Security in Alphabet City
Key differences between government facilities and commercial buildings
- By John Bartolac
- Nov 01, 2012
On the surface, there’s not a great deal that differentiates security
in government facilities from security in commercial buildings.
They both have physical structures, infrastructure and people
that need to be protected. Integrators generally deploy the same
array of security systems—everything from access control to
video surveillance to intrusion detection. But when you delve a little deeper, you
soon discover a thicket of acronym-laden regulations governing federal procurement
and installation that are critical to doing business in the public sector.
Procurement is a Legally Protected Process
Unlike a commercial company, which can choose whatever products it wants and
whomever it wants to bid on a project, the government bidding process has to be more
open and more accountable, or in today's lingo, "transparent." Transparency means
that procurement procedures and policies are carried out to the letter of the law, and anyone
caught playing favorites or skirting the system faces severe repercussions.
The Federal Acquisition Regulation (FAR) is the umbrella set of rules governing
federal procurement. It is issued jointly by the Department of Defense (DoD), the
General Services Administration (GSA) and NASA, under the policy oversight of the
Office of Federal Procurement Policy within the Office of Management and Budget (OMB),
and it spells out both what products federal entities may purchase and how those
purchases must be made so that accountability is enforced.
Individual agencies supplement the FAR with their own regulations, adding another
layer of reporting and transparency requirements specific to what that agency plans to procure.
For example, FAR Part 25 implements the Buy American Act, which gives preference
to domestic end products in federal purchases, defined in part by the share of a
product's components that are made in the United States. The Defense Federal
Acquisition Regulation Supplement (DFARS), issued by DoD, carves out its own
exceptions for defense purchases, and the Federal Transit Administration (FTA),
whose grant programs fall under a separate set of Buy America rules, exempts
certain microprocessor-based equipment. So when doing business with the federal
government, be aware that how a given acquisition rule applies may vary from agency
to agency, depending on that agency's needs and its supplement to the FAR.
Certain Products Need to be Pre-approved
A number of federal agencies will purchase specific products only from their
own approved products list. These products have been prescreened and approved
for installation within federal facilities, and substitutions are rarely accepted.
For instance:
- DoD added a layer of protection against cyber threats with DIACAP,
the DoD Information Assurance Certification and Accreditation Process. DIACAP
protects information flowing over DoD networks by requiring that any IP-based
system connected to a DoD network be certified and accredited before connection,
so that it does not hand an attacker a portal to DoD data or a way to sabotage
the network's operation.
- A federal agency may require that certain products for a project be purchased
from a General Services Administration (GSA) Schedule or similar
Multiple Award Schedule (MAS) contract.
- The Joint Interoperability Test Command (JITC), part of the Defense Information
Systems Agency (DISA), rigorously tests, operationally evaluates and certifies IT
capabilities on behalf of the DoD. The goal is joint interoperability, so that
systems fielded by different services and agencies work together for their users.
JITC publishes its own approved products list itemizing products certified for
particular installations.
- The Air Force has its own list of approved products for access control and other
physical security devices.
- Even the Department of Homeland Security (DHS) keeps a list of approved
anti-terrorism technologies under its SAFETY Act program.
In most instances, integrators have to convince the end user of a particular
product's benefits before it can be list-approved, and the end user then has to initiate
the request with the accrediting agency to test and approve that product before
it can be installed. In rarer cases, manufacturers can apply directly to the
agencies to have their products tested and approved.
The Government Limits Vendor Liability
While commercial corporations generally have unlimited freedom when it comes
to procurement, the government often sets aside certain projects to protect and
promote particular vendor groups: small businesses, service-disabled veteran-owned
enterprises and women-owned and minority-owned companies. These firms register
online to do business with the government through the Central Contractor
Registration (CCR) database, which in 2012 was folded into the System for Award
Management (SAM). That registration identifies the firm as a particular type of
contractor when it bids on set-aside procurement projects.
Landing a lucrative government contract is not without risk, however. Under the
laws of the United States, a plaintiff can bring a civil suit not only against the
government but also against the integrator who installed a system and the
manufacturers of the products that went into it. Whether the winning contractor
is a standard integrator or one of the set-aside small businesses, its exposure in
the event of a terrorist attack can be limited by DHS's SAFETY Act (the Support
Anti-terrorism by Fostering Effective Technologies Act of 2002), which caps the
liability of sellers of approved anti-terrorism technologies so that a lawsuit of
that magnitude does not become a crippling financial blow. It is another approval
process: the seller applies to DHS, which reviews the technology and grants it
Designation or, at the higher tier, Certification under the Act.
Mandating Interoperability
Many commercial entities issue employee badges that let individuals move from
building to building or division to division within the same company. Federal
employees, though, often need to work with agencies outside their own authority.
To promote interoperability between agencies without compromising security, the
government created the Federal Identity, Credential and Access Management (FICAM)
architecture and roadmap, which apply across agencies.
Most prominent among the credentials it covers are the Personal Identity
Verification (PIV) smart cards issued to civilian federal employees and contractors
under HSPD-12 and FIPS 201, and DoD's equivalent, the Common Access Card (CAC).
Both carry the holder's identity and PKI certificates on the chip, so a facility
in another agency or department can trust the credential and grant whatever level
of access the holder is entitled to there.
The government has also begun extending interoperability mandates beyond facility
access to shared data and device access. This is particularly critical in crisis
management, when agencies such as FEMA, the FBI and the ATF may need to meet and
coordinate a response. In a disaster or on high alert, the ability to access and
share data and devices across multiple agencies and the first-responder community
is paramount.
To ensure that federal agencies comply with the interoperability measures set
forth in FICAM, OMB issued Memorandum M-11-11 in February 2011. It directs that new
systems be built to use PIV credentials and that existing physical and logical
access control systems be upgraded to use them, in line with the FICAM Roadmap,
before an agency spends development and technology-refresh funds on other
activities. Security integrators are responsible for helping federal end users
meet this mandate and should look for solutions that are FICAM-compliant, or at
the very least come with guidance on reaching compliance, before moving forward
with a project.
Top-Secret Facilities Have Their Own Set of Rules
Beyond the plethora of regulations for standard government facilities, top-secret
sites require a whole new set of rules for security integrators and security
product manufacturers. Even deeper behind the scenes are mission-critical
facilities where the DoD, the intelligence community and the White House gather to
share top-secret information that bears on the security of the nation. These
locations are specifically designed to prevent communications within their walls
from leaking out and being used for malicious purposes.
The first of these is the SCIF, a Sensitive Compartmented Information Facility,
built to the Intelligence Community's ICD 705 standard and its accompanying
technical specification. While a traditional office might have four walls and a
dropped ceiling, a SCIF is more like a six-sided, hardened box with reinforced
walls, ceiling, floor and doors. Its access controls govern who can get into the
facility and which rooms inside they can reach. Every device and every
communications or power line that penetrates the SCIF is subject to technical
security (TEMPEST) review: classified traffic leaving the facility passes through
an NSA-approved in-line encryption device, the "black box" of the trade, and other
penetrations are filtered or isolated so that what is said or processed inside
cannot be eavesdropped on or intercepted over the line.
Radio frequency (RF) shielded facilities take that protection to another level:
conductive metal shielding, typically steel or copper panels welded or seamed into
the walls, ceiling, floor and doors, forms a continuous Faraday cage that defeats
the sensitive monitoring devices a hostile intelligence service might use to pick
up the discussions taking place inside or the data housed there. (Lead, sometimes
cited for this purpose, shields ionizing radiation, not radio frequencies.) As with
a SCIF, any cabling that enters an RF-shielded facility passes through filtered or
encrypted penetrations so that the shielding is not bypassed by the wiring.
For anyone hoping to do business with a top-secret federal program, stricter
communications controls are a must, such as requiring users to authenticate with
a Public Key Infrastructure (PKI) certificate. A certificate is not a secret
identifier: it is a CA-signed binding of the user's identity to a public key, and
the user proves that identity by signing a fresh challenge with the matching
private key, which lives on the smart card and never leaves it. That is far
stronger protection for data access than a username and password, because no
reusable secret ever crosses the wire. Beyond providing secure devices, vendors
must employ staff who hold top-secret clearances. If not, they must hire a cleared
escort to shadow workers in and out of the facility for the duration of the
project, which substantially eats into profits.
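To make concrete what certificate-based authentication does, both for the PKI requirement just described and for the CAC and PIV credentials under "Mandating Interoperability," here is an added example written for this page in Go using only the standard library. It is not code from the article or from any federal program, and the CA name, the card holder "JANE DOE," and the certificate parameters are hypothetical; a locally generated CA stands in for the Federal PKI. The card-side Sign step and the relying-party Authenticate step show why the certificate is a public object, why the verifier must issue a fresh challenge every time, and why a certificate from an untrusted issuer fails even when it carries the right name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Credential models a PIV/CAC card: a public X.509 certificate plus a private key that never leaves the card.
type Credential struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// signCert has parent sign tmpl (one-day validity) and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA generates a self-signed issuing CA. Hypothetical: a real card chains to the Federal PKI.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency CA"}}
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueCredential has the CA sign the holder's public key; that signed binding is the certificate, and none of it is secret.
func issueCredential(ca *x509.Certificate, caKey *ecdsa.PrivateKey, holder string) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: holder}}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	cert, err := signCert(tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Credential{Cert: cert, key: key}, nil
}

// trustStore builds the verifier's root pool from the issuing CA.
func trustStore(ca *x509.Certificate) *x509.CertPool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots
}

// Sign is the card-side step: sign the verifier's fresh challenge to prove possession of the private key.
func (c *Credential) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}

// Authenticate is the relying-party step (door controller or server): the certificate must
// chain to a trusted CA and the signature over the challenge must verify under its public key.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("challenge signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := newCA()
	cred, _ := issueCredential(ca, caKey, "JANE DOE") // hypothetical card holder
	roots := trustStore(ca)
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh nonce per attempt; reusing one would permit replay
	sig, _ := cred.Sign(challenge)
	fmt.Println(Authenticate(roots, cred.Cert, challenge, sig))
}
```

Run it and the genuine card authenticates as its subject name. Present the same signature against a new challenge and Authenticate rejects it, which is the replay protection a password cannot offer; present a card issued by a CA outside the trust store and it is rejected even though its subject name matches. A production PIV or CAC deployment also checks revocation status and gates the card's private key behind a PIN, both of which this example leaves out.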
The ABCs of Procurement
While government security is a slightly different beast than civilian commercial
facilities, the underlying best practices for security systems still prevail. As
long as you have mastered the fundamentals of designing a solution that meets the
needs of your client, you are 90 percent there. Though the preponderance of
acronyms may seem overwhelming at first, landing a government contract is
basically a matter of understanding the procurement process and asking the right
questions:
- How demanding are the agency's security needs?
- Where are its points of vulnerability?
- Are there interoperability issues that need to be addressed?
- What lists and certifications do I need before I can get started?
This article originally appeared in the November 2012 issue of Security Today.