Physical Access Control Systems: Highlights From GSA’s Reverse Industry Training

GSA Reverse Industry Day 2018

On Sept. 17, the U.S. General Services Administration (GSA) held a physical access control system (PACS) reverse industry day training featuring remarks from industry, government and members and staff representing the Security Industry Association (SIA) and the Secure Technology Alliance (STA). The daylong event hosted at GSA’s headquarters in Washington, D.C., was designed to improve contract outcomes through more effective communication and engagement between government and industry during the acquisition life cycle as required to deploy and implement personal identity verification (PIV) with PACS in compliance with federal requirements.

More than 350 government personnel, including 200 acquisition specialists, attended the event, which kicked off with introductory remarks from John Andre and Jim Sheire of GSA highlighting GSA’s programs, including the Federal Identity, Credential and Access Management (FICAM) program, the Federal Information Processing Standard (FIPS) 201 evaluation program and the approved products list.

In the first session, “Basic Planning Prior to PACS Procurement,” Mike Kelley, principal ESS technical specialist at Parsons Government Services, discussed forming project objectives, the challenges of projects (including that no two projects are the same, moving targets and a tendency to work toward full compliance all at once), the structure of a project team, the project process, legal and regulatory requirements (including federal, state and local laws, agency regulations and requirements from other agencies), key project characteristics, risk assessments and mitigation and impact on procurements. His primary takeaway points were to 1) identify all the stakeholders at the onset of the project and ensure that their roles are clearly defined and 2) ensure the project characteristics and the risks to the facility are fully understood and documented before establishing a project’s scope.

In the second session, “Government-Approved Product Lists (APLs),” Roy Hayes, president and CEO of Systems Engineering, Inc., started by reviewing the U.S. Department of Defense (DOD) and GSA APLs, a few guiding policies from government, the definition of a PACS (“a matter of who, where and when…[that] determines who is allowed to enter or exit, where they are allowed to exit or enter and when they are allowed to enter or exit”), what a control space consists of, the problems with having multiple APLs and a proposed way forward to save time and money, simplify acquisition, reduce procurement and supplier confusion and ensure a consistent, vetted process in achieving the needed security to meet continually evolving threats faced by federal agencies.

Stafford Mahouz, manager of government and DOD programs at Software House, part of SIA member company Johnson Controls, then discussed GSA’s procurement guidance and APL, guiding policies, common issues seen that impact compliance and more. He stressed that federal agencies should assure that their requests for proposal and/or statements of work contain language for compliant systems and state integrator qualifications for bidding the project, integrator qualifications should be strengthened for qualified bidders/integrators and government agencies and DOD entities should assure in the pre-bid phase that there are strict pre-qualifications in place and proper vetting of bidders/integrators.

Rob Zivney, senior consultant at SIA member company IDentification Technology Partners, then discussed how many elements of physical security and complete PACS are “out of scope” for PIV requirements, the need for many expectations need to be specified, the physical components and key concepts of PACS, the “four As” (authentication, authorization, alarms and administration), the National Institute of Standards and Technology’s (NIST’s) guidelines for the use of PIV credentials in facility access, card authentication certificates and more. His key takeaways were that 1) while PACS are considered federal information systems, security is the primary purpose for a PACS procurement and 2) if you want security, you will need to “spec it.”

Tony Damalas, vice president of ICAM Professional Services, part of SIA member Convergint, then provided an overview of new construction considerations, including creating the plans and specifications, determining contract specifications, determining what is meant by “per plans and specs,” the project design team, construction/implementation teams and examples of conflicting specifications.

In the next session, PACS Procurement Resources, SIA board member Lynn de Seve, president of GSA Schedules Inc., led a series of skits along with SIA’s Jake Parker and Joe Hoellerer and Roger Roehr, director of identity management at SIA member company Integrated Security Technologies, Inc., highlighting problems and solutions to access control issues. She discussed how industry and government are cooperating to get the word out on requirements and direct agencies to resources for “getting it right the first time.” She highlighted mandates from the Office of Management and Budget, the FIPS 201 evaluation program for PACS, approved service providers, where to find approved PACS products and services on the GSA Schedules Contract, PACS solutions available on GSA Schedules 84 and 70 and her industry recommendations to government.

In the next panel session, Kelley, Roehr and Lars Suneborn, director of training programs at the STA, discussed “What You Know, What You Don’t Know and What You Should Know” regarding project planning. Roehr emphasized categorizing people and places, finding someone who understand what you are doing at a senior level and conducting public outreach, while Kelley suggested getting as much feedback as possible and knowing what assets you have, what spaces they are in, what you need to do to protect those based on the risks of those assets and what to do if an asset is compromised.

In the last session, Damalas discussed avoiding non-compliant configuration of APL-listed equipment. He highlighted how obtaining equipment listed on the APL does not necessarily achieve compliance, how APL-listed configurations remain compliant in the field, how PACS manufacturers are able to offer compliant and non-compliant configurations and how field conditions contribute to non-compliant implementations. He suggested considering cabling infrastructure for FICAM hardware compatibility, provisioning PACS from authoritative sources, ensuring PACS are configured and maintained in FICAM mode, engaging C-suite representatives early and using legacy credentials and non-FICAM mode operation only in a migration strategy and not as the end state.

Zivney and Damalas closed with a skit, “When the PIV Card Is Not the Center of the Universe,” advocating for shifting focus away from PIV to PACS as a security solution.

Watch the morning and afternoon sessions on GSA’s YouTube channel.