The right choice for PIV deployment: In-house, managed services or outsourcing
White Paper
by Robert Brandewie
SVP Public Sector Solutions ActivIdentity
Over the past five years, it has become increasingly apparent that some people simply aren’t who they say they are. And while that might spell significant dollar loss for a financial institution or an irritating predicament for an online dating enthusiast, it could produce catastrophic results for a government agency, leaving valuable assets – physical, cyber and human – vulnerable to those intent on doing harm.
With identity verification growing more urgent and deadlines passing rapidly to comply with the HSPD-12 mandate, it is more important than ever that the security-minded government agency marshal its resources to develop a solid strategy for issuing and managing Personal Identity Verification (PIV) cards. “The idea of ensuring the identification of a person accessing resources is not new. What is new is smart card authentication technology and secure digital credentials,” says Jason Hart, CEO, ActivIdentity.
While all agencies have equal concern about identity verification – and cross-agency verification is a real issue for everyone even with NIST interoperability standards in place – the agencies themselves are not created equal, nor are the PIV deployment solutions available to them. In fact, whether an agency selects an in-house solution, a managed service or an outsourcing approach depends in large part on the size of the agency, the number of locations, its budget and security philosophy as well as its culture and business practices. The right decision could make a big difference in the ease of implementation, its cost, and ultimately its success. What strategy for PIV deployment an agency picks depends on certain criteria.
Keeping it in-house
For the larger agency like Commerce or NASA that is relatively concentrated and not evenly distributed throughout the world, in other words, one which has fewer remote locations, an in-house solution may be the wisest choice. That is especially true if the agency has a sophisticated technology team. For NASA, keeping a PIV strategy in-house was a no-brainer. The agency had already been heavily involved in standards development and had invested in infrastructure that would support an in-house solution.
An agency suited for an in-house scheme often has authentication and security already embedded in its infrastructure and there is a tendency to hold personnel information close to the vest. Those agencies may find that budget is an issue though. While an initial in-house approach, generally counted as capital expenditures, could prove cheaper, there are more technical risks that can drive up costs.
Managed services
Smaller agencies and those that are more geographically dispersed, such as the U.S. Postal Service, will likely find a managed services approach, offered by the General Services Administration (GSA), a better fit with their requirements. Those agencies generally are concentrated on core business processes and don’t want to start training their focus on technology details and the carry-ons needed to support a secure credentialing program.
Mike Butler at GSA believes that shared services help agencies keep costs down and let them “concentrate and spend on [much-needed] applications.”
This approach means that the agency won’t have to invest in infrastructure only to find itself locked into a dead end. Instead, it buys into a solution that is future-proof and doesn’t require it to keep up with technology and changes in the standards, or the security and technical environment. “For most agencies still looking today, investment in infrastructure is not an [option]. You are talking at least a $2 million backend investment,” says Butler.
Take it outside
Much like an in-house strategy, outsourcing PIV deployment is aimed at the larger agencies, particularly the ones that want predictable and stable costs, which generally fall under the organization’s operational budget.
“It’s a smart idea for government agencies in a marketplace where there’s not enough skilled labor to cross all agencies,” says Dallas Bishoff, of AuthSec, a consultancy that worked with the VA and other agencies to develop their PIV strategies.
Mix it up
Because HSPD-12 has many different components, a combination of the three approaches might work best for some agencies, depending on their overall level of readiness. This is especially true for those organizations that have big headquarters operations as well as diverse field offices.
The ActivIdentity difference
No matter which path an agency chooses for PIV deployment, ActivIdentity can help it achieve compliance with HSPD-12 and keep in step with NIST’s FIPS 201 standard for interoperability. Not only does the company offer a Smart Employee ID for PIV solution that includes the ActivIdentity market-leading ActivClient® middleware and ActivID™ Card Management System (CMS), ActivIdentity is an acknowledged pioneer in the arena of secure identification.
From its early work with the Department of Defense to its broad appeal with more than 4 million U.S. government employees across 25 agencies using its smart card solutions, ActivIdentity has gained intimate knowledge about the needs and challenges that those agencies face. And the company has developed solutions and support services that ensure that the end user is insulated from changes in technology and standards.
“We know what CIOs are concerned about – their real need to meet the HSPD-12 mandate is tempered by cost and their agency’s capabilities,” says Hart. “They need to focus on other issues around PIV and let managed services handle the details of card issuance.”
Robert Brandewie has more than 30 years of identity strategy and policy development experience. Prior to joining ActivIdentity as SVP Public Sector Solutions, Robert served as Director of the Defense Manpower Data Center (DMDC) and was architect of the Common Access Card system (CAC) for the Department of Defense.