Spending the Government's Money
A look at how three major government entities manage security
By Kim Rahfaldt, Adam Shane
Mar 05, 2010
The government security market is a growing multi-billion dollar business. To address a host of new security requirements, the security industry has partnered with the government to develop new security standards and capabilities. New requirements have led to opportunities in the physical access control systems and the identity management markets.
To address the needs of identity, credential and access management, the government is spending billions of dollars on ID cards and systems to provide a higher level of assurance of a cardholder's identity. Government facilities and sea ports are upgrading their PACS to take advantage of new ID cards mandated by the government.
The government relies on regulations developed by various organizations to ensure products and services meet its own requirements. Different customers may have different resources to verify compliance. For instance, the General Services Agency has defined the FIPS 201 evaluation program and the associated approved products list to assist federal agencies in determining which products have been tested to federal guidelines.
The TWIC program also publishes its own list, and TSA has posted the initial capabilities evaluation list showing which products meet its expectations for fixed and handheld devices. TSA also will conduct further environmental and functional testing to provide security system designers and purchasers with additional details on compliance of these products.
When selling to government customers—and others that are regulated to comply with additional standards, such as TWIC—products should be included on the appropriate resource lists.
The procedures for getting on these lists vary. Always start by contacting the agency responsible for the list. In addition to these lists of products that have met certain levels of compliance, various customers also will have to perform a separate certification and accreditation test, which is used to validate compliance. This generally is a system-wide test, so it does not apply to a single device and may not apply to a single manufacturer.
Selling to the Government
The government's process for awarding contracts begins with a request for information to discover what products and services exist in the market. Responding to an RFI is your opportunity to influence the specification. RFIs are used to gather information; solicitations are used to purchase. Solicitations issued by the government come in several flavors: request for quotation, request for proposal or invitation to bid. The government is looking for the best value: the product or service that meets the requirement at the lowest cost. Once the proposals are submitted, the government will conduct an evaluation and develop a list of companies that meet the requirements and offer competitive pricing. The candidates are invited for discussions and demonstrations and asked for a final bid.
A project may be more heavily weighted in favor of compatibility with an incumbent product or a specific function, a low-cost solution or one that minimizes human resources in favor of technology. The scoring may put a bias on the level of service the end user expects to receive; for example, in response time, equipment replacement or technology refresh period. The vendor should interview the customer and attempt to discern what his or her sensitivities are to these and other issues. This is known as pre-selling and is another area where the incumbent will have an advantage as they are already on site at the facility.
Position your product or service as a solution—not part of a solution—even if that means partnering with others to round out the offering. To convince the customer of how easily the solution can be implemented, show examples where similar solutions have been implemented and explain the lessons learned.
Timing is everything. You must be six to 12 months ahead of the opportunity hitting the streets. Take this time to pre-sell. If the customer has released the RFP, you are too late.
Government buildings face many of the same access control and video challenges that non-government entities encounter. First, they must perform a risk assessment to determine what needs protection, how best to protect it and what technology will provide the most comprehensive solution.
Meeting the government-mandated requirements, along with installing a security system that facilitates the needs of the building and staff, are just some of the many factors that come into play—there also are budgetary constraints and aggressive timelines.
A PACS that integrates with video and performs as one system provides the best security option. Deeply integrated access control and digital video produce a faster response to alarms. Any system activity can trigger an automated response on any subsystem. The response might be to lock/unlock a door, to swing a PTZ camera to a different preset position based on the alarm, or to tag video and start recording at a higher resolution and frame rate.
Government security officials must decide whether to implement multiple layers of security for sensitive information, public officials and matters of national security. When security is required in a less sensitive area, smartcard readers requesting a card swipe to open a door are sufficient. However, rooms that require increased security may require a card swipe and PIN or a biometric and PIN for access.
Meeting government mandates such as TWIC is another challenge. TWIC is an identification credential for individuals requiring unescorted access to secure areas of buildings and vessels regulated by the Maritime Transportation Security Act. Persons who qualify for a TWIC receive a tamper-resistant credential containing their fingerprint and an access code that provides a positive link between the card and individual. Many ports have chosen to deploy an electronic credential authentication in association with the TWIC cards.
Integrating government-approved access control with a government-issued identity credential such as PIV or TWIC requires electronic credential authentication software to perform a multifactor authentication before the card is loaded into the local database. The multifactor authentication includes viewing the photo of the cardholder, validating the card's digital certificates, matching a PIN and a biometric fingerprint to the card, and checking the cardholder's ID against the TSA Hotlist. Periodic authenticity checks of registered cardholders also are required.
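The enrollment gate and the periodic re-check described above, sketched as an added example (not code from the article or from any product it names). The field names, card identifiers and hotlist contents are constructed; certificate path validation, PIN verification and fingerprint matching are assumed to happen elsewhere and arrive here as booleans.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Presented:            # what the enrollment station collected (all values constructed)
    card_id: str            # hypothetical identifier, not a real TWIC field name
    cert_not_after: date    # expiry taken from the card's certificate
    cert_chain_ok: bool     # result of certificate path validation, done elsewhere
    photo_confirmed: bool   # operator compared the card photo with the person
    pin_ok: bool            # PIN verified against the card
    fingerprint_ok: bool    # live fingerprint matched the template on the card

def failed_checks(p, hotlist, today):
    """Return the name of every failed check; an empty list means the card passes."""
    checks = {
        "photo": p.photo_confirmed,
        "certificate": p.cert_chain_ok and today <= p.cert_not_after,
        "pin": p.pin_ok,
        "fingerprint": p.fingerprint_ok,
        "hotlist": p.card_id not in hotlist,
    }
    return [name for name, ok in checks.items() if not ok]

def enroll(db, p, hotlist, today):
    """Load the card into the local PACS database only if nothing failed (fail closed)."""
    failures = failed_checks(p, hotlist, today)
    if not failures:
        db[p.card_id] = p
    return failures

def periodic_recheck(db, hotlist, today):
    """Re-run the checks that can change after enrollment; remove and report stale entries."""
    removed = {}
    for card_id, p in list(db.items()):
        stale = [f for f in failed_checks(p, hotlist, today) if f in ("certificate", "hotlist")]
        if stale:
            removed[card_id] = stale
            del db[card_id]
    return removed

def demo():
    db, day0 = {}, date(2010, 3, 5)
    good = Presented("CARD-0001", date(2012, 1, 1), True, True, True, True)
    listed = Presented("CARD-0002", date(2012, 1, 1), True, True, True, True)
    no_pin = Presented("CARD-0003", date(2012, 1, 1), True, True, False, True)
    results = [enroll(db, c, set(), day0) for c in (good, listed, no_pin)]
    # Later: CARD-0002 appears on the hotlist after it was enrolled.
    removed = periodic_recheck(db, {"CARD-0002"}, date(2010, 6, 1))
    return results, removed, sorted(db)
```

The second card passes every check on the day it is enrolled and is only caught by the later re-check, which is why a one-time enrollment check alone leaves the local database stale.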
Choosing the Right Solution
Some government facilities need a powerful, robust system that can manage thousands of readers and cardholders and hundreds of cameras. They need a true open-architecture system that includes an access control head end, which can integrate with best-of-breed products in video management, intrusion detection, building automation, advanced identity management, electronic credential authentication and mobile readers. Systems must manage multiple transactions 24/7.
All other systems can integrate via the access control system, and security officers can utilize the software features to manage the integrated systems. An easy-to-use, feature-rich system that seamlessly integrates with all other components necessary for a comprehensive SMS will provide the government with the right solution.
The Port of Houston
The Port of Houston Authority owns and operates the public facilities located along the 25-mile-long Houston Ship Channel and is responsible for the security of its terminals. The 150-plus private owners along the channel have their own security plans but work closely with POHA to maintain a high level of security. AMAG Technology's Symmetry Central Card Handler manages all cardholder information.
The POHA implemented the TWIC program to ensure that individuals who pose a threat do not gain unescorted access to secure areas of the nation's maritime transportation system. Symmetry Global Security Management System integrated with Codebench's PIVCheck Plus for enrollment provides the multifactor authentication needed to meet the TWIC requirements. Veridt credential readers are used at entrance/exit points to restricted areas and dynamically read both TWIC cards and locally issued port ID cards. The various components perform their own specific functions but communicate with other parts of the system in a cohesive manner.
The Hoover Dam
One of America's national icons, the Hoover Dam is the world's 34th largest hydroelectric generating station. Its authorized purposes are to provide flood control, water storage and delivery, and generate electricity. It is the No. 1 nongambling tourist destination in Nevada and is registered as one of the engineering marvels of the world.
The Bureau of Reclamation, which built the dam, needed to improve its quick detection ability and develop a pre-planned response to mitigate and recover from security-related incidents. The upgrade also had to meet Homeland Security Presidential Directive 7 and Department of the Interior guidelines.
Hoover Dam achieved a multifaceted protection strategy that includes a security force comprised of officers from the Hoover Dam Police Department, proprietary and contract guards, and technological components. Through the implementation of AMAG's Symmetry Enterprise Security Management System, all onsite security entities now work together as one to help protect this critical national resource from any threat or emergency resulting from a hostile act. Symmetry separates public access from controlled access with millions of visitors each year, provides early warning of an unauthorized entry or security breach and employs equipment that did not destroy the architectural integrity, providing added security without compromising the historical landmark.
The Pentagon
The Pentagon deploys the largest access control system with full-time operational abilities in the world. All stakeholders worked cooperatively to install AMAG's Symmetry Enterprise to protect the people, assets and national security information at the Pentagon.
Symmetry Enterprise's robust operational platform provides a user-friendly operation process, allowing for seamless access management for the world's largest office building. Symmetry manages a database that contains tens of thousands of cardholders and processes hundreds of thousands of events every day.
The Pentagon also is working to meet HSPD-12 and FIPS 201 requisites, and a recent upgrade will facilitate that requirement.
As technology changes and threats increase, the demand for government security will continue. Many of the government's core needs are the same as those of non-government entities, but it must follow government-mandated initiatives and use products that are on the GSA list.
Working with the government takes time and a commitment to quality products and customer service. However, it's well worth the effort. Once you land the government as a client, you will find a committed customer who will positively affect your company's bottom line.
This article originally appeared in the March 2010 issue of Security Today.