GAO-19-138, Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control
Efforts are underway to improve security with a government-wide approach to regulate access to controlled areas in federal buildings. Access control systems use ID cards, card readers, and other technologies to confirm identities and access rights.
The Office of Management and Budget and the General Services Administration have helped agencies move toward an interoperable system. However, OMB lacks information on agency progress and this hampers its oversight.
Agencies reported high costs and difficulty adding new equipment to existing systems.
Among other things, we recommended that OMB determine and monitor agencies' progress.
Example of Components of a Physical Access Control System
This graphic shows an ID card, validation system, and physical access control turnstile.
The Office of Management and Budget (OMB) and the General Services Administration (GSA) have taken steps to help agencies procure and implement secure, interoperable, GSA-approved “physical access control systems” (PACS) for federal buildings. PACS are systems for managing access to controlled areas within buildings. PACS include identification cards, card readers, and other technology that electronically confirm employees' and contractors' identities and validate their access to facilities (see figure). Steps taken include the following:
Example of Components of a Physical Access Control System (PACS)
Officials from the five selected agencies that GAO reviewed identified a number of challenges relating to PACS implementation including cost, lack of clarity on how to procure equipment, and difficulty adding new PACS equipment to legacy systems. Officials from OMB, GSA, and industry not only confirmed that these challenges exist but also told GAO that they were most likely present across the federal government. The Interagency Security Committee (ISC), chaired by the DHS and consisting of 60 federal departments and agencies, has a mission to develop security standards for non-military agencies. In this capacity the ISC is well-positioned to determine the extent that PACS implementation challenges exist across its membership and to develop strategies to address them. An ISC official told GAO that the ISC has taken steps to do so including setting up a working group to assess what additional PACS guidance would be beneficial.
A 2004 federal directive and the related standard set forth a vision for using information technology to verify the identity of individuals accessing federal buildings. The vision calls for secure and reliable forms of identification that work in conjunction with access control systems. Interoperability of these systems across departments and agencies is part of the vision. OMB and GSA have government-wide responsibilities related to this effort. ISC provides guidance to non-military executive branch agencies on physical security issues. GAO was asked to examine PACS implementation efforts.
This report discusses (1) steps OMB and GSA have taken to fulfill their government-wide responsibilities related to PACS and (2) challenges selected federal agencies face in meeting current requirements. For review, GAO analyzed documents from Commerce, GSA, ISC, and OMB. GAO selected five non-military agencies based on factors including number of buildings and geographic location. GAO reviewed relevant requirements and key practices. GAO also interviewed federal agency officials, PACS vendors, and knowledgeable industry officials.
GAO recommends (1) that OMB determine and regularly monitor a baseline level of progress on PACS implementation and (2) that ISC assess the extent of, and develop strategies to address, government-wide challenges to implementing PACS. OMB had no comment on the recommendation. DHS concurred with the recommendation to ISC.
For more information, contact Lori Rectanus at (202) 512-2834 or firstname.lastname@example.org.