What GAO found
The Office of Administration and Budget (OMB) and the General Services Administration (GSA) have taken steps to help agencies acquire and implement "secure, interoperable and approved physical access control systems (PACS) for buildings. federal PACS are systems to manage access to controlled areas within buildings. PACS include identification cards, card readers and other technologies that electronically confirm the identities of employees and contractors and validate their access to the facilities (see figure). The steps taken include the following:
OMB issued several memoranda to clarify the responsibilities of the agencies. For example, OMB issued a 2011 note citing the guidance of the Department of Homeland Security (DHS) that agencies must update existing PACS to use identity credentials before using relevant funds for other activities. But GAO found that OMB monitoring efforts are hampered because it lacks reference data on the implementation of PACS by agencies. Without such data, OMB cannot fulfill its responsibility to ensure that agencies comply with PACS requirements or track progress in the implementation of federal PACS requirements and achieve the vision of safe and interoperable systems in all agencies. .
GSA developed an approved Product List that identifies products that meet federal requirements through a testing and evaluation program. Federal agencies must use the List of approved products to purchase PACS equipment. GSA has also provided acquisition guidance to agencies through its identity management website.
Example of components of a physical access control system (PACS)
Officials from the five selected agencies that GAO reviewed identified a number of challenges related to the implementation of PACS, including cost, lack of clarity on how to acquire equipment and the difficulty of adding new PACS equipment to legacy systems. Officials from OMB, GSA and the industry not only confirmed that these challenges exist, but also told GAO that they were probably present throughout the federal government. The Interagency Security Committee (ISC), chaired by DHS and composed of 60 federal departments and agencies, has the mission of developing safety standards for non-military agencies. In this capacity, the ISC is well positioned to determine the extent to which PACS implementation challenges exist among its members and develop strategies to address them. An ISC official told GAO that the ISC has taken steps to do so, including the creation of a working group to assess what additional guidance from PACS would be beneficial.
Why did GAO do this study?
A federal directive of 2004 and the related standard established a vision to use information technology to verify the identity of people accessing federal buildings. Vision requires safe and reliable forms of identification that work in conjunction with access control systems. The interoperability of these systems between departments and agencies is part of the vision. OMB and GSA have responsibilities throughout the government related to this effort. The ISC provides guidance to non-military executive branch agencies on physical security issues. The GAO was asked to review the PACS implementation efforts.
This report analyzes (1) the steps that OMB and GSA have taken to fulfill their government-wide responsibilities related to PACS and (2) the challenges facing selected federal agencies to meet current requirements. For review, GAO analyzed documents from Commerce, GSA, ISC and OMB. GAO selected five non-military agencies based on factors that include the number of buildings and geographic location. GAO reviewed the relevant requirements and key practices. GAO also interviewed federal agency officials, PACS providers and knowledgeable industry officials.
What GAO recommends
GAO recommends (1) that OMB regularly determine and monitor a level of baseline progress in the implementation of PACS and (2) that ISC assess the scope and develop strategies to address the challenges of the entire government to implement PACS. OMB did not comment on the recommendation. DHS agreed with the recommendation to the ISC.
For more information, contact Lori Rectanus at (202) 512-2834 or email@example.com.