Actions still needed to ensure interoperable physical access control of fed buildings
During a performance audit from October 2017 to December 2018, the Government Accountability Office (GAO), Congress’ investigative arm, found that the Office of Management and Budget’s (OMB) oversight of efforts by federal agencies to procure and implement secure, interoperable, General Services Administration (GSA) approved “physical access control systems” (PACS) for federal buildings has been “hampered because it lacks baseline data on agencies’ implementation of PACS.” And, “without such data,” GAO told the House Committee on Homeland Security Subcommittee on Oversight and Management Efficiency, “OMB cannot meet its responsibility to ensure agencies adhere to PACS requirements or track progress in implementing federal PACS requirements and achieving the vision of secure, interoperable systems across agencies.”
PACS are systems designed to manage secure access to controlled areas within federal buildings, and include identification cards, card readers, and other technology that electronically confirm employees’ and contractors’ identities and validate their access to facilities.
As GAO pointed out, “In an effort to increase the security of federal facilities and information systems where there is potential for terrorist attacks such as those that occurred on September 11, 2001, Homeland Security Presidential Directive 12 (HSPD-12) established the requirement for a mandatory, government-wide identification standard for federal government employees and contractor personnel in August 2004.”
This standard identified the technical requirements for physical access control systems in order to “issue secure and reliable identification credentials to federal employees and contractors for gaining access to federal facilities and information systems.”
To meet this standard, government agencies “have begun implementing enhanced physical access control systems for controlling employees’ and contractors’ access to buildings” using systems that rely on “personal identity verification (PIV) cards that operate with networked physical access control systems” so agencies can ensure employees and contractors are who they claim to be, and have the proper authority to enter.
Biometric Update has learned from a variety of contracted Federal Protection Service (FPS) guard services for federal buildings, including federal court facilities, that existing access control systems, including PIV and other credentialing, frequently don’t work, that codes aren’t regularly changed, and that even internal building access control systems have been problematic, not to mention problems with CCTV monitors and cameras.
GAO pointed out that, “neither OMB nor GSA currently collect data on agency efforts to implement physical access control system requirements, including use of the Approved Products List. This is significant because our interviews with physical access control systems’ manufacturers, integrators, and selected agencies indicate that government-wide implementation of physical access control systems may be limited and raises questions about government-wide progress. Officials from four of the five selected agencies we reviewed told us that, since 2013, when physical access control system end-to-end testing requirements began, they had only purchased GSA-approved physical access control system equipment for a limited number of their facilities. Moreover, they said that where purchasing occurred, it was sometimes for physical access control systems that required replacement because they were nearing the end of their useful life.”
Continuing, GAO found that “a limited number of GSA facilities have physical access control systems that fully adhere to the latest requirements.” GSA told GAO it “has met federal physical access control system requirements for 70 out of approximately 340 of its non-courthouse buildings with another 90 being partially in line with requirements (e.g., PIV access credentials are used). The remaining facilities do not yet meet federal physical access control system requirements.”
GSA staff told GAO “GSA administers the public spaces in approximately 360 courthouse buildings and is developing a security implementation plan for these spaces.” GSA officials also told GAO that GSA administers about 8,000 leased buildings “where the tenants in these spaces are generally responsible for setting up physical access control systems and GSA does not track this information.”
Agencies’ officials also told GAO “that physical access control systems are not required in all areas of federal buildings. Risk assessments, as recommended by ISC guidance, should determine where physical access control systems are necessary.”
According to a Department of Homeland Security (DHS) official, “the Approved Products List provides the end-to-end configuration for a new physical access control system, but since most agencies have existing systems, they need to be retrofitted with the appropriate validation system and readers, and then specially configured through information technology support and approval processes in order to function in accordance with the Approved Products List. This creates a situation where agencies may not be able to completely follow the Approved Products List when adding on to an existing system that is still in transition to Approved Products List-compliance. In short, simply procuring an Approved Products List-system does not equal achieving FIPS-201 compliance.”
To implement HSPD-12, standards and guidance call for the interoperability of these systems across agencies.
GAO noted that, “Implementation of physical access control systems at federal agencies represents a significant federal investment. For example, over the next 5 years,” the Transportation Security Administration (TSA) alone intends to spend more than $70 million to put physical access control systems in place, “with the bulk of these funds ($51 million) going toward the acquisition of new systems from [GSA’s] Approved Products List [APL].”
And TSA is just “one of hundreds of federal agencies,” GAO pointed out. “According to GSA officials, GSA has spent millions of dollars to test these systems. However, a congressional committee and some industry stakeholders have raised questions about the implementation of this directive, specifically about the extent to which agencies are using the Approved Products List to purchase physical access control systems. Not only could purchasing products not on the APL lead to wasteful spending, but such purchases could result in security breaches if, for example, elements of access credentials are counterfeited, cloned, or copied, and physical access control systems fail to detect them.”
While a number of federal agencies have vital government-wide responsibilities for implementing HSPD-12, OMB is responsible for the program’s overall direction and oversight. GSA “is responsible for testing physical access control systems to ensure they meet security and interoperability standards and identifying such systems through its Approved Products List,” which OMB and the Federal Acquisition Regulation require agencies to use “when buying physical access control systems to achieve an integrated approach to physical security” pursuant to National Institute of Standards and Technology (NIST) Special Publication 800-116: A Recommendation for the Use of PIV Credentials in Physical Access Control Systems, published in November 2008. The publication “provides guidelines for the use of PIV cards in physical access control systems [and] recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to federal government facilities.”
The Interagency Security Committee (ISC), chaired by DHS, plays a fundamental role in ensuring the security and protection of nondefense federal buildings and facilities. NIST sets forth the technical specifications “that form the basis of standards, including for example, the minimum requirements for a federal PIV system that meets the control and security objectives of HSPD-12.”
GAO said GSA and its testing contractor told auditors that, “in order for this certificate authentication process to be successful, physical access control system equipment must be networked so that physical access control systems can communicate with directories maintained by issuers of cards; physical access control systems that are not networked will lack access to this extra level of security. A networked physical access control system can confirm not only the validity of a credential’s issuer, but also the authenticity and validity of any given credential. This validity must be confirmed with the card’s issuer every 18 hours; otherwise, a physical access control system must deny access.”
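To make the fail-closed rule in that passage concrete, here is an added illustration (not code from GAO, GSA or any PACS vendor) of how a reader’s access decision could apply the 18-hour issuer-confirmation requirement; the card ids, the issuer directory and the timestamps are constructed, and the directory lookup stands in for whatever protocol a real issuer exposes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Maximum age of a cached issuer confirmation before the reader must deny
# (the 18-hour figure comes from the GSA description quoted above).
MAX_VALIDATION_AGE = timedelta(hours=18)


@dataclass
class CredentialState:
    card_id: str
    issuer_trusted: bool                   # issuer certificate chain validated at registration
    last_issuer_check: Optional[datetime]  # when the issuer last confirmed this credential


# Hypothetical stand-in for the issuer's directory: card_id -> "valid" / "revoked"
IssuerDirectory = Dict[str, str]


def decide_access(rec: CredentialState, now: datetime,
                  directory: Optional[IssuerDirectory]) -> Tuple[bool, str]:
    """Return (grant, reason). `directory` is None when the issuer cannot be reached."""
    if not rec.issuer_trusted:
        return False, "issuer not trusted"
    if directory is not None:
        # Online: refresh the credential's status with the issuer and record the time.
        status = directory.get(rec.card_id)
        if status != "valid":
            return False, f"issuer reports {status or 'unknown'}"
        rec.last_issuer_check = now
        return True, "confirmed with issuer"
    # Offline: a cached confirmation is acceptable only while it is fresh.
    # A revocation issued inside that window cannot be seen until the link returns.
    if rec.last_issuer_check is None:
        return False, "never confirmed with issuer"
    age = now - rec.last_issuer_check
    if age > MAX_VALIDATION_AGE:
        return False, f"cached confirmation stale ({age})"
    return True, f"cached confirmation fresh ({age})"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenarios: online grant, fresh offline grant, stale offline deny, revoked deny."""
    t0 = datetime(2019, 1, 1, 8, 0, tzinfo=timezone.utc)
    directory = {"PIV-0001": "valid", "PIV-0002": "revoked"}
    alice = CredentialState("PIV-0001", True, None)
    online = decide_access(alice, t0, directory)[0]
    fresh = decide_access(alice, t0 + timedelta(hours=17), None)[0]
    stale = decide_access(alice, t0 + timedelta(hours=19), None)[0]
    revoked = decide_access(CredentialState("PIV-0002", True, t0), t0, directory)[0]
    return online, fresh, stale, revoked
```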
GAO’s report to the subcommittee stated officials from the five selected agencies GAO “reviewed identified a number of challenges relating to PACS implementation, including cost, lack of clarity on how to procure equipment, and difficulty adding new PACS equipment to legacy systems.”
In addition, GAO reported “officials from OMB, GSA, and industry not only confirmed that these challenges exist, but … they were most likely present across the federal government.” The ISC is tasked to “develop security standards for non-military agencies. In this capacity, the ISC is well-positioned to determine the extent that PACS implementation challenges exist across its membership and to develop strategies to address them. An ISC official told GAO that the ISC has taken steps to do so, including setting up a working group to assess what additional PACS guidance would be beneficial.”
GAO recommended that “OMB determine and regularly monitor a baseline level of progress on PACS implementation,” and that “ISC assess the extent of, and develop strategies to address, government-wide challenges to implementing PACS.”
OMB did not comment on GAO’s recommendation, while DHS only concurred with the recommendation to ISC.
GAO said, “We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.”
GAO reported it “interviewed OMB and GSA about their efforts to fulfill their government-wide responsibilities [and] asked them to provide data on agencies’ Approved Products List usage. We interviewed private sector companies that have key roles in government-wide implementation of HSPD-12, specifically: seven manufacturers of physical access control systems, five integrators (contractors who install the equipment and connect it to agency networks with software), as well as other industry organizations, including a trade association, GSA’s contractor that tests physical access control systems for the Approved Products List, and a long-time industry consultant.”
Officials at two of the selected agencies and one system integrator told GAO “some agency officials are reluctant to more fully integrate their physical access control systems … due to concern about a perceived increase in security risks resulting from more broadly networking physical access control systems’ equipment and access credentials like PIV cards. However, other federal officials told us that this concern is unfounded. According to these officials, integrating agencies’ physical access control systems will enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy by electronically authenticating the validity of access credentials.”
GAO additionally found that stakeholders believe some federal agency officials have limited knowledge of physical access control system requirements. “According to most physical access control systems’ manufacturers and integrators we spoke to,” GAO reported, “federal agencies’ contracting officers commonly lack sufficient understanding of federal physical access control system requirements. This insufficient understanding of physical access control system requirements may lead contracting officers to award contracts for the installation of physical access control systems to under-qualified integrators, which can lead to systems being improperly deployed or integrated. These experts said that this situation could lead to security vulnerabilities at these agencies and expensive future costs.”