U.S. federal officials are looking to outsource the IT infrastructure that’s needed to support a planned smart-card system for authenticating employees governmentwide. And the outsourcing plan makes sense, given the scale and complexity of the smart-card initiative, IT analysts said last week.
The U.S. General Services Administration (GSA) this month posted a brief document on its Federal Business Opportunities portal site clarifying requirements for outsourcing vendors seeking to deploy, operate and maintain the various systems needed for the smart-card program.
The outsourcing plan also includes business processes and covers functions such as employee registration, identity and card management, public-key infrastructure certification and card printing, according to the document.
The note updated a formal request for information, published on Dec. 13, in which the GSA asked outsourcing vendors to provide details on their ability to meet the implementation requirements of Homeland Security Presidential Directive 12.
Under HSPD 12, which is an unfunded mandate, all federal agencies are required to use smart cards to authenticate their employees for access to buildings and IT systems starting Oct. 27.
Outsourcing Advantages
A decision to outsource the necessary infrastructure would significantly ease the compliance burden for individual federal agencies, said Gregg Kreizman, an analyst at Gartner Inc. “It is necessary, because they don’t have the people or the skills to do it on their own,” he said.
The sheer size of the IT deployment requires an outsourcing strategy, said Prabhat Agarwal, an information security consultant at Input Inc., a Reston, Va.-based firm that focuses on government procurement issues.
“You are talking about a massive approach that touches all agencies,” Agarwal said. “Because of the scale of this venture, it is almost automatic that [the government] would go to the private sector.”
The GSA didn’t respond to a request for comment on its plans last week. But according to the documents posted on its portal, the agency is looking at a shared-services model under which multiple agencies would use a common infrastructure to issue smart cards to their employees and manage them.
Each agency would be responsible for conducting background checks and determining the eligibility of employees to receive one of the Personal Identity Verification (PIV) smart cards. Outsourcers would manage the IT infrastructure and the process of issuing and managing cards.
Outsourcing the smart-card systems is a good idea, but the work should be divided among multiple vendors, said Alan Paller, director of research at the SANS Institute, a security research and training firm in Bethesda, Md. He added that encouraging competition among vendors should provide service delivery benefits.
The Office of Management and Budget has already appointed the GSA as the governmentwide agent for acquiring products and services as part of implementing the HSPD 12 requirements.