How to address PACS procurement challenges for government facilities

Jan. 8, 2018
Comprehensive training on FICAM requirements is necessary to avoid common pitfalls

For government facilities, being able to rapidly authenticate the digital identity credential of a person and determine whether they have permission to access a secure location are security requirements laid out under the FIPS 201 (Federal Information Processing Standard Publication 201) standard and Personal Identity Verification (PIV) specification. There are physical access control systems (PACS) available today that meet these requirements, but compliance with the specifications requires more than just installing any security system.

Compliance means the implementation of PACS systems that follow the Federal Identity, Credential and Access Management (FICAM) requirements for high-assurance identity verification, and systems that meet those requirements are included on the GSA Approved Product List. But what we’re seeing today is that those responsible for implementing PACS either don’t know there are requirements, or don’t understand them. And adding to the confusion, there are many different levels of government employees involved in procuring the system, making responsibilities unclear. All of these factors together have led to a number of non-compliant PACS systems being procured and installed at government facilities across the country, whether the system is being implemented in an existing or a new facility.

When a new government facility is being constructed, or when a security specialist responsible for a specific location determines that a new access control system needs to be procured for an existing area, building or multi-building site, they begin the procurement process.

First, the general contractor or existing security specialist secures funding and contacts a procurement officer, who then posts an RFP to hire an electrical subcontractor or security vendor.

The general contractor typically delegates the procurement of an access control system, a seemingly small detail in the overall building construction, to the electrical subcontractor. The electrical subcontractor, who likely has never heard of PIV or FICAM, may look to preferred systems that they’ve used elsewhere for non-government facilities, rely on PACS contractors for advice, or place a high priority on finding the system with the lowest cost. This often leads to procuring a PACS system that does not meet federal standards.

For existing facilities, the security specialist is often unaware of the FICAM requirements altogether, and is depending on the procurement officer and the security vendor to ensure the right system is implemented.

The story is similar for the procurement officer, who is either unaware or under-informed about the current standards or the GSA Approved Product List and often uses system specifications from previous procurements that may not be current with FICAM requirements. Because the procurement officer’s primary responsibility is the procurement itself, compliance is often not a priority.

As a result, the burden (and risk) sits heavily with the security vendor who responds to the RFP bid. When placing their bid, the security vendor risks having their bid rejected if it doesn’t meet the procurement specification – even if their bid is FICAM-compliant. If the security vendor submits a non-compliant system called for in the RFP, it’s possible they will win the RFP and deliver a PACS system that meets the RFP specifications but not the federal government requirements for high-assurance identity verification.

With all of the confusion, the worst-case scenario, and the common end-result, is that the procurement is allowed to go through with non-compliant security systems that violate the requirements and policies, and government funds are spent on non-compliant systems.

So, who is responsible for ensuring PACS compliance? The short answer: everyone involved in the procurement and implementation of the system must be educated in making sure the right PACS is implemented for the facility.

To ensure that the appropriate equipment is procured and configured correctly the first time, training on specifying FICAM-compliant PACS is a must for any government contracting and procurement officer to increase awareness of regulatory requirements. This training provides best practices for efficiently and effectively planning and deploying a FICAM-compliant PACS in a government facility, and should help contractors and procurement officers to better understand:

  • How access control systems are defined within the federal guidelines and standards established by NIST governing the use of government-issued PIV identity credentials;
  • How PKI-based digital certificates are managed within the E-PACS system;
  • How PIV/PIV-I credentials interface with the security system;
  • How to order GSA tested and approved E-PACS hardware and software;
  • And, how to set up, test and configure FICAM-compliant access control systems.

Furthermore, there should be a written certificate of compliance submitted by every PACS bidder to make certain that only compliant equipment is sold into federal facilities and that every PACS bidder has the training to properly configure and install a fully compliant security system.

The Secure Technology Alliance provides E-PACS training and certification programs at its National Center for Advanced Payments and Identity Security in Arlington, VA.

About the Author:

Randy Vanderhoof is the Executive Director of the Secure Technology Alliance. The Secure Technology Alliance is a not-for-profit, multi-industry association of over 200 member firms working to stimulate the understanding, adoption, and widespread application of smart card technology in North America and Latin America. The Alliance organization provides a forum for industry stakeholders to collaborate and educate others on the appropriate uses of technology for identification, payment and other applications and strongly advocates the use of smart card technology in a way that protects privacy and enhances data security and integrity.
