Originally published at Federal News Network: https://federalnewsnetwork.com/commentary/2025/05/the-unfulfilled-promise-of-hspd-12-why-we-need-a-true-federal-identity-credential-system/
The unfulfilled promise of HSPD-12: Why we need a true federal identity credential system
Bobby Bermudez, the president and founder of Symposit, says it’s past time to have a centralized identity management system for agencies, contractors.
With the new administration’s prioritization of digital transformation and government efficiency, it’s time to revisit the original promise of Homeland Security Presidential Directive 12 (HSPD-12) — a uniform, interoperable identity management and authentication system for federal employees and contractors. The directive, issued in 2004, was meant to establish a common identification standard across agencies. Yet, two decades later, many of us working in federal IT still find ourselves juggling multiple Personal Identity Verification (PIV) cards, each with its own set of challenges, restrictions and inconsistencies. More than inconvenient, it hamstrings agencies from working together and with common security standards.
A look back: The early days of federal identity management
When I began my federal contracting career in 2008, the ID badge I received wasn’t particularly “smart.” It served primarily as a visual identifier — a way to flash my credentials at security checkpoints or occasionally unlock a turnstile. However, it lacked multi-factor authentication and digital certificates — features that are now standard on modern PIV cards.
By the time HSPD-12 began to take hold around 2010, federal agencies were rolling out PIV cards and Public Key Infrastructure (PKI) authentication in earnest. As an IT engineer, it was an exciting time to implement these technologies and watch the transition from basic badge access to a more secure, certificate-based identity system. The technical interdependencies of PKI fascinated me, and one of my key responsibilities was to replicate this authentication chain in offline environments to ensure system redundancy and resilience.
The present: A system of digital silos
Fast forward to today, and I now carry multiple PIV cards from different agencies — a situation that should never have happened under HSPD-12’s vision. Instead of one common credential, I juggle cards, PINs, certificate chains and middleware quirks from multiple agencies. Some cards work seamlessly with their agency’s VPN, while others require an exhaustive series of certificate updates and software installations just to function.
The irony? Each of these cards contains the same fundamental information about me: the same biometrics, the same background check and the same level of identity assurance, but different agency logos printed on the front.
In an attempt to break down physical security silos, we have created digital ones.
This fragmentation extends beyond mere inconvenience. Agencies struggle with cross-agency authentication, often treating credentials issued by another agency as foreign objects rather than part of a unified federal identity framework. I’ve sat through countless technical meetings where teams grapple with accepting PIV credentials from external agencies. Instead of building one unified system, we are constantly engineering fragile, makeshift bridges between disconnected islands.
The solution: A true federal identity credential
The solution seems painfully obvious: A single, interoperable federal identity credential that works seamlessly across all agencies. The technology, infrastructure and standards exist. What we lack is the will to break down bureaucratic barriers and fully implement the vision of HSPD-12.
The benefits of a unified identity management and authentication system are clear:
- Enhanced security: A single federal credential would simplify identity management and reduce attack surfaces, limiting the need for multiple, duplicative authentication systems.
- Operational efficiency: IT teams would no longer need to troubleshoot interoperability issues between different agency systems.
- User experience: Federal employees and contractors would have a streamlined, hassle-free authentication process, reducing downtime and frustration.
- Cost savings: Maintaining a single system is far more efficient than each agency developing and managing its own version.
How would this be accomplished?
Fortunately, we already have infrastructure in place that could be used. There are some obvious choices: Since the General Services Administration already operates the federal civilian PKI infrastructure, one idea would be for GSA to issue a single PIV card (denoting whether you are a federal employee or a contractor) and to work with agency security officers to load and unload certificates as appropriate for each agency. The certificates would be loaded and unloaded dynamically as users enter or exit an agency. This alone would reduce the number of PIV cards any single person maintains and would ensure centralized management and security. Essentially, it would be a single digital “passport” for federal employees and contractors, with a “visa” for each agency they are assigned to.
Another benefit is that the agency could be obscured on the card itself, so an adversary would not know whether a given PIV card belonged to the State Department or to the Smithsonian. With this obfuscation, we could better track unauthorized use attempts, such as trying to enter a different federal building.
If someone is terminated from federal contracting or employment altogether, only one card would need to be collected or invalidated instead of several. That leads to one final point: we need to get rid of badge “flashing.” I still see this at many agencies, where a quick visual check by the security guard lets someone through. We need 100% scans of cards at every federal entrance. My ID gets scanned whenever I fly on a plane, and entry to a federal property should be no different.
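The following is an added example, not code from the article or from any federal system: a minimal Python model of the “passport with visas” proposal above, in which one centrally issued card carries per-agency entitlements that are loaded and unloaded as assignments change, every entry is checked rather than “flashed,” and a single revocation cuts off access at every agency. All class, field and agency names are hypothetical.

```python
"""Added example (not from the article): a minimal model of a single federal
credential carrying per-agency 'visas'. Names and fields are hypothetical."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class FederalCard:
    serial: str                    # one card per person, issued centrally
    holder_type: str               # "employee" or "contractor", as proposed
    visas: dict = field(default_factory=dict)  # agency -> expiry of that agency's certificate


class CentralRegistry:
    """Models the central issuer (the article suggests GSA) that loads and
    unloads agency visas, revokes cards, and keeps an audit trail of denials."""

    def __init__(self):
        self.revoked: set = set()   # serials invalidated on termination
        self.denials: list = []     # refused attempts, kept for detection/review

    def load_visa(self, card: FederalCard, agency: str, expires: date) -> None:
        card.visas[agency] = expires           # user enters an agency assignment

    def unload_visa(self, card: FederalCard, agency: str) -> None:
        card.visas.pop(agency, None)           # user leaves that agency

    def revoke(self, card: FederalCard) -> None:
        """Termination from federal work: one action, every agency affected."""
        self.revoked.add(card.serial)

    def check_access(self, card: FederalCard, agency: str, today: date):
        """Relying-party decision at an agency door or VPN. Returns (allowed, reason)
        and records every denial so anomalous use can be tracked centrally."""
        if card.serial in self.revoked:
            reason = "card revoked"
        elif agency not in card.visas:
            reason = "no visa for this agency"
        elif card.visas[agency] < today:
            reason = "visa expired"
        else:
            return True, "ok"
        self.denials.append((card.serial, agency, today.isoformat(), reason))
        return False, reason
```

The denial log is the piece the article's “track unauthorized attempts” point depends on: because every door scans rather than flashes, a card presented at an agency it has no visa for becomes a visible event instead of a judgment call by a guard.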
As we continue advancing zero trust architectures and federal cybersecurity modernization, ensuring seamless identity authentication should be at the top of our agenda. The principles of HSPD-12 were sound. It’s time to finish the job and deliver on its full promise.
Until then, I’ll continue playing my daily game of ‘Guess Which PIV Card Works Today’ — a stark reminder of how far we’ve come, and how far we will need to go.
Bobby Bermudez is president and founder of Symposit, an 8(a) IT contracting company working in national security, transportation, aviation security and cybersecurity domains.
© 2025 Federal News Network. All rights reserved.