Information about http://fips201ep.cio.gov/documents/GSA_HSPD-12_Acquisition_Guidance.pdf

GSA Federal…

Tags: acquisition officers, biometric data, chief information officers, cryptographic algorithms, executive agent, federal acquisition service, federal employees, general services administration, gsa federal supply service, homeland security presidential directive, homeland security presidential directive 12, hspd 12, information technology products, key sizes, national institute of standards, national institute of standards and technology, office of management and budget, personal identity, service subject, special publications,
Pages: 3
Language: english
Created: Thu Aug 11 11:00:12 2005
Display cached document
Page 1
image
Page 2
image
Page 3
image
                                                      GSA Federal Supply Service



August 10, 2005

MEMORANDUM FOR CHIEF FINANCIAL OFFICERS
               CHIEF INFORMATION OFFICERS
               CHIEF ACQUISITION OFFICERS

FROM:                   BARBARA L. SHELTON
                        ACTING COMMISSIONER
                        FEDERAL ACQUISITION SERVICE

SUBJECT:                Acquisitions of Products and Services for Implementation
                        of HSPD-12


Homeland Security Presidential Directive-12 (HSPD-12), "Policy for a Common
Identification Standard for Federal Employees and Contractors" requires
agencies to use only information technology products and services that meet this
standard. The Office of Management and Budget (OMB) has designated the
General Services Administration (GSA) as the Executive Agent for government-
wide acquisitions in a July 5, 2005, letter from Joshua Bolton. This memorandum
specifies the procedures for ordering goods and services in compliance with the
directive.

Background

HSPD-12 establishes the requirement for a mandatory Governmentwide
standard for secure and reliable forms of identification issued by the Federal
Government to its employees and contractors. OMB has directed Federal
agencies to purchase only products and services that are compliant with the
Federal policy, standards and numerous supporting technical specifications,
including:

   ·   Federal Information Processing Standard 201, Personal Identity
       Verification of Federal Employees and Contractors;
   ·   National Institute of Standards and Technology (NIST) Special
       Publications (SP) 800-73, Interfaces for Personal Identity Verification, 800-
       78 Cryptographic Algorithms and Key Sizes for Personal Identity
       Verification, and 800-79, Guidelines for the Certification and Accreditation
       of PIV Card Issuing Organizations; and
                                       -2-

   ·   Special Publication 800-76, Biometric Data Specification for Personal
       Identity Verification (Pending).

To ensure standard compliant products and services are available, NIST will
issue test suites in SP 800-85 - PIV Middleware and PIV Card Application
Conformance Test Guidelines (SP800-73 Compliance), and will publish National
Voluntary Laboratory Accreditation Program (NVLAP) accredited validation
services for demonstrating conformance for products. Providers of products and
services that are determined to conform to the standard will be eligible to offer
approved products and services on a new GSA procurement vehicle established
to align all agency acquisitions with policy.

The Smart Access Common ID Governmentwide Acquisition Contract (GWAC)
has been the primary acquisition vehicle for smart cards, smart card readers,
associated card management systems, related products and services. This
GWAC currently requires smart card products and services to conform to the
Government Smart Card Interoperability Specification (GSC-IS), as updated (i.e.,
GSC-IS v.2.1). While the full set of FIPS 201 requirements are in the process of
being added to this GWAC, it will be allowed to expire on May 17, 2006, without
the exercise of options. Only those established task orders that adhere to the
guidance below will be allowed to continue beyond the expiration date.

GSA will replace GWAC with a Blanket Purchase Agreement (BPA) for smart
card systems and related products and services under a recently established
Special Item Number (SIN) 132-60 within IT Schedule 70. This BPA will be in
place before the expiration of GWAC and will serve as the replacement vehicle
for acquisition of approved, FIPS 201 compliant products and services for
Federal agencies.


Guidance for Procurements

Federal agencies are required to purchase only approved products and services.
GSA will make Federally approved products and services available that are
compliant with FIPS 201 and associated specifications to agencies.

   1. Agencies that have not begun deployment of smart (i.e., integrated circuit)
      cards as identity badges for employees and contractors should not begin
      or make procurements until End Point products, as defined in NIST
      Special Publication 800-73, are available. End Point products employ a
      unified card edge interface that is technology-independent and compliant
      with current international standards. Full technical specifications for these
      products can be found in SP 800-73.
                                      -3-

   2. Agencies that have initiated a large scale deployment of smart cards as
      identity badges prior to July 2005 may acquire Transitional products and
      services, also defined in NIST Special Publication 800-73, as part of a
      migration strategy. In so doing, these agencies should weigh benefits and
      costs of such a strategy over moving directly to an End Point smart card.

   3. All new GWAC Task Orders (T.O.) on the existing GWAC will be reviewed
      and approved by the GSA, Office of Governmentwide Policy (OGP) to
      determine and ensure that each includes language that ensures
      compliance with FIPS 201. In addition, GSA will review each T.O.
      document to ensure it has a clear migration path; this information should
      also be reflected in an update to the requesting agency's implementation
      plan.

   4. All current GWAC T.O.s will be reviewed by GSA. The Office of
      Governmentwide Policy (OGP) designated a Deputy Associate
      Administrator to ensure these T.O.s are compliant or can be modified to
      ensure compliance with FIPS 201. If not, the T.O. will be allowed to expire
      without renewal. GSA requires that all T.O.s in effect beyond December
      31, 2005 be modified by March 2006 to include language that ensures
      compliance with FIPS 201 and is in accordance with Federal Acquisition
      Regulation.

Effective the date of this memorandum, GSA procedures will ensure Federal
policy and standards are met whenever acquisitions through the Smartcard
GWAC or replacement BPA are used. As the designated authority for FIPS 201
compliant procurements, GSA will report to OMB on agency acquisitions
pertaining to the standard. All FIPS 201 related acquisitions are subject to OMB
review.

GSA will release additional information on the time-frame for BPA availability on
the following website: http://www.smart.gov/. Please direct acquisition questions
to Michael R. Brooks, Director, Center for Smart Card Solutions, Federal
Acquisition Service, phone 202 501-2765, Fax 202 208-3133, or e-mail
mike.brooks@gsa.gov.