Federal agencies dedicate billions of dollars a year to cybersecurity, especially the security of data and devices within their buildings. They invest in technology to protect against internal threats, phishing scams, threats from mobile applications and even the risks in their supply chains.
However, they must do a better job of securing access to those buildings in the first place, according to a recent report from the Government Accountability Office. Since the George W. Bush administration issued a directive in 2004, agencies and contractors must comply with a federal standard for safe and reliable forms of identification to obtain physical access to facilities controlled by the federal government and logical access to information systems controlled by the federal government.
The GAO report found that the Office of Management and Budget and the General Services Administration "have taken steps to help agencies acquire and implement 'safe physical access control systems' (PACS), interoperable and approved by GSA for federal buildings." However, it is clear that more needs to be done and that agencies face difficulties in deploying secure PACS.
What are physical access control systems?
PACS are systems to "manage access to controlled areas within buildings" and "include identification cards, card readers and other technology that electronically confirms the identities of employees and contractors and validates their access to the facilities," says the GAO report.
Since 2004, the OMB has published several memos to clarify the responsibilities of the agencies with respect to the PACS. For example, in 2011, OMB issued a note citing the Department of Homeland Security's guidance that agencies "must update the existing PACS to use identity credentials before using the relevant funds for other activities."
However, the GAO found that OMB's oversight efforts are hampered because it lacks reference data on agencies' implementation of PACS. Without such data, OMB cannot guarantee that all agencies comply with PACS requirements "or track progress in implementing the federal PACS requirements and achieve the vision of secure and interoperable systems in all agencies," the report says.
The GSA developed a list of approved products, or APL, that identifies products that meet federal requirements for PACS through a testing and evaluation program. Agencies are required to use the products on the list to purchase PACS equipment. The GSA has also provided procurement guidance to agencies through its identity management website.
"The agencies have not made much progress, mainly because no one has been asking what they are doing, what they are buying, what efforts they are making to get information from the entire government to know who is buying what and what they are doing," Lori Rectanus, director of the GAO physical infrastructure team, told the Federal News Network. "We really do not know where the agencies are and what progress has been made. OMB has the key responsibility of supervising and enforcing this process; they are the supreme arbitrator of people's budgets."
What can the agencies do to improve the physical security of the facilities?
In fact, the report says that OMB staff told the GAO that they oversee PACS requirements as part of the normal process of reviewing agencies' budget submissions, but that OMB does not conduct oversight beyond that. "However, this approach does not allow OMB to identify or monitor the extent to which agencies are purchasing physical access control systems that meet the latest requirements or take action if agencies are delayed in this area," the report said.
The GAO reviewed the PACS in five civil agencies: the United States Coast Guard within DHS, the Bureau of Prisons in the Department of Justice, the Transportation Security Agency in DHS, the Environmental Protection Agency, and the GSA.
Officials from the five agencies identified several challenges related to the deployment of PACS, "including cost, lack of clarity on how to acquire equipment and difficulty in adding new PACS equipment to legacy systems," the report says.
"The OMB, GSA and industry officials not only confirmed that these challenges exist, they also told the GAO that they were probably present throughout the federal government," the report said.
The Interagency Security Committee (ISC), which is chaired by DHS and consists of 60 federal departments and agencies, develops safety standards for civilian agencies. The GAO says that the ISC "is well positioned to determine to what extent the implementation challenges of PACS exist" throughout the government and to develop strategies to address them.
An ISC official told the GAO that the ISC has taken steps to do so, including the establishment of a working group to explore whether further guidance on PACS would be beneficial. The GAO recommends that OMB "determine and regularly monitor a reference level of progress in the implementation of PACS" and that the ISC "assess the scope of, and develop strategies to address, the challenges of the entire government to implement the PACS."
Officials from most of the five selected agencies, PACS manufacturers and integrators interviewed by GAO said that the cost of purchasing GSA-approved physical access control systems using the APL and installing them "is a challenge in the current budget environment."
For example, TSA officials estimate that the agency will need more than $14 million per year to continue implementing GSA-approved physical access control systems using the APL in its 625 facilities, "an expense for which the agency does not receive additional funds."
However, OMB noted that agencies have had 13 years to replace PACS technology "with products that meet federal requirements," and that the problem may be training and agency planning rather than cost. OMB hopes that, over time, agencies will implement PACS using equipment that comes exclusively from the APL and complies with federal information processing standards.