What the Government Really Wants

Specific standards must be met to bulk up federal security

• By Kim Rahfaldt
• Mar 01, 2011

Federal government buildings pose similar security challenges to commercial facilities: They need to control access, visually monitor daily activity and manage intrusion-prevention. To meet these demands, the government must integrate with numerous security manufacturers that supply a means to protect different functions, such as single sign-on for individual computers, or large servers to provide redundancy and fault-tolerant needs.

Of course, the level of protection needed could vary, depending on the building being secured. Buildings that house government servers or national archives may need more protection than a single card swipe and camera, for example. So how does a government security manager determine what is needed to secure the men and women who work for the government? What technologies and cost-saving solutions will influence decision-makers? And how can manufacturers and resellers help the government make these important decisions?

How Government Does Business
Working with the government is a long, involved process that requires education and patience. Understanding the intricacies of the process will help integrators and manufacturers gain the trust involved to win projects.

After first assessing its security needs thoroughly, the designated security committee will ask a number of companies for a request for information (RFI). An RFI allows the committee to glean information about the products and services available to them that will solve the issues defined in their risk assessment. After reviewing the RFI, the committee may ask for a solicitation in the form of a request for quotation (RFQ), request for proposal (RFP) or invitation for bid (IFB). Understanding the differences among these requests is critical to meeting criteria and moving to the next level of the process.

Timing is critical. A company must be six to 12 months ahead of the specification going public. This time should be spent pre-selling. Once the RFP is released, it’s too late. You should be talking with the primary end user, contractor (person doing the paperwork) and the technical representative (person who determines if the product or service meets the project’s requirements). Developing a relationship with these three individuals is crucial. They must know early on that you are interested in providing a solution for their security needs.

The soliciting agency will evaluate the proposal based on how the solution meets its need and budget. A company that meets those needs is then invited to demonstrate its product and discuss its solution, as well as provide a final bid.

Technologies Play a Role
The government is always looking for ways to reduce costs associated with redundancies across the different agencies and departments. Many agencies and departments have their own data centers to store critical information, including employee information. In recent years, the number of computers and data centers has skyrocketed, and if agencies continue to create their own data centers, there will be a lot of redundancy in people and energy. This redundancy could be eliminated by combining centers.

The government could do this by using cloud computing. Cloud computing could make government agencies more efficient, provide a cost-savings and reduce the environmental impact of purchasing hardware. The savings is derived from the cost of dedicated servers for each agency or application, and the energy costs to operate those servers. Using cloud computing saves hosting and maintenance costs, staffing and the cost of software installation and ongoing support.

However, when it comes to physical access control, the risks of cloud computing outweigh the benefits. The bandwidth needed for video surveillance is significant and expensive. Cyber-threats have grown tremendously, so there is the risk of a security breach. The system user has no control over the application and is at the mercy of the cloud provider as to when updates will be received.

Government customers want a solution that meets their operational requirements, not one that will require their operation to change to accommodate the software. In a cloud computing environment, the government data is under the physical control of others -- yes, the government is responsible for the data but has no control over it.

The government could turn to server virtualization as a way to save money and energy. Server virtualization consists of using a single server to operate multiple virtual instances of servers through a VMware product. A small operating system is installed using a hyperviso -- a virtualization method that allows multiple operating systems to run concurrently on a host computer -- to manage the interface between the hardware and various virtual servers. The Windows operating system and application software are installed in the virtual machine, and the software cannot tell the difference between this environment and a physical one.

Server virtualization allows the minimization of hardware and all costs associated with it: hardware technology refresh, maintenance, personnel and energy costs. The control remains with the user and is safer because the information is stored on the server.

FIM Saves Money
Federated identity management (FIM) is a growing idea and offers another budget-friendly security solution. FIM is where each device or system, as in a security system, uses a centralized database for authentication and authorized information. FIM would allow participating government agencies to use their existing databases of identities and import that information into the security management system. Using a personal identity verification (PIV) card, multiple agencies could share an FIM application, and consolidating resources would save money.

The government is working to achieve Federated Identity, Credential and Access Management (FICAM). According to www. idmanagement.gov, “The goal is a consolidated approach for all government-wide identity, credential and access management activities to ensure alignment, clarity and interoperability. It establishes the foundation for trust and interoperability in conducting electronic transactions both within the federal government and with external organizations. It encompasses the core capabilities to be able to identify, authenticate and authorize individuals to provide appropriate access to resources, which is the lynchpin to the success of the national cybersecurity initiative and the successful and secure adoption of electronic health records for the healthcare industry.”

Government agencies would use a PIV card when necessary to assert someone’s identity. For example, if an individual were going to log into a workstation or pass through a doorway, a PIV card would assert the identity. FICAM identifies where it’s necessary to assert his or her identity and the appropriate way to implement the assertion. One card can be used for access control and logical access, simplifying the process and reducing costs.

Become a Trusted Security Adviser
Developing a close relationship with the people involved in providing security services to their agency or bureau is important to a reseller’s success. You need to become more than just the company that manufactures the product or the reseller who installs the product. You need to get involved, ask questions and help them figure out what they will need for a security system now and in the future.

Be proactive and demonstrate the value in what you do. You need to become not just a company, but a trusted security adviser. As a trusted security adviser, the agency will turn to you with questions and will rely on your input to help them make decisions.

To become a trusted security adviser, you need to get involved with your government customers and partners in a variety of ways. Involve your company or individuals in industry associations that advise the government on applying and implementing technologies. Be readily available to provide a consultation or recommendations directly. Work closely with all partners involved in a project, whether it’s the IT department, integrator, vendor partners or security managers, and facilitate open communication. Assist with system design on new projects, and help facilitate migration from legacy equipment to compliant, modern solutions.

Solutions
Federal assets, including cyber-assets, staff and buildings, must be secure 24/7 with some variation in the level of security implemented, based on the time of day. The ability to recognize worthwhile technology integrations and having the capability to quickly implement the integration gives a company an edge.

The government has been asking for a security management solution that includes an integrated intrusion management system. AMAG Technology listened, and its Symmetry Homeland V7 features a newly enhanced intrusion detection system (IDS) capability that will allow authorized people to manage their intrusion system from a contactless smart card reader. Government needs demanded a feature-rich contactless smart card reader, such as AMAG’s S884 Javelin reader, to meet special Section 508 guidelines, requiring agencies to make electronic and information technology accessible to people with disabilities.

According to www.section508.gov, the law applies to all federal agencies when they develop, procure, maintain or use electronic and information technology. The Javelin reader has four lines of text where most readers have two. The four lines of text can be programmed to read one line of text that is four lines high, or two lines of text two lines high. This option allows the government to meet guidelines for the visually impaired.

In addition to becoming a trusted security adviser and providing government-compliant products, companies need to have a good reputation and long-standing commitment to their products and services. In other words, the government prefers to work with a company that is going to be in business for a long time.

The government often needs a new software feature added to its security system or new integration. Having the capability to write software or manufacture hardware quickly is an advantage to working within this market. The government sector looks favorably on companies who have full control over product development and can help it meet its security needs quickly.

The government must install products that comply with the many standards the various federal entities impose, and must work with companies whose products meet those standards and certifications.

Staying ahead of the project bid and becoming a trusted security adviser are two ways companies can gain an advantage in this lucrative market.

Helping the government meet its needs now, and in the future, while providing excellent support, will help ensure success.

This article originally appeared in the March 2011 issue of Security Today.