Federal agencies devote billions of dollars a year to cybersecurity, especially to secure data and devices inside their buildings. They invest in technology to protect against insider threats, phishing scams, threats from mobile applications and even risks in their supply chains.
However, they need to do a better job of securing access to those buildings in the first place, according to a recent Government Accountability Office report. Since the George W. Bush administration issued Homeland Security Presidential Directive 12 (HSPD-12) in 2004, agencies and contractors have been required to meet a federal standard for secure and reliable forms of identification to gain physical access to federally controlled facilities and logical access to federally controlled information systems.
The GAO report found that the Office of Management and Budget and the General Services Administration “have taken steps to help agencies procure and implement secure, interoperable, GSA-approved ‘physical access control systems’ (PACS) for federal buildings.” But the report also makes clear that more needs to be done: agencies are struggling to deploy secure PACS, and OMB’s oversight of their progress falls short.
What Are Physical Access Control Systems?
PACS are systems for “managing access to controlled areas within buildings,” and “include identification cards, card readers, and other technology that electronically confirm employees’ and contractors’ identities and validate their access to facilities,” the GAO report notes.
Since 2004, the OMB has released several memos to clarify agencies’ responsibilities around PACS. For example, in 2011 the OMB issued a memo citing Department of Homeland Security guidance that agencies “must upgrade existing PACS to use identity credentials before using relevant funds for other activities.”
Yet the GAO found the OMB’s oversight efforts are being hindered because it lacks baseline data on agencies’ implementation of PACS. The OMB cannot ensure all agencies adhere to PACS requirements “or track progress in implementing federal PACS requirements and achieving the vision of secure, interoperable systems across agencies” without such data, the report says.
The GSA developed an Approved Products List, or APL, that identifies products that meet federal requirements for PACS through a testing and evaluation program. Agencies are required to use products on the list to procure PACS equipment. The GSA also has provided procurement guidance to agencies through its identity management website.
“Agencies have not made a lot of progress, primarily because no one’s been asking questions about what are they doing, what are they buying, what efforts are they making for governmentwide information to know who’s buying what and are they compliant,” Lori Rectanus, director of the physical infrastructure team at the GAO, told Federal News Network. “We really don’t know where agencies are and what progress has been made. OMB has the key responsibility for overseeing and enforcing this process. They are the ultimate arbiter of people’s budgets.”
What Agencies Can Do to Boost Facilities’ Physical Security
Indeed, the report says that OMB staff told the GAO that they oversee PACS requirements as part of the normal process of reviewing agencies’ budget submissions, but that the OMB does not conduct oversight beyond that. “This approach, however, does not allow OMB to identify or monitor the extent to which agencies are purchasing physical access control systems that meet the latest requirements or take action if agencies lag in this area,” the report says.
The GAO examined PACS at five agencies: two DHS components, the U.S. Coast Guard and the Transportation Security Administration (TSA); the Bureau of Prisons in the Justice Department; the Environmental Protection Agency; and the GSA.
Officials from the five agencies identified several challenges relating to the deployment of PACS, “including cost, lack of clarity on how to procure equipment, and difficulty adding new PACS equipment to legacy systems,” the report notes.
“Officials from OMB, GSA, and industry not only confirmed that these challenges exist, but also told GAO that they were most likely present across the federal government,” the report says.
The Interagency Security Committee, which is chaired by DHS and consists of 60 federal departments and agencies, develops security standards for civilian agencies. The GAO says the ISC “is well-positioned to determine the extent that PACS implementation challenges exist” across government and to develop strategies to address them.
An ISC official told the GAO that the ISC has taken steps to do so, including setting up a working group to explore whether additional PACS guidance would be beneficial. The GAO recommends that the OMB “determine and regularly monitor a baseline level of progress on PACS implementation” and that the ISC “assess the extent of, and develop strategies to address, governmentwide challenges to implementing PACS.”
Officials from most of the five selected agencies, as well as the PACS manufacturers and integrators the GAO interviewed, said that the cost of buying GSA-approved physical access control systems from the APL and installing them “is a challenge in the current budget environment.”
For example, TSA officials estimate that the agency will need over $14 million per year to continue implementing GSA-approved physical access control systems using the APL in its 625 facilities, “an expense for which the agency receives no additional funds.”
Yet the OMB noted that agencies have had 13 years to replace PACS technology “with products that meet federal requirements,” and that the issue may be agencies’ training and planning rather than cost. The OMB expects that, over time, agencies will implement PACS using equipment that is exclusively from the APL and compliant with Federal Information Processing Standards (FIPS).