Security in Alphabet City

Key differences between government facilities and commercial buildings

On the surface, there’s not a great deal that differentiates security in government facilities from security in commercial buildings. They both have physical structures, infrastructure and people that need to be protected. Integrators generally deploy the same array of security systems—everything from access control to video surveillance to intrusion detection. But when you delve a little deeper, you soon discover an array of acronym-laden regulations that govern federal procurement and installation, which are critical to doing business in the public sector.

Procurement is a Legally Protected Process

Unlike a commercial company that can choose whatever products it wants and who it wants to bid on the project, the government bidding process has to be more open and more accountable—or in today’s lingo, “transparent.” Transparency ensures that all procedures and policies are carried out to the letter of the law. Anyone attempting to play favorites or skirt the system is subject to severe repercussions.

The Office of Management and Budget (OMB) publishes an umbrella set of regulations governing federal procurement to ensure that accountability is enforced under the specific guidelines of the Federal Acquisition Regulations (FAR). These mandates encompass a whole realm of directives regarding what products federal entities may purchase and how those products should be purchased.

Individual agencies within the government often enact their own versions of FAR, adding another layer of requirements important to the reporting and transparency of what that particular agency plans on procuring.

For example, within FAR there’s a Buy America Act stipulating that a majority of all products purchased by the government and its agencies should be American made. However, DFAR, the Defense Federal Acquisition Regulations put out by the Department of Defense (DoD), exempts certain devices in the interest of heightening national security. The Federal Transportation Administration (FTA) also adds exemptions to the Buy America Act outlined in FAR for certain microprocessor-based devices. So when doing business with the federal government, be aware that the parameters for a specific federal acquisition regulation may vary from agency to agency, depending on an agency’s needs.

Certain Products Need to be Pre-approved

A number of federal agencies will purchase specific products that are on their own approved products list only. These products have been prescreened and approved for installation within federal facilities, and substitutions are rarely accepted. For instance:

  • DoD added a layer of protection against cyber threats by introducing DIACAP, the Defense Information Assurance Certification Accreditation Process. DIACAP protects the flow of information between agencies from being hacked by mandating that any IP-based equipment installed on a DoD network must pass certain certification processes to ensure that it doesn’t provide a portal for a hacker to gain access to DoD data or sabotage the operation of the DoD network.
  • A federal agency may require that certain products used for a project be purchased off of a General Services Administration (GSA) product list or similar Multiple Award Schedule (MAS) contract.
  • The Army’s Joint Interoperability Test Command (JITC) rigorously tests, operationally evaluates and certifies IT capabilities on behalf of the DoD. The goal is to ensure joint interoperability, which increases the nation’s ability to operate critical systems for its users. As such, JITC puts out its own approved products list that itemizes preferred products certified for certain installations.
  • The Air Force has its own list of approved products for access control and other devices that go into physical security protection.
  • Even the Department of Homeland Security (DHS) has its own approved products list covered under the Safety Act designation. In most instances, integrators have to convince the end user of the benefits of a particular product before it can be list-approved, and then the end user has to initiate the request with the accrediting agency to test and approve that product before it can be installed. In rarer cases, manufacturers can apply directly to the different agencies to test and approve their products under consideration.

The Government Limits Vendor Liability

While commercial corporations generally have unlimited freedom when it comes to procurement, the government often sets aside certain projects to protect and promote special vendor groups like small businesses, disabled veteran enterprises and women-owned and minority-owned companies. These organizations can apply online to do business with the government and potentially be added to the Central Contractor Registration (CCR) network. When vendors on that CCR list bid on specially earmarked procurement projects, they are easily identified as a particular type of contractor.

Landing a lucrative government contract is not without risk, however. Whether the winning contractor is a standard integrator or one of the special small businesses, exposure in the case of terrorist attack or catastrophe can be mitigated by DHS’s Safety Act. This is important to note because, under the laws of the United States, a plaintiff can bring a civil suit against not only the government but also the integrator who installed the system and the manufacturers of the products that were installed as part of that system.

To limit liability in a lawsuit of that magnitude, the Safety Act works as a stopgap measure to protect individual businesses from taking a crippling financial blow. It’s another approval process that must be applied for through DHS, which tests and certifies products that fall under the protections outlined in the Safety Act.

Mandating Interoperability

Many commercial entities have employee badges that allow individuals to go from building to building or division to division within the same company. But federal employees often have a need to work with other agencies outside their own authority. To promote interoperability between agencies without compromising security, the government created Federal Identity Credential and Access Management (FICAM) standards that apply across agencies.

Most prominent among these governing standards are the common access credential (CAC) smart cards that contain varying authority levels granting federal employees permission to enter different agency and department facilities using trusted credentials.

The government has also begun extending interoperability mandates beyond facility access to include areas of shared data and device access. This is particularly critical for crisis management when a number of agencies like FEMA, the FBI and the ATF might need to meet and discuss how to coordinate a response to the situation. In cases of disaster or high alert, the ability to access and share data and devices across multiple agencies and the first responder community is paramount.

To ensure that federal agencies comply with the interoperability measures set forth in FICAM, the OMB issued a directive called OMB m11-11, which basically states that no funding will be provided to any agency for physical security improvements until a FICAM roadmap is in place. Security integrators are responsible for assisting federal end users in meeting this mandate and should look for solutions that provide compliance or, at the very least, guidelines for compliance before attempting to move forward with a project.

Top-Secret Facilities Have Their Own Set of Rules

Beyond the plethora of regulations for standard government facilities, top-secret sites require a whole new set of rules for security integrators and security product manufacturers. Even deeper behind the scenes are mission-critical facilities where the DoD, the intelligence community and the White House gather to share top-secret information that will impact the security of our nation. These locations are specifically designed to prevent communications within their walls from leaking out and being used for malicious purposes.

The first of these is the SCIF, a Secure Compartmentalized Information Facility. While a traditional office might have four walls and a dropped ceiling, a SCIF is more like a six-sided, hardened box with reinforced walls, ceiling, floor and doors. It incorporates certain protections that regulate who can get into the facility and how they can access particular rooms inside. Any device or communications cabling that goes into a SCIF must be protected by a black box device that encrypts or alters the radio frequencies so the communications can’t be eavesdropped on or intercepted.

Radio Frequency (RF) Shielded Facilities take that protection to another level; lead-lined plates are welded into the walls, ceiling, floor and doors to protect against any sensitive monitoring devices that a counter-intelligence entity might use to gain access to the discussions taking place inside or any data being housed there. As with a SCIF, any cabling that goes into an RF facility must be protected by a black box device that encrypts or alters the RFs so the communications can’t be eavesdropped on or intercepted.

For anyone hoping to do business with a top-secret federal agency program, stricter communications controls are a must, such as requiring users to employ a Public Key Infrastructure (PKI) certificate, which is a unique encrypted identifier that provides greater protection for data access than the traditional username and password. Beyond providing secure devices, vendors must employ staff who have top-secret clearance. If not, they must hire a top-secret clearance escort to shadow workers in and out of the facility for the duration of the project, which is going to substantially eat into profits.

The ABC's of Procurement

While dealing with government security is a slightly different beast than civilian commercial facilities, the underlying best practices for security systems still prevail. As long as you’ve mastered the fundamentals of designing a solution that meets the needs of your client, you’re 90 percent there. Though the preponderance of acronyms may seem overwhelming at first, landing a government contract is basically a matter of understanding the procurement process and asking the right questions:

  • How aggressive are the agency’s security needs?
  • Where are its points of vulnerability?
  • Are there interoperability issues that need to be addressed?
  • What lists and certifications do I need before I can get started?

This article originally appeared in the November 2012 issue of Security Today.
