable task of essentially trying to replace their existing physical and logical access infrastructures with the one required for PIV cards in what many people say is an unreasonably short time frame.

As Hord Tipton, a former CIO at the Department of the Interior, told Computerworld several months ago, the technology itself isn't what's complicated; it's the required integration that takes time. Implementing HSPD-12 requires a level of cooperation between various groups, such as human resources, physical security and IT security, that most federal agencies are simply unaccustomed to. According to Tipton, in addition to the internal issues, agencies also need to make sure their PIV card infrastructures are interoperable with those of other government agencies, which raises a whole set of other technology, standards, trust, control and political issues that agencies need to navigate.

How soon these issues can be overcome is anybody's guess at this point. The one thing that seems almost certain, though, is that very few federal agencies covered by HSPD-12 will meet the October deadline.

Those interested in seeing the full OMB status update can get it here.
