First Responder Credentialing: Still a Secondary Priority

As the October 2008 deadline looms for implementation of Homeland Security Presidential Directive 12 (HSPD-12), which requires federal agencies to issue new “smart” identification cards to their employees, many agencies are now working tirelessly to comply with that mandate. So-called “Smart Cards” – which incorporate photos, biometric data (fingerprints), a personal identification number, and individual access rights – are designed both to facilitate secure access to buildings and computer networks and to create a standard government-wide mechanism for identity verification and management.

Complementing this effort, several state and local public safety agencies have piloted the use of First Responder Authentication Credentials (FRAC) cards, which are designed to be used in the field by incident commanders to quickly identify responders at the scene of an incident. The FRAC cards interoperate with the HSPD-12 infrastructure, enabling authorized personnel across all levels of government to support an incident response.

The need for more effective credentialing was one of the principal lessons learned during the response to the 11 September 2001 terrorist attack on the Pentagon. Immediately after the attack, first responders from numerous federal, state, and local agencies converged on the incident scene to assist – and encountered several credentialing-related problems. Because of the intensity of the attack and the widespread havoc that followed, most of the responders who reported to the scene – either on their own or as members of a team – were allowed entry without restriction. However, an unauthorized person could have gained access to the scene, it later was realized, and might even have driven away with a fire truck.

Difficulties, Complications, and Other Problems

At certain other checkpoints, though, legitimate local, state, and federal responders were denied access to the scene. Another quickly noticed complication was that the incident commanders on the scene were frequently unaware of the specific skills and abilities of the many responders at the scene from other agencies, and that lack of background information made the efficient use of personnel considerably more difficult.

In March 2007, Arlington County, Virginia – which has incident command responsibility for the Pentagon – became the first agency to deploy FRAC cards, issuing them to 1,400 of its own emergency service workers. Those cards, paid for by a $750,000 Virginia state grant, were intended to be used to test a new common infrastructure for field-level credentialing and identity verification that had been developed for use by local, state, and federal agencies responding to an incident scene in the greater Washington, D.C., area.

Although the FRAC cards have successfully demonstrated the potential capability of HSPD-12 systems, their relatively high cost remains what is perhaps the largest obstacle to full implementation of the HSPD-12 directive. In today’s economic environment, many state and local agencies simply do not have the funding necessary to acquire and maintain a FRAC system of their own. In a time of frequent budget cuts, FRAC represents what many officials consider to an unfunded mandate imposed by the federal government on state and local agencies. In Arlington County, for example, because of funding constraints, no FRAC cards have been issued to new employees since March 2007.

Operational Concerns and Both Good and Bad News

There also are some operational concerns blocking full implementation. A firefighter arriving at an incident scene in full “turnout gear,” for example, is unlikely to be able to present a FRAC card quickly or easily at a control point. Moreover, private and commercial wireless (and wired) network access may be interrupted during a significant incident, making real-time identity verification extremely difficult if not impossible.

The good news is that efforts to demonstrate FRAC capabilities have resulted in updates to many regional personnel-management systems that have facilitated low-tech solutions to the problems of identity verification, particularly in response to field incidents. Although not as efficient as quickly swiping a card through an electronic reader, the use by incident commanders of up-to-date lists (even in hard copy form) of emergency personnel and their skill sets could go a long way toward avoiding the problems experienced at the Pentagon following the 11 September attack.

Clearly, much work remains to be down to streamline identity management and verification throughout the nation’s public safety community. Not quite seven years after the 9/11 attacks, many command-level responders still carry with them more than a half dozen of the cards needed to gain access to incident scenes, high-security facilities, and various computer and communications networks. The development and distribution of a single totally secure identification card remains an important goal, therefore, but hard deadlines will not necessarily ensure success, even among and within the federal agencies required to both set and implement the deadlines mandated by HSPD-12. As of June 2008, to consider but one example, the Department of Justice (DOJ) had issued 1,014 smart cards to its employees and contractors – leaving only 105,723 to go by October 31.