The Government Accountability Office (GAO) was asked to examine physical access security at federal buildings. Its December 20 report highlights the oversight difficulties faced by agencies when ensuring physical access control is properly implemented.
A 2004 federal directive and the related standard set forth a vision for using information technology to verify the identity of individuals accessing federal buildings. The vision calls for secure and reliable forms of identification that work in conjunction with access control systems. Interoperability of these systems across departments and agencies is part of the vision. The Office of Management and Budget (OMB) and the General Services Administration (GSA) have government-wide responsibilities related to this effort. The Interagency Security Committee (ISC) provides guidance to non-military executive branch agencies on physical security issues.
For its review, GAO analyzed documents from Commerce, GSA, ISC, and OMB. GAO selected five non-military agencies based on factors including number of buildings and geographic location. GAO reviewed relevant requirements and key practices. GAO also interviewed federal agency officials, physical access control vendors, and knowledgeable industry officials.
GAO found that OMB and GSA have taken steps to help agencies procure and implement secure, interoperable, GSA-approved physical access control systems (PACS) for federal buildings. PACS are systems for managing access to controlled areas within buildings. PACS include identification cards, card readers, and other technology that electronically confirm employees’ and contractors’ identities and validate their access to facilities.
OMB issued several memos to clarify agencies’ responsibilities. For example, OMB issued a 2011 memo citing Department of Homeland Security (DHS) guidance that agencies must upgrade existing PACS to use identity credentials before using relevant funds for other activities. However, GAO found OMB’s oversight efforts are hampered because it lacks baseline data on agencies’ implementation of PACS. Without such data, GAO says OMB cannot meet its responsibility to ensure agencies adhere to PACS requirements or track progress in implementing federal PACS requirements and achieving the vision of secure, interoperable systems across agencies.
GSA developed an Approved Products List that identifies products that meet federal requirements through a testing and evaluation program. Federal agencies are required to use the Approved Products List to procure PACS equipment. In addition, GSA manages IDManagement.gov, which guides federal agencies through the process of identifying Approved Products List-compliant physical access control system equipment.
GSA also established the U.S. Access program to enable federal civilian agencies to issue common HSPD-12 approved credentials to their employees and contractors. Finally, GSA developed a list of system integrators that can be used to install physical access control systems that have been approved for the Approved Products List. These integrators are listed on the GSA’s IDManagement.gov website.
Officials from the five selected agencies that GAO reviewed identified a number of challenges relating to PACS implementation including cost, lack of clarity on how to procure equipment, and difficulty adding new PACS equipment to legacy systems. Officials from OMB, GSA, and industry not only confirmed that these challenges exist but also told GAO that they were most likely present across the federal government.
Officials from four of the five selected agencies told GAO that, since 2013, when physical access control system end-to-end testing requirements began, they had only purchased GSA-approved physical access control system equipment for a limited number of their facilities.
According to Environmental Protection Agency (EPA) officials, none of EPA’s 72 facilities (including, for example, its headquarters building in the District of Columbia and 10 regional headquarters buildings) currently adhere to the latest physical access control system requirements. EPA officials told GAO that the agency used GSA’s Approved Products List to purchase physical access control system equipment in the past. However, because requirements have changed over time, the 72 buildings where EPA is responsible for physical access control need to be upgraded to the latest requirements. EPA will procure these required systems using the Approved Products List and prioritize implementation at those facilities with the highest assessed risk.
According to TSA officials, since 2013, 64 TSA facilities have implemented some physical access control system upgrades using products from the Approved Products List, while an additional 75 leased facilities have been upgraded by GSA. While the 139 facilities are not fully compliant, the only item missing to make these facilities compliant, according to TSA officials, is the capability for interoperable, secure identification checks among federal agencies. This would allow TSA’s physical access control systems to recognize revoked personal identity verifications from any federal agency. TSA told GAO that it plans to roll out this capability in fiscal year 2019. Over the next five years, TSA plans to spend about $73 million in physical access control system implementation with the bulk of these funds ($51 million) going toward the acquisition of new systems from the Approved Products List.
Coast Guard officials told GAO that none of the agency’s 1,400 facilities where it has security responsibilities fully adhere to the latest federal physical access control system requirements. However, 53 of these facilities have been prioritized for physical access control system implementation. In addition, since 2013, four Coast Guard locations have begun to implement GSA-approved physical access control systems using the Approved Products List. Coast Guard officials said that due to the decentralized nature of Coast Guard’s decision-making process for physical access control systems, it is difficult to say where purchases have been made, and there is no systematic tracking. The Coast Guard does not have a formal plan for upgrading its physical access control systems, but officials told GAO that they continue to pursue opportunities to upgrade facilities with physical access control system equipment using the Approved Products List.
The ISC, chaired by the DHS and consisting of 60 federal departments and agencies, has a mission to develop security standards for non-military agencies. In this capacity, the ISC is well-positioned to determine the extent to which PACS implementation challenges exist across its membership and to develop strategies to address them. An ISC official told GAO that the ISC has taken steps to do so, including setting up a working group to assess what additional PACS guidance would be beneficial.
As a result of its report, GAO recommends that OMB determine and regularly monitor a baseline level of progress on PACS implementation and that ISC assess the extent of, and develop strategies to address, government-wide challenges to implementing PACS. DHS concurred with the recommendation to ISC, and OMB made no comment.