The success of future federal access control systems for government agencies will depend a lot on the systems integrators equipped to handle those jobs, experts agreed during a panel at the SIA GovSummit, held June 29 at The Liaison Capitol Hill in Washington, D.C.
Tim Smith, chief technology officer, Chenega Integrated Security Solutions, said success lies in understanding complex guidance as well as the vision of the customer.
“You have to have a clear idea of what your end state is,” said Smith, presenting as a systems integrator working for a variety of agencies across the federal government. “One of the things we try to do as an integrator is reach out to both ends and try to close the requirements gap so that the end users understand …are buying the right kind of Chevy, as it were.”
“From a compliance standpoint, we need to make sure the changes an organization wants to do is something that is vectored toward an end state of strong credentials for access control. That’s what it boils down to.” — Tim Smith at the 2017 SIA GovSummit.
Qualifications for Systems Integrators in Federal Access
Guidance for implementation of Federated Identity, Credential and Access Management (FICAM) requires “a mechanism to assess the identity management standards against applicable federal requirements, policies and laws,” according to the U.S. government. And the FICAM road map understands that agencies cannot get there overnight.
“You don’t have to rip everything out. As long as you have a clear idea of the end state and what the system has to do,” Smith added. “It has to provide a strong credential to provide appropriate access based on user characteristics. You have to ask, what do I currently have? And how do I get there in phases?”
Ultimately, the federal government seeks to centralize physical access control systems (PACS) much as it does other IT services, Lenel’s Ryan Kaltenbaugh, vice president, Federal Government Solutions, explained to conference attendees hosted by the Security Industry Association (SIA).
“In the physical world, we fail to really think through how we automate compliance to security policy and control access to thousands of doors in a government enterprise just in the way we control access to thousands of applications on a network. So to me, FICAM means everything from end to end. It’s not just the credential or the PACS,” Kaltenbaugh said.
The Credit Card Analogy for Federal Access
Smith used an analogy of new Visa credit cards with chips, widely adopted in the United States only in the past few years. The chip cards are replacing old swipe cards because they offer stronger authentication, Smith said. It may be “a pain in the butt” to wait a few seconds longer when you are in the checkout line at Target, but the result is a significant reduction in cybercrime related to credit card fraud.
“That’s what we are trying to bring to access control in federal facilities,” Smith said. “There’s a lot going on in that federal access control decision, but what you get for it is that we know who this person is and whether they have access to that particular door.”
Most recently, the U.S. National Institute of Standards and Technology (NIST) issued guidance in the form of SP 800-63-3, Digital Identity Guidelines, on June 22 to “provide technical requirements for federal agencies implementing digital identity services.” NIST and the U.S. Office of Management and Budget (OMB) are working closely to promulgate the guidance across the federal government, tying implementation to budgets.
The goal is to manage risk as a federal enterprise where individual agencies must take into account the interconnectedness of all agencies, said Joe Stuntz of the OMB Cyber and National Security Unit during SIA GovSummit. PACS systems are IT systems.
The most recent NIST guidance rescinded 57 disparate requirements as the federal government streamlines, Stuntz said. The goal is to ease the burden on agencies and their systems integrators as they manage installation of access control systems that comply with federal guidance. An overall policy, consolidated into one set of regulations, will become available for public comment in the near future.
Implementing Guidance for Systems Integrators
As a study in how to bring it all together, William Windsor, deputy director of the Enterprise Integration and Compliance Office with the Office of the Chief Security Officer (CSO) at the U.S. Department of Homeland Security (DHS), offered insights into how his department is implementing guidance during the SIA GovSummit.
The DHS CSO has responsibility for working with component CSOs within the department to ensure PACS are in place and that those systems are compliant with requirements of the DHS chief information officer. The resulting DHS PACS Modernization effort brings together all stakeholders for a gap analysis that will require the ultimate approval of the DHS Secretary.
Systems integrators who successfully partner with DHS on federal access control systems projects will have a deep understanding of these requirements, which strive to be “agnostic” as to prescribing a specific solution, Windsor said. But success for DHS also depends on a specific reality—the cost of specific solutions. So it seems while measures of successful implementation may change over time, some considerations will always remain the same.