Physical access security at federal buildings is lacking, according to a report from the Government Accountability Office (GAO).
Over 14 years ago, the mandate came down demanding information technology to verify the identity of individuals accessing federal buildings. The mandate called for secure and reliable forms of identification that work in conjunction with access control systems. Interoperability of these systems across departments and agencies was a requirement.
This is the government, so this is going to get into a bit of acronym bingo, but the Office of Management and Budget (OMB) and the General Services Administration (GSA) have government-wide responsibilities related to this effort. The Interagency Security Committee (ISC) provides guidance to non-military executive branch agencies on physical security issues.
For its review, GAO analyzed documents from Commerce, GSA, ISC, and OMB.
GAO selected five non-military agencies based on factors including number of buildings and geographic location. GAO reviewed relevant requirements and key practices. GAO also interviewed federal agency officials, physical access control vendors, and knowledgeable industry officials.
GAO found OMB and GSA have taken steps to help agencies procure and implement secure, interoperable, GSA-approved physical access control systems (PACS) for federal buildings. PACS are systems for managing access to controlled areas within buildings. PACS include identification cards, card readers, and other technology that electronically confirm employees’ and contractors’ identities and validate their access to facilities.
OMB issued several memos to clarify agencies’ responsibilities.
GSA developed an approved products list that identifies products meeting federal requirements through a testing and evaluation program. Federal agencies must use the approved products list to procure PACS equipment. In addition, GSA manages IDManagement.gov, which guides federal agencies through the process of identifying Approved Products List-compliant physical access control system equipment.
According to Environmental Protection Agency (EPA) officials, none of EPA’s 72 facilities (including, for example, its headquarters building in the District of Columbia and 10 regional headquarters buildings) currently adhere to the latest physical access control system requirements. EPA officials told GAO the agency used GSA’s approved products list to purchase physical access control system equipment in the past. However, because requirements have changed over time, the 72 buildings where EPA is responsible for physical access control need to be upgraded to the latest requirements. EPA will procure these required systems using the approved products list and prioritize implementation to those facilities with the highest assessed risk.
According to TSA officials, since 2013, 64 TSA facilities have implemented some physical access control system upgrades using products from the approved products list, while an additional 75 leased facilities have been upgraded by GSA. While the 139 facilities are not fully compliant, the only item missing to make these facilities compliant is the capability for interoperable, secure identification checks among federal agencies, TSA officials said. This would allow TSA’s physical access control systems to recognize revoked personal identity verifications from any federal agency. TSA told GAO that it plans to roll out this capability in fiscal year 2019. Over the next five years, TSA plans to spend about $73 million in physical access control system implementation with the bulk of these funds ($51 million) going toward the acquisition of new systems from the Approved Products List.
Coast Guard officials told GAO that none of the agency’s 1,400 facilities where it has security responsibilities fully adhere to the latest federal physical access control system requirements.
As a result of its report, GAO recommends that OMB determine and regularly monitor a baseline level of progress on PACS implementation and that ISC assess the extent of, and develop strategies to address, government-wide challenges to implementing PACS.