More than 14 years have passed since the U.S. government issued Homeland Security Presidential Directive 12 (HSPD-12), which—like many federal initiatives following 9/11—aimed to strengthen security at federal facilities around the country. It called for the establishment of a governmentwide identification verification system that would standardize how agencies approached physical access control—using an interoperable system to verify the identity of government employees and contractors accessing federal buildings across the country.
But when the U.S. Government Accountability Office (GAO) looked into implementation efforts last year, it found that the Office of Management and Budget (OMB) and the General Services Administration (GSA)—which are responsible for the program’s oversight and identifying appropriate technology—have no data on agency efforts to adhere to HSPD-12. Based on GAO’s interviews with industry experts and select federal agencies, most federal facilities may not be fully compliant.
“Here we are, 14 years later, and we really don’t know what progress has been made,” says Lori Rectanus, director of physical infrastructure at GAO and the author of the recent report. “We lack a lot of good data to know what agencies are doing, and in our report, we found that OMB just wasn’t getting the kind of information it needs to know: have we made good progress, or have we not? We did speak to some private sector companies, and some of them say that less than 10 percent of systems in the federal sphere are compliant. There’s no data one way or the other to support that.”
In its report, Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control, GAO interviewed five agencies on what it takes to acquire and implement HSPD-12-compliant physical security systems. The results were varied—and raise the larger question of whether a one-size-fits-all access control solution is the best approach to securing hundreds of facilities with diverse needs.
There are two overarching aspects of HSPD-12. The first is the use of personal identity verification (PIV) cards by employees, which must be interoperable with every federal agency’s physical access control system. The report explains that when cardholders attempt to enter an area managed by an access control system, they will use a card reader, which determines whether the cardholder is authorized to enter that area.
The GAO report emphasizes the importance of governmentwide interoperability—ideally, the card reader should be connected to an interconnected network that could prevent former federal employees, or those with only a certain amount of access, from entering secured areas, no matter what facility they are in.
“In order to realize the full security benefit of PIV cards, physical access control systems must have a network connection that enables them to validate a given cardholder’s access credentials,” the report states.
That’s where the second part of HSPD-12—system procurement—comes into play. The GSA has developed an approved products list of access control solutions that have met federal requirements and are interoperable with PIV cards, regardless of manufacturer. GSA also manages a website of approved products and is tasked with aiding agencies in the procurement and implementation of systems in accordance with the latest federal supply schedule updates.
The product implementation required to make a facility HSPD-12-compliant isn’t cheap, the report notes. The U.S. Transportation Security Administration (TSA) alone is expected to spend about $73 million over the next five years to implement physical access control systems. Most of those funds will be spent acquiring new systems from the GSA’s approved products list.
However, based on GAO’s interviews, HSPD-12-compliant access control and interoperability do not seem to be a top priority for many agencies—and the OMB and GSA don’t have the data needed to track implementation levels or improvement.
“We found that neither OMB nor GSA currently collect data on agency efforts to implement physical access control system requirements, including use of the approved products list,” GAO states in its report. “This is significant because our interviews with physical access control systems’ manufacturers, integrators, and selected agencies indicate that governmentwide implementation of physical access control systems may be limited and raises questions about governmentwide progress.”
Each of the five agencies interviewed by the GAO has its own implementation concerns, and some agencies have found the HSPD-12 requirements clash with their own security needs. For example, the Bureau of Prisons (BOP) has successfully implemented approved access control systems at its headquarters and regional offices but cannot comply with HSPD-12 at its prisons.
“Bureau of Prisons officials told us that physical security and screening procedures at prisons are more stringent than those that occur with typical building-access procedures as persons and belongings are scanned and searched,” the report states. “Physical access control system equipment at these prisons may in fact be problematic.”
None of the U.S. Coast Guard’s 1,400 facilities with security responsibilities fully adhere to the requirements, largely because decisions about physical access control systems are made on a facility-by-facility basis, and there is no systematic tracking of equipment purchases. Similarly, the Environmental Protection Agency (EPA) currently does not have approved access control at any of its 72 facilities. The EPA had previously purchased approved system equipment, but because security requirements have changed over time, the buildings are no longer compliant.
On the other hand, the Transportation Security Administration (TSA) is actively striving to make its 139 facilities fully compliant. GAO found that the only item missing is the capability for interoperable identity verification checks among federal agencies, which TSA is planning to implement this year—at a cost of $14 million a year.
Rectanus points out that the variance in even these agencies’ physical security measures shows the challenges in becoming—and staying—fully compliant with HSPD-12. And while most facilities have likely implemented some sort of security, even if it’s not compliant, there’s no way to tell just how successful it is.
“I think if we don’t have interoperability at a facility, the facilities are trying to do what they can to control access,” Rectanus tells Security Management. “The risk you run is that—because my PIV card is not talking to a physical access control system—if I show up at an agency and I present my badge to a person, and they give me access to the building, they don’t really know that I’m still working for this organization, or that I really am who this card says I am. Agencies are doing what they need to do, obviously, but in the absence of this integrated network they really can’t ensure that I have the right to go to a particular place in the building.”
How did federal facility access control become so fractured? Beyond the fact that there has been no meaningful federal oversight, the GAO report points to the costs of updating equipment, confusion about what schedules and requirements must be adhered to, challenges in integrating new access control systems with legacy equipment, and lack of leadership and training about how to actually become HSPD-12-compliant—which has led to a broader skepticism of governmentwide interoperability.
“Some agency officials are reluctant to more fully integrate their physical access control systems,” the report notes. “This reluctance is due to concern about a perceived increase in security risks resulting from more broadly networking physical access control systems’ equipment and access credentials like PIV cards.” However, other federal officials tell Security Management that this concern is unfounded. According to these officials, integrating agencies’ physical access control systems will enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy by electronically authenticating the validity of access credentials.
Rectanus also points out that federal agencies are not immune to the struggle of many security departments in the private sector—it’s hard to tell if a security approach is inadequate when nothing goes wrong, especially when it comes to the insider threat.
“Security is one of those funny things where nobody really thinks there is a problem until something happens,” Rectanus says. “At this point I think many facilities may not know if people are infiltrating their locations unless something inappropriate happens, or if they can track back any hack or invalid access to this problem. It is true that we did not find any specific instances where, due to this problem, there was some sort of unauthorized access, but I’m just not sure it’s something that people are focused on. We know right now that you can mock up a government badge, go into a facility that doesn’t have these interoperable systems, and you could get in the building. It only takes one or two folks to potentially do something dangerous with that…and just because it hasn’t happened doesn’t mean the risk is not there.”
Rectanus notes that, in light of the lack of baseline data from OMB and GSA, talking with several security industry leaders—physical access control system manufacturers, integrators, and other organizations—helped GAO understand what the government can do to further improve physical security best practices. For example, she notes that they raised concerns about manufacturers or integrators that present themselves as being HSPD-12-compliant, even though they haven’t completed GSA testing and are not on the approved products list. This is one reason why facilities might think they are compliant when they actually aren’t.
“The industry stakeholders would like to see more leadership, incentives, and movement towards interoperability, because from their perspective they are very much an industry that understands the value of this governmentwide integration,” she explains. “They would like to help get across that idea that broader integration is actually a better thing, not a worse thing.”
Realistically, there will never be total HSPD-12 compliance in all federal facilities, whether because an agency’s own security requirements clash with the directive or because there just isn’t enough money to upgrade every system. However, agencies can still take steps toward fostering access control interoperability. To overhaul the physical security requirements to more accurately meet each agency’s needs, there needs to be a baseline understanding of where facilities stand—something that is currently lacking.
“I think the OMB obviously must recognize that agencies must have specific needs, and there are budgetary constraints,” Rectanus says. “There could be particular locations where maybe it doesn’t make sense to have a physical access control point that relies on swiping a badge, such as in prisons. From our perspective, this HSPD-12 mandate is still out there, and GSA is still being instructed to work with agencies to help them buy HSPD-12-compliant technology. I think the expectation is that, until we have a better system, this is probably the best one, and realize that an agency has to prioritize where it’s most relevant.”