During a performance audit conducted from October 2017 to December 2018, the Government Accountability Office (GAO), the investigative arm of Congress, found that the Office of Management and Budget's (OMB) oversight of federal agencies' efforts to procure and implement secure and interoperable General Services Administration (GSA)-approved physical access control systems (PACS) for federal buildings has been "hampered because it lacks baseline data on agencies' implementation of PACS." And, "without such data," GAO told the House Homeland Security Committee's Subcommittee on Oversight and Management Efficiency, "OMB cannot fulfill its responsibility to ensure that agencies comply with PACS requirements or track progress in implementing federal PACS requirements and achieving the vision of secure and interoperable systems across all agencies."
"PACS systems are designed to manage secure access to controlled areas within federal buildings and include identification cards, card readers and other technology that electronically confirms the identities of employees and contractors and validates their access to the facilities."
As GAO noted, "In an effort to increase the security of federal facilities and information systems where there is a potential for terrorist attacks such as those that occurred on September 11, 2001, Homeland Security Presidential Directive 12 (HSPD-12) established the requirement for a mandatory government-wide identification standard for federal government employees and contractor personnel in August 2004."
This standard identified the technical requirements for physical access control systems to "issue secure and reliable identification credentials to federal employees and contractors to gain access to federal facilities and information systems."
To comply with this standard, government agencies "have begun to implement improved physical access control systems to control the access of employees and contractors to buildings" using systems based on "personal identity verification (PIV) cards that work with networked physical access control systems." With these systems, agencies can verify that employees and contractors are who they claim to be and have the proper authorization to enter.
Biometric Update has learned from a number of contract guards working for the Federal Protective Service (FPS) at federal buildings, including federal courthouses, that existing access control systems, including PIV and other credentials, often do not work, that codes are not changed regularly, and that even internal building access control systems have been problematic, not to mention the problems with monitors and CCTV cameras.
GAO noted that "neither OMB nor GSA currently collect data on agencies' efforts to implement physical access control system requirements, including use of the Approved Products List. This is important because our interviews with physical access control system manufacturers, integrators, and selected agencies indicate that implementation of physical access control systems across the government may be limited, which raises questions about the government's progress. Officials from four of the five selected agencies we reviewed told us that, since 2013, when end-to-end testing requirements for physical access control systems began, they had purchased GSA-approved physical access control systems for only a limited number of their facilities. In addition, they said that where purchases were made, physical access control systems sometimes had to be replaced because they were reaching the end of their useful life."
Continuing, GAO found that "a limited number of GSA facilities have physical access control systems that meet the latest requirements." GSA told GAO that it "has complied with federal physical access control system requirements for 70 of its approximately 340 non-courthouse buildings, with another 90 partially in line with the requirements (for example, PIV access credentials are used). The remaining facilities still do not meet federal physical access control system requirements."
GSA staff told GAO that "GSA manages public spaces in approximately 360 court buildings and is developing a security implementation plan for these spaces." GSA officials also told GAO that GSA manages approximately 8,000 leased buildings "where tenants in these spaces are generally responsible for the configuration of physical access control systems and GSA does not track this information."
Agency officials also told GAO "that physical access control systems are not required in all areas of federal buildings. Risk assessments, as recommended by ISC guidance, should determine where physical access control systems are needed."
According to a Department of Homeland Security (DHS) official, "the Approved Products List provides an end-to-end configuration for a new physical access control system, but since most agencies have existing systems, they must be modified with the appropriate validation system and readers, and then specially configured through information technology approval and support processes to function in accordance with the Approved Products List. This creates a situation in which agencies may not be able to fully follow the Approved Products List when they are adding to an existing system that is still in transition toward compliance with the list. In summary, simply procuring from the Approved Products List is not equivalent to achieving compliance with FIPS 201."
To implement HSPD-12, standards and guidance require the interoperability of these systems in all agencies.
GAO noted that "implementation of physical access control systems at federal agencies represents a significant federal investment. For example, over the next 5 years," the Transportation Security Administration (TSA) alone "plans to spend more than $70 million to implement physical access control systems," and most of these funds ($51 million) will go toward the acquisition of new systems from [GSA's] Approved Products List [APL].
And TSA is just "one of hundreds of federal agencies," GAO said. "According to GSA officials, GSA has spent millions of dollars testing these systems. However, a congressional committee and some industry stakeholders have raised questions about implementation of this directive, specifically the extent to which agencies use the Approved Products List to purchase physical access control systems." The purchase of products that are not on the APL can generate unnecessary expense, "but these purchases can also result in security breaches if, for example, elements of access credentials are falsified, cloned or copied, and physical access control systems do not detect them."
While several federal agencies have vital government-wide responsibilities for implementing HSPD-12, OMB is responsible for overall direction and supervision of the program. GSA "is responsible for testing physical access control systems to ensure that they comply with security and interoperability standards and identifying such systems through its Approved Products List," which OMB and the Federal Acquisition Regulation require agencies to use … when purchasing physical access control systems to achieve an integrated approach to physical security "in accordance with" National Institute of Standards and Technology (NIST) Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems, published in November 2008. The publication "provides guidelines for the use of PIV cards in physical access control systems [and] recommends a risk-based approach to selecting the appropriate PIV authentication mechanisms to manage physical access to federal government facilities."
The Interagency Security Committee (ISC), chaired by DHS, plays a key role in ensuring the protection and security of non-defense buildings and facilities. NIST establishes the technical specifications "that form the basis of the standards, including, for example, the minimum requirements for a federal PIV system that meets the control and security objectives of HSPD-12."
GAO said GSA told the auditors that, according to "GSA and its testing contractor, for this certificate authentication process to be successful, physical access control system equipment must be connected to a network so that the physical access control system can communicate with directories maintained by card issuers. Physical access control systems that are not connected to a network will not have access to this additional level of security. A networked physical access control system can confirm not only the validity of a credential's issuer, but also the authenticity and validity of any given credential. This validity must be confirmed with the card issuer every 18 hours; otherwise, a physical access control system must deny access."
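The networked-validation rule GSA describes above (confirm each credential with the issuer at least every 18 hours, otherwise deny) and the earlier concern that cloned or falsified credentials go undetected can both be modelled compactly. The following Python is an added example, not code from the GAO report, GSA or Biometric Update. The issuer directory, the card identifiers, the 18-hour window as a constant, the clock origin `T0`, and the HMAC used in place of a PIV certificate signature are all constructed stand-ins for illustration; a real PIV credential carries X.509 certificates that are verified against the issuer's certificate authority.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Interval stated in the article: a credential's validity must be
# re-confirmed with the card issuer at least every 18 hours.
MAX_VALIDATION_AGE = timedelta(hours=18)

# Constructed stand-in for the issuer's signing key. Real PIV credentials
# carry X.509 certificates verified against the issuer's CA, not an HMAC.
ISSUER_KEY = b"constructed-issuer-key-for-demo"

T0 = datetime(2018, 12, 1, 8, 0, tzinfo=timezone.utc)  # constructed clock origin


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass(frozen=True)
class Credential:
    card_id: str
    issuer: str
    signature: bytes  # constructed MAC over card_id|issuer (stands in for the cert signature)


def _mac(card_id: str, issuer: str, key: bytes) -> bytes:
    return hmac.new(key, f"{card_id}|{issuer}".encode(), hashlib.sha256).digest()


def issue(card_id: str, issuer: str = "demo-issuer", key: bytes = ISSUER_KEY) -> Credential:
    """Issuer side: mint a credential whose authenticity the PACS can check."""
    return Credential(card_id, issuer, _mac(card_id, issuer, key))


class IssuerDirectory:
    """Constructed stand-in for the issuer-maintained directory a networked PACS queries."""

    def __init__(self) -> None:
        self._revoked: set[str] = set()

    def revoke(self, card_id: str) -> None:
        self._revoked.add(card_id)

    def status(self, card_id: str) -> str:
        return "revoked" if card_id in self._revoked else "valid"


@dataclass
class NetworkedPACS:
    directory: IssuerDirectory
    online: bool = True
    issuer_key: bytes = ISSUER_KEY
    _last_confirmed: dict[str, datetime] = field(default_factory=dict)

    def decide(self, cred: Credential, now: datetime) -> tuple[bool, str]:
        """Return (grant, reason) for one card presentation at time `now`."""
        # 1. Authenticity: a cloned or forged credential fails the local
        #    signature check regardless of network state.
        expected = _mac(cred.card_id, cred.issuer, self.issuer_key)
        if not hmac.compare_digest(expected, cred.signature):
            return False, "forged"
        # 2. Validity: a confirmation from the issuer that is still inside the
        #    18-hour window is accepted without a new directory query.
        last = self._last_confirmed.get(cred.card_id)
        if last is not None and now - last <= MAX_VALIDATION_AGE:
            return True, "cached"
        # 3. Otherwise the issuer must be consulted; an offline PACS cannot,
        #    so the rule quoted in the article requires it to deny.
        if not self.online:
            return False, "stale-offline"
        status = self.directory.status(cred.card_id)
        if status != "valid":
            self._last_confirmed.pop(cred.card_id, None)
            return False, status
        self._last_confirmed[cred.card_id] = now
        return True, "confirmed"


def demo() -> list[tuple[bool, str]]:
    """Walk one constructed credential through the states the article describes."""
    directory = IssuerDirectory()
    pacs = NetworkedPACS(directory)
    card = issue("card-0001")
    results = [pacs.decide(card, T0)]                   # first use: confirmed with issuer
    results.append(pacs.decide(card, T0 + hours(17)))   # inside the window: cached
    pacs.online = False
    results.append(pacs.decide(card, T0 + hours(19)))   # window expired, no network: deny
    pacs.online = True
    directory.revoke("card-0001")
    results.append(pacs.decide(card, T0 + hours(19)))   # issuer reports revoked: deny
    forged = Credential("card-0001", "demo-issuer", b"\x00" * 32)
    results.append(pacs.decide(forged, T0 + hours(19))) # bad signature: deny
    return results


if __name__ == "__main__":
    for grant, reason in demo():
        print("GRANT" if grant else "DENY ", reason)
```

The ordering of the checks is the point: authenticity is verified locally before any network call, so a forged card is never granted even when the issuer is reachable, while a stale cache plus a lost network connection fails closed rather than open. The window also shows the trade-off the 18-hour figure implies, since a revocation is only seen at the next issuer check.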
The GAO report to the subcommittee stated that officials from the five selected agencies GAO reviewed "identified several challenges related to PACS implementation, including cost, lack of clarity on how to acquire the equipment, and difficulty adding new PACS equipment to legacy systems."
In addition, GAO reported that "OMB, GSA and industry officials not only confirmed that these challenges exist, but … that they were most likely present throughout the federal government." The ISC is tasked with "developing security standards for non-military agencies. In this capacity, the ISC is well positioned to determine the extent to which PACS implementation challenges exist among its members and to develop strategies to address them. ISC told GAO that it has taken steps to do so, including establishing a working group to evaluate what additional PACS guidance would be beneficial."
GAO recommended that "OMB regularly determine and monitor a baseline of progress in implementing PACS, and that ISC assess the scope of, and develop strategies to address, government-wide challenges to implementing PACS."
OMB did not comment on the GAO recommendation, while DHS only agreed with the recommendation to the ISC.
GAO said: "We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives."
GAO reported that it "interviewed OMB and GSA about their efforts to fulfill their government-wide responsibilities" and asked them to provide data on agencies' use of the Approved Products List. GAO also interviewed private sector companies that have key roles in government-wide implementation of HSPD-12, specifically seven manufacturers of physical access control systems and five integrators (contractors who install the equipment and connect it to agency networks with software), as well as "other industry organizations, including a trade association, the GSA contractor that tests physical access control systems for the Approved Products List, and a long-standing industry consultant."
Officials from two of the selected agencies and a systems integrator told GAO that "some agency officials are reluctant to more fully integrate their physical access control systems … because of concerns about a perceived increase in security risk resulting from a wider network of physical access control systems and access credentials such as PIV cards. However, other federal officials told us that this concern is unfounded. Integration of agencies' physical access control systems will improve security, increase government efficiency, reduce identity fraud and protect personal privacy through electronic authentication of the validity of access credentials."
GAO also found that stakeholders believe some federal agency officials have limited knowledge of physical access control system requirements. "According to most of the physical access control system manufacturers and integrators with whom we spoke," GAO reported, "federal agency contracting officials generally lack sufficient understanding of federal physical access control system requirements. This insufficient understanding of physical access control system requirements may lead contracting officials to award contracts for the installation of physical access control systems to low-skilled integrators, which may lead to inadequate implementation or integration of systems. These experts said that this situation could create security vulnerabilities at these agencies and result in costly future expenses."