What the Government Really Wants
Specific standards must be met to bulk up federal security
- By Kim Rahfaldt
- Mar 01, 2011
Federal government buildings pose similar security challenges
to commercial facilities: They need to control access, visually
monitor daily activity and manage intrusion-prevention. To
meet these demands, the government must integrate with
numerous security manufacturers that supply a means to protect
different functions, such as single sign-on for individual computers,
or large servers to meet redundancy and fault-tolerance needs.
Of course, the level of protection needed could vary, depending
on the building being secured. Buildings that house government
servers or national archives may need more protection than a single
card swipe and camera, for example. So how does a government
security manager determine what is needed to secure the men and
women who work for the government? What technologies and
cost-saving solutions will influence decision-makers? And how
can manufacturers and resellers help the government make these
important decisions?
How Government Does Business
Working with the government is a long, involved process that requires
education and patience. Understanding the intricacies of the process
will help integrators and manufacturers gain the trust needed to win
projects.
After first assessing its security needs thoroughly, the designated
security committee will send a number of companies a request for
information (RFI). An RFI allows the committee to glean information
about the products and services available to them that will solve the
issues defined in their risk assessment. After reviewing the RFI, the
committee may ask for a solicitation in the form of a request for
quotation (RFQ), request for proposal (RFP) or invitation for bid
(IFB). Understanding the differences among these requests is critical
to meeting criteria and moving to the next level of the process.
Timing is critical. A company must be six to 12 months ahead of
the specification going public. This time should be spent pre-selling.
Once the RFP is released, it’s too late. You should be talking with the
primary end user, contractor (person doing the paperwork) and the
technical representative (person who determines if the product or
service meets the project’s requirements). Developing a relationship
with these three individuals is crucial. They must know early on that
you are interested in providing a solution for their security needs.
The soliciting agency will evaluate the proposal based on how
the solution meets its need and budget. A company that meets those
needs is then invited to demonstrate its product and discuss its
solution, as well as provide a final bid.
Technologies Play a Role
The government is always looking for ways to reduce costs associated
with redundancies across the different agencies and departments.
Many agencies and departments have their own data centers to store
critical information, including employee information. In recent
years, the number of computers and data centers has skyrocketed,
and if agencies continue to create their own data centers, there will be
a lot of redundancy in people and energy. This redundancy could be
eliminated by combining centers.
The government could do this by using cloud computing. Cloud
computing could make government agencies more efficient, provide
cost savings and reduce the environmental impact of purchasing
hardware. The savings are derived from the cost of dedicated servers
for each agency or application, and the energy costs to operate those
servers. Using cloud computing saves hosting and maintenance costs,
staffing and the cost of software installation and ongoing support.
However, when it comes to physical access control, the risks of
cloud computing outweigh the benefits. The bandwidth needed for
video surveillance is significant and expensive. Cyber-threats have
grown tremendously, so there is the risk of a security breach. The
system user has no control over the application and is at the mercy of
the cloud provider as to when updates will be received.
Government customers want a solution that meets their
operational requirements, not one that will require their operation
to change to accommodate the software. In a cloud computing
environment, the government data is under the physical control of
others -- yes, the government is responsible for the data but has no
control over it.
The government could turn to server virtualization as a way to
save money and energy. Server virtualization consists of using a
single server to operate multiple virtual instances of servers through
a VMware product. A small operating system is installed using a
hypervisor -- a virtualization method that allows multiple operating
systems to run concurrently on a host computer -- to manage the
interface between the hardware and various virtual servers. The
Windows operating system and application software are installed
in the virtual machine, and the software cannot tell the difference
between this environment and a physical one.
Server virtualization allows the minimization of hardware and all
costs associated with it: hardware technology refresh, maintenance,
personnel and energy costs. The control remains with the user and is
safer because the information is stored on the server.
FIM Saves Money
Federated identity management (FIM) is a growing idea and offers
another budget-friendly security solution. With FIM, each device
or system, such as a security system, uses a centralized database for
authentication and authorization information. FIM would allow
participating government agencies to use their existing databases of
identities and import that information into the security management
system. Using a personal identity verification (PIV) card, multiple
agencies could share an FIM application, and consolidating resources
would save money.
The government is working to achieve Federated Identity,
Credential and Access Management (FICAM). According to
www.idmanagement.gov, “The goal is a consolidated approach for all
government-wide identity, credential and access management
activities to ensure alignment, clarity and interoperability. It
establishes the foundation for trust and interoperability in conducting
electronic transactions both within the federal government and with
external organizations. It encompasses the core capabilities to be
able to identify, authenticate and authorize individuals to provide
appropriate access to resources, which is the lynchpin to the success
of the national cybersecurity initiative and the successful and secure
adoption of electronic health records for the healthcare industry.”
Government agencies would use a PIV card when necessary to
assert someone’s identity. For example, if an individual were going
to log into a workstation or pass through a doorway, a PIV card
would assert the identity. FICAM identifies where it’s necessary to
assert his or her identity and the appropriate way to implement the
assertion. One card can be used for access control and logical access,
simplifying the process and reducing costs.
Become a Trusted Security Adviser
Developing a close relationship with the people involved in providing
security services to their agency or bureau is important to a reseller’s
success. You need to become more than just the company that
manufactures the product or the reseller who installs the product.
You need to get involved, ask questions and help them figure out what
they will need for a security system now and in the future.
Be proactive and demonstrate the value in what you do. You need
to become not just a company, but a trusted security adviser. Once
you are a trusted security adviser, the agency will turn to you with questions
and will rely on your input to help them make decisions.
To become a trusted security adviser, you need to get involved
with your government customers and partners in a variety of ways.
Involve your company or individuals in industry associations that
advise the government on applying and implementing technologies.
Be readily available to provide a consultation or recommendations
directly. Work closely with all partners involved in a project, whether
it’s the IT department, integrator, vendor partners or security
managers, and facilitate open communication. Assist with system
design on new projects, and help facilitate migration from legacy
equipment to compliant, modern solutions.
Solutions
Federal assets, including cyber-assets, staff and buildings, must be
secure 24/7 with some variation in the level of security implemented,
based on the time of day. The ability to recognize worthwhile
technology integrations and having the capability to quickly
implement the integration gives a company an edge.
The government has been asking for a security management
solution that includes an integrated intrusion management system.
AMAG Technology listened, and its Symmetry Homeland V7 features
a newly enhanced intrusion detection system (IDS) capability that
will allow authorized people to manage their intrusion system from
a contactless smart card reader. Government needs demanded a
feature-rich contactless smart card reader, such as AMAG’s S884
Javelin reader, to meet special Section 508 guidelines, which require
agencies to make electronic and information technology accessible to
people with disabilities.
According to www.section508.gov, the law applies to all federal
agencies when they develop, procure, maintain or use electronic and
information technology. The Javelin reader has four lines of text where
most readers have two. The four lines of text can be programmed to
read one line of text that is four lines high, or two lines of text two
lines high. This option allows the government to meet guidelines for
the visually impaired.
In addition to becoming a trusted security adviser and providing
government-compliant products, companies need to have a good
reputation and long-standing commitment to their products and
services. In other words, the government prefers to work with a
company that is going to be in business for a long time.
The government often needs a new software feature added to
its security system or new integration. Having the capability to
write software or manufacture hardware quickly is an advantage to
working within this market. The government sector looks favorably
on companies who have full control over product development and
can help it meet its security needs quickly.
The government must install products that comply with the many
standards the various federal entities impose, and must work with
companies whose products meet those standards and certifications.
Staying ahead of the project bid and becoming a trusted security
adviser are two ways companies can gain an advantage in this
lucrative market.
Helping the government meet its needs now, and in the future,
while providing excellent support, will help ensure success.
This article originally appeared in the March 2011 issue of Security Today.