In November 2014, the General Services Administration (GSA) informed integrators, manufacturers, distributors and others that it would be making changes to the way the federal government procures identity, credentials and access management (ICAM) products and services.
In a notice known as a request for information (RFI), GSA sought feedback on its plan, which would realign ICAM offerings on its approved products list for IT Schedule 70 and Law Enforcement Schedule 84.
Essentially, GSA is moving to update what federal agencies can buy to conform to guidance from the U.S. Office of Management and Budget that will update technical evaluation criteria to ensure the security and interoperability of products available.
As of now, agencies have no guarantee that various products purchased from federal shopping lists (the schedules) will work together correctly without conducting independent research. GSA’s proposals would change that, and the agency is hoping to have final rules in place by the end of the summer.
By doing so, GSA seeks to give agencies confidence that separate products from separate sources on an approved products list will work together seamlessly when purchasing components for physical access control systems (PACS) or logical access control systems (LACS) while moving to fulfill requirements of Homeland Security Presidential Directive (HSPD) 12.
“If I buy one component off the list and another component off the list, they are not necessarily guaranteed to interoperate together,” said Chi Hickey of the GSA Office of Government Wide Policy, Identity Assurance and Trusted Access Division, during a Security Industry Association (SIA) webcast on Feb. 25.
GSA officials will join SIA in a special industry gathering Monday, June 8, at the SIA Government Summit in Washington, D.C. GSA will host its own industry day on the subject in Washington on May 14.
In the SIA webcast, GSA managers provided insights into the kind of feedback they have received from vendors, such as clarification on getting on the GSA schedules and evaluation factors related
to doing so. They told GSA that distinctions under the new requirements among integrators, service providers and others remain unclear.
They also had questions about a required training requirement proposed under the new regulations. “Anyone doing the work” on a federal PACS or LACS contract would require certification, Hickey said. While grateful to the Smart Card Alliance for offering the necessary training, GSA hopes also to find other sources.
“We would love to have another organization provide this certification as well,” Hickey added.
The certification requirement arose due to GSA concerns that organizations that deal mostly in PACS might not have sufficient understanding of public key infrastructure (PKI) involved in LACS requirements.
“I would recommend not only integrators having this certification … and I recommend those in the federal government dealing with physical access control systems … should go to this class as well to get better informed,” Hickey said.
Brenda McCall, lead contracting officer, GSA Law Enforcement and Security Branch, noted that more than 1,000 vendors offer about 114 specific products or services on Schedule 84, which saw $1.55 billion in total sales in fiscal 2014.
Of those sales, 42.7 percent went to small business vendors (who make up 81.6 percent of the vendors on the schedule). In addition, state and local purchasing programs can buy off the federal schedule for initiatives involving disaster recovery and drug interdiction.