Federal Building Security:
Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control
GAO-19-138: Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Efforts are underway to improve security with a government-wide approach to regulate access to controlled areas in federal buildings. Access control systems use ID cards, card readers, and other technologies to confirm identities and access rights.
The Office of Management and Budget and the General Services Administration have helped agencies move toward an interoperable system. However, OMB lacks information on agency progress and this hampers its oversight.
Agencies reported high costs and difficulty adding new equipment to existing systems.
Among other things, we recommended that OMB determine and monitor agencies' progress.
Example of Components of a Physical Access Control System
This graphic shows an ID card, validation system, and physical access control turnstile.
What GAO Found
The Office of Management and Budget (OMB) and the General Services Administration (GSA) have taken steps to help agencies procure and implement secure, interoperable, GSA-approved “physical access control systems” (PACS) for federal buildings. PACS are systems for managing access to controlled areas within buildings. PACS include identification cards, card readers, and other technology that electronically confirm employees' and contractors' identities and validate their access to facilities (see figure). Steps taken include the following:
- OMB issued several memos to clarify agencies' responsibilities. For example, OMB issued a 2011 memo citing Department of Homeland Security (DHS) guidance that agencies must upgrade existing PACS to use identity credentials before using relevant funds for other activities. However, GAO found that OMB's oversight efforts are hampered because it lacks baseline data on agencies' implementation of PACS. Without such data, OMB cannot meet its responsibility to ensure agencies adhere to PACS requirements or track progress in implementing federal PACS requirements and achieving the vision of secure, interoperable systems across agencies.
- GSA developed an Approved Products List that identifies products that meet federal requirements through a testing and evaluation program. Federal agencies are required to use the Approved Products List to procure PACS equipment. GSA also has provided procurement guidance to agencies through its identity management website.
Example of Components of a Physical Access Control System (PACS)
Officials from the five selected agencies that GAO reviewed identified a number of challenges relating to PACS implementation, including cost, lack of clarity on how to procure equipment, and difficulty adding new PACS equipment to legacy systems. Officials from OMB, GSA, and industry not only confirmed that these challenges exist but also told GAO that they were most likely present across the federal government. The Interagency Security Committee (ISC), chaired by DHS and consisting of 60 federal departments and agencies, has a mission to develop security standards for non-military agencies. In this capacity, the ISC is well-positioned to determine the extent to which PACS implementation challenges exist across its membership and to develop strategies to address them. An ISC official told GAO that the ISC has taken steps to do so, including setting up a working group to assess what additional PACS guidance would be beneficial.
Why GAO Did This Study
A 2004 federal directive and the related standard set forth a vision for using information technology to verify the identity of individuals accessing federal buildings. The vision calls for secure and reliable forms of identification that work in conjunction with access control systems. Interoperability of these systems across departments and agencies is part of the vision. OMB and GSA have government-wide responsibilities related to this effort. ISC provides guidance to non-military executive branch agencies on physical security issues. GAO was asked to examine PACS implementation efforts.
This report discusses (1) steps OMB and GSA have taken to fulfill their government-wide responsibilities related to PACS and (2) challenges selected federal agencies face in meeting current requirements. For review, GAO analyzed documents from Commerce, GSA, ISC, and OMB. GAO selected five non-military agencies based on factors including number of buildings and geographic location. GAO reviewed relevant requirements and key practices. GAO also interviewed federal agency officials, PACS vendors, and knowledgeable industry officials.
What GAO Recommends
GAO recommends (1) that OMB determine and regularly monitor a baseline level of progress on PACS implementation and (2) that ISC assess the extent of, and develop strategies to address, government-wide challenges to implementing PACS. OMB had no comment on the recommendation. DHS concurred with the recommendation to ISC.
For more information, contact Lori Rectanus at (202) 512-2834 or email@example.com.
Recommendations for Executive Action
Comments: In August 2019, GAO contacted OMB to determine if any progress has been made implementing this recommendation. GAO is awaiting OMB's response.
Recommendation: The Director of OMB should determine a government-wide baseline level of progress in meeting physical access control system requirements, including implementation of GSA-approved systems, and should monitor progress in meeting these requirements. (Recommendation 1)
Agency Affected: Executive Office of the President: Office of Management and Budget
Comments: In August 2019, GAO learned that DHS has recently completed the "Physical Access Control System (PACS) Modernization Working Group Charter." This charter was created under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council, Identity, Credentialing and Access Management Subcommittee, and the Program Director of the DHS Interagency Security Committee. The purpose of the PACS Modernization Working Group is to facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS within the federal government, thereby increasing security, coordination, and compliance with national-level policies and standards. GAO is following up with DHS to obtain additional information about this effort and to determine whether it addresses this recommendation.
Recommendation: The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)
Agency Affected: Department of Homeland Security