Security in Alphabet City

Key differences between government facilities and commercial buildings

On the surface, there’s not a great deal that differentiates security in government facilities from security in commercial buildings. They both have physical structures, infrastructure and people that need to be protected. Integrators generally deploy the same array of security systems—everything from access control to video surveillance to intrusion detection. But when you delve a little deeper, you soon discover an array of acronym-laden regulations that govern federal procurement and installation, which are critical to doing business in the public sector.

Procurement is a Legally Protected Process

Unlike a commercial company that can choose whatever products it wants and who it wants to bid on the project, the government bidding process has to be more open and more accountable—or in today’s lingo, “transparent.” Transparency ensures that all procedures and policies are carried out to the letter of the law. Anyone attempting to play favorites or skirt the system is subject to severe repercussions.

The Federal Acquisition Regulation (FAR) is the umbrella set of rules governing federal procurement. It is maintained jointly by the DoD, the General Services Administration (GSA) and NASA under the policy oversight of the Office of Management and Budget (OMB). These mandates cover what products federal entities may purchase and how those purchases must be conducted, so that accountability can be enforced against specific, published guidelines rather than ad hoc judgment.

Individual agencies often issue their own supplements to the FAR, adding another layer of requirements governing the reporting and transparency of what that particular agency plans to procure.

For example, FAR Part 25 implements the Buy American Act, which gives preference to domestically produced end products in federal purchases. However, the Defense Federal Acquisition Regulation Supplement (DFARS), issued by the Department of Defense (DoD), exempts certain items in the interest of national security, and the Federal Transit Administration (FTA) applies its own, separate "Buy America" requirement to transit grants, with general waivers for certain microprocessor-based equipment. So when doing business with the federal government, be aware that the parameters of a given acquisition rule may vary from agency to agency, depending on that agency's needs.

Certain Products Need to be Pre-approved

A number of federal agencies will only purchase products that appear on their own approved products list. These products have been prescreened and approved for installation within federal facilities, and substitutions are rarely accepted. For instance:

  • DoD added a layer of protection against cyber threats with DIACAP, the DoD Information Assurance Certification and Accreditation Process (since superseded by the DoD Risk Management Framework). DIACAP required any IP-based equipment connected to a DoD network to pass certification and accreditation before installation, so that the device cannot serve as an entry point for an attacker to reach DoD data or disrupt the operation of the network. For an integrator, that means an IP camera or networked access controller is treated as a network host subject to the same scrutiny as any server.
  • A federal agency may require that certain products used for a project be purchased off of a General Services Administration (GSA) product list or similar Multiple Award Schedule (MAS) contract.
  • The Joint Interoperability Test Command (JITC), part of the Defense Information Systems Agency (DISA), tests, operationally evaluates and certifies IT capabilities on behalf of the DoD. The goal is joint interoperability: equipment that works across services and agencies rather than within a single one. JITC publishes its own approved products list itemizing products certified for particular installations.
  • The Air Force has its own list of approved products for access control and other devices that go into physical security protection.
  • Even the Department of Homeland Security (DHS) has its own approved products list, covered under the SAFETY Act designation. In most instances, integrators have to convince the end user of the benefits of a particular product before it can be list-approved, and then the end user has to initiate the request with the accrediting agency to test and approve that product before it can be installed. In rarer cases, manufacturers can apply directly to the different agencies to have their products tested and approved.

The Government Limits Vendor Liability

While commercial corporations generally have unlimited freedom when it comes to procurement, the government often sets aside certain projects to protect and promote special vendor groups like small businesses, disabled-veteran enterprises and women-owned and minority-owned companies. These organizations can apply online to do business with the government and be added to the Central Contractor Registration (CCR) network (now the System for Award Management, SAM). A vendor on that list who bids on specially earmarked procurement projects is easily identified as a particular type of contractor.

Landing a lucrative government contract is not without risk, however. Whether the winning contractor is a standard integrator or one of the special small businesses, exposure in the case of a terrorist attack or catastrophe can be mitigated by DHS's SAFETY Act. This is important to note because, under the laws of the United States, a plaintiff can bring a civil suit against not only the government but also the integrator who installed the system and the manufacturers of the products that were installed as part of that system.

To limit liability in a lawsuit of that magnitude, the SAFETY Act caps the exposure of individual businesses so that a single claim cannot deliver a crippling financial blow. It is another approval process, applied for through DHS, which reviews products and services and designates or certifies those that qualify for the protections outlined in the Act.

Mandating Interoperability

Many commercial entities have employee badges that allow individuals to go from building to building or division to division within the same company. But federal employees often need to work with other agencies outside their own authority. To promote interoperability between agencies without compromising security, the government created the Federal Identity, Credential and Access Management (FICAM) architecture, which applies across agencies and builds on the HSPD-12 and FIPS 201 Personal Identity Verification (PIV) credential.

Most prominent among these credentials are the smart cards themselves: the DoD's Common Access Card (CAC) and the PIV card issued by civilian agencies. The card carries a standardized, cryptographically verifiable identity that any agency can authenticate, while the decision about which facilities or rooms a given holder may enter remains with the agency that owns them.

The government has also begun extending interoperability mandates beyond facility access to include areas of shared data and device access. This is particularly critical for crisis management when a number of agencies like FEMA, the FBI and the ATF might need to meet and discuss how to coordinate a response to the situation. In cases of disaster or high alert, the ability to access and share data and devices across multiple agencies and the first responder community is paramount.

To ensure that federal agencies comply with the interoperability measures set forth in FICAM, the OMB issued a directive, OMB M-11-11, which states that, beginning in fiscal year 2012, agencies must upgrade existing physical and logical access control systems to use PIV credentials before spending development and technology refresh funds on other activities. Security integrators are responsible for assisting federal end users in meeting this mandate and should look for solutions that provide compliance, or at the very least guidelines for compliance, before attempting to move forward with a project.

Top-Secret Facilities Have Their Own Set of Rules

Beyond the plethora of regulations for standard government facilities, top-secret sites require a whole new set of rules for security integrators and security product manufacturers. Even deeper behind the scenes are mission-critical facilities where the DoD, the intelligence community and the White House gather to share top-secret information that will impact the security of our nation. These locations are specifically designed to prevent communications within their walls from leaking out and being used for malicious purposes.

The first of these is the SCIF, a Sensitive Compartmented Information Facility. While a traditional office might have four walls and a dropped ceiling, a SCIF is more like a six-sided, hardened box with reinforced walls, ceiling, floor and doors. It incorporates protections that regulate who can get into the facility and how they can access particular rooms inside. Any device or communications cabling that passes into a SCIF must be protected by a device that encrypts or filters the signal so the communications cannot be eavesdropped on or intercepted.

Radio Frequency (RF) shielded facilities take that protection to another level: conductive shielding, typically copper or steel panels, is bonded into the walls, ceiling, floor and doors to defeat any sensitive monitoring equipment that a hostile intelligence service might use to pick up the discussions taking place inside or the data being housed there. As with a SCIF, any cabling entering an RF-shielded facility must pass through a device that encrypts or filters the signal so it cannot be intercepted.

For anyone hoping to do business with a top-secret federal agency program, stricter communications controls are a must, such as requiring users to authenticate with a Public Key Infrastructure (PKI) certificate. A certificate binds a user's identity to a public key and is signed by a trusted certificate authority; the user proves identity by demonstrating possession of the matching private key, which provides far stronger protection for data access than a traditional username and password. Beyond providing secure devices, vendors must employ staff who hold top-secret clearances. If not, they must hire a cleared escort to shadow workers in and out of the facility for the duration of the project, which will substantially eat into profits.

The ABCs of Procurement

While dealing with government security is a slightly different beast than civilian commercial facilities, the underlying best practices for security systems still prevail. As long as you’ve mastered the fundamentals of designing a solution that meets the needs of your client, you’re 90 percent there. Though the preponderance of acronyms may seem overwhelming at first, landing a government contract is basically a matter of understanding the procurement process and asking the right questions:

  • How aggressive are the agency’s security needs?
  • Where are its points of vulnerability?
  • Are there interoperability issues that need to be addressed?
  • What lists and certifications do I need before I can get started?

This article originally appeared in the November 2012 issue of Security Today.
