In August 2004, not long after the Department of Homeland Security was formed, the Bush administration issued Homeland Security Presidential Directive 12, or HSPD-12. The directive noted the wide variations in security and identification capabilities among agencies, and it set out to create standards for managing the identities of government employees and federal contractors and their access to both physical facilities and data systems. Like most identity management projects, the concept is simple and straightforward: Put some biometric data on cards, issue the cards to everyone who needs any form of access to federal facilities and systems, and in the process enable better sharing of data while taking an important step toward keeping the truly bad guys out.

The goal was to develop HSPD-12 standards in months, and then implementing them throughout the government, again in months. As anyone who has endeavored to implement a massive federated identity management system can tell you, the directive's timetables were, to say the least, naive.

The various departments had varying degrees of interest and budget to actually implement the directive. The technology was immature, particularly in the face of the millions of federal employees and contractors who would be subject to it. And everything from doorways to databases and applications all had been previously conceived with no thought of a unified identity management system--meaning virtually all required a retrofit.

By October 2007, anyone with fewer than 15 years on the fed payroll was supposed to have an ID card. Not a single agency met that deadline. The Office of Management and Budget and the General Services Administration got more serious about the program and by mid-2008 reported that 97% of the more than 5 million employees and related contractors had their cards. Agencies have since been retrofitting and conducting background checks.

HSPD-12 offers some important lessons for private-sector companies. First, success requires both top-level buy-in and IT-level commitment. It took cooperation between the OMB and GSA to jump-start the program for many federal departments. Second, there's a fundamental value to thinking big here. Our surveys show that private-sector companies have some form of identity management--66% have it for employees--but we tend not to do much with it once we have it. For instance, only 28% use their identity management systems for cryptographic signing of e-mails, and just 32% show any interest in digital rights management--the uses that can substantially improve your risk management posture.

The other lesson to take from the feds is that while a grand vision is needed, the rollout of the technology will take a good bit of department-by-department hand-holding. In an environment where more and more critical and sensitive data is being accessed ever more broadly, for a variety of legitimate business uses, the granularity of control provided by a solid identity management system will often prove indispensible.

Art Wittmann is director of InformationWeek Analytics. Write to him at awittmann@techweb.com.

To find out more about Art Wittmann, please visit his page.

Register to see all reports at InformationWeekAnalytics.com.