HSPD and FIPS
Under HSPD-12, USDA had to issue a government-wide identity credential compliant with Federal Information Processing Standard 201 (FIPS 201) to every federal employee and contractor who gains access to USDA-controlled facilities. That requirement forced changes to USDA’s existing architecture for physical access control systems (PACS) throughout the Department. The main goal was to phase in a centralized, compliant access control system, ePACS, while leveraging existing systems to save money and manpower. Through newly written policies and the systems implemented under them, PSD can now centrally manage and control every PACS that is installed, or is to be installed, in USDA’s thousands of facilities.
The newly designed and deployed system provides the following:
• An employee or contractor from any USDA agency can use their personal identity verification (PIV) card to access any other agency’s facility within the USDA.
• Reduced hardware and administration costs: PACS can be installed in facilities nationwide without a head-end server at each facility, and without the cost and time of a separate certification and accreditation for each system, because ePACS consolidates all costs and effort under one system.
• Greater security through auditing and reporting across all PACS in the USDA nationwide.
• A higher level of security through automatically updated revocation lists: terminated users and deprovisioned ID cards are pushed to every PACS in the USDA.
• Existing PACS components are leveraged until they reach the end of their lifecycle or until the OMB-set date of October 27, 2011, by which all PACS must be FIPS 201-1 compliant.
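The first and fourth points above, cross-agency use of one PIV card and a centrally maintained revocation list replicated to every PACS, are what a reader-side check has to implement. The following is an added example, not USDA, CRI or ePACS code. It assumes the PACS identifies a card by the FASC-N carried in the PIV card’s CHUID (the FIPS 201 identifier) and keys its status list on the agency code, system code and credential number from that FASC-N; the `AuthoritativeStore` and `RegionalPACS` classes are a toy model of the authoritative database and regional servers the article describes, and all field values (agency code "0012" and so on) are constructed placeholders, not real USDA codes.

```python
from dataclasses import dataclass, field
from functools import reduce
from operator import xor

# A FASC-N is 40 five-bit characters (200 bits, 25 bytes): a 4-bit BCD value, least-
# significant bit first, then an odd-parity bit. LAYOUT is wire order; None = separator.
START_SENTINEL, FIELD_SEPARATOR, END_SENTINEL = 0xB, 0xD, 0xF
LAYOUT = [("agency_code", 4), None, ("system_code", 4), None, ("credential_number", 6),
          None, ("credential_series", 1), None, ("individual_credential_issue", 1), None,
          ("person_identifier", 10), ("organizational_category", 1),
          ("organizational_identifier", 4), ("person_organization_association", 1)]

def _char_bits(value):
    data = [(value >> i) & 1 for i in range(4)]              # LSB first
    return "".join(map(str, data + [(sum(data) + 1) % 2]))   # odd parity bit

def _char_value(bits):
    if bits.count("1") % 2 == 0:
        raise ValueError(f"parity error in character {bits}")
    return sum(int(b) << i for i, b in enumerate(bits[:4]))

def encode_fascn(fields):
    """Build a FASC-N from decimal-string fields (used here to construct test cards)."""
    values = [START_SENTINEL]
    for item in LAYOUT:
        if item is None:
            values.append(FIELD_SEPARATOR)
        else:
            values.extend(int(d) for d in fields[item[0]])
    values.append(END_SENTINEL)
    values.append(reduce(xor, values))        # LRC = XOR of all preceding characters
    return int("".join(_char_bits(v) for v in values), 2).to_bytes(25, "big")

def decode_fascn(raw):
    """Parse 25 bytes into fields, rejecting bad length, parity, sentinels or LRC."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    bits = format(int.from_bytes(raw, "big"), "0200b")
    values = [_char_value(bits[i:i + 5]) for i in range(0, 200, 5)]
    if values[0] != START_SENTINEL or values[-2] != END_SENTINEL:
        raise ValueError("bad sentinel")
    if reduce(xor, values[:-1]) != values[-1]:
        raise ValueError("LRC mismatch")
    body, fields, pos = values[1:-2], {}, 0
    for item in LAYOUT:
        if item is None:
            if body[pos] != FIELD_SEPARATOR:
                raise ValueError(f"missing field separator at character {pos + 1}")
            pos += 1
            continue
        name, width = item
        chunk = body[pos:pos + width]
        if any(v > 9 for v in chunk):
            raise ValueError(f"non-digit in {name}")
        fields[name], pos = "".join(map(str, chunk)), pos + width
    return fields

def card_key(fields):  # agency code + system code + credential number identify one card
    return fields["agency_code"], fields["system_code"], fields["credential_number"]

@dataclass
class AuthoritativeStore:  # central card-status record: single source of truth (constructed)
    status: dict = field(default_factory=dict)
    def issue(self, fields): self.status[card_key(fields)] = "active"
    def revoke(self, fields): self.status[card_key(fields)] = "revoked"

@dataclass
class RegionalPACS:  # one site's PACS: holds a replica of the central list, decides access
    store: AuthoritativeStore
    replica: dict = field(default_factory=dict)
    def sync(self):                              # pull replicated card-status changes
        self.replica = dict(self.store.status)
    def decide(self, raw):
        try:
            fields = decode_fascn(raw)
        except ValueError as exc:
            return False, f"unreadable credential: {exc}"
        state = self.replica.get(card_key(fields))
        if state is None:
            return False, "unknown credential"   # fail closed: absence is not approval
        return state == "active", state

def demo():
    """Cross-agency grant, then a central revocation reaching each site as it syncs."""
    store = AuthoritativeStore()
    card = dict(agency_code="0012", system_code="0001", credential_number="000123",
                credential_series="1", individual_credential_issue="1",
                person_identifier="1234567890", organizational_category="1",
                organizational_identifier="0012", person_organization_association="1")
    store.issue(card)
    raw = encode_fascn(card)
    home, other = RegionalPACS(store), RegionalPACS(store)   # two agencies' sites
    home.sync(); other.sync()
    before = (home.decide(raw)[0], other.decide(raw)[0])    # both grant: cross-agency use
    store.revoke(card)
    home.sync()                                              # other site not yet synced
    after = (home.decide(raw)[0], other.decide(raw)[0])     # stale replica still grants
    other.sync()
    return before, after, other.decide(raw)[0]
```

`demo()` shows both halves of the point: the same card is accepted at a site of another agency because every site consults the same list, and a revocation entered once centrally is refused everywhere once the replica has been pulled. The intermediate state, where `other` still grants because it has not yet synchronized, is exactly the gap the stove-piped systems left open; how quickly replication closes it is an operational parameter the article does not state. Denying a card that is absent from the list is this example’s own choice, not something the article specifies.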
“For CRI, there were many challenges of a system of this magnitude, one of which was to simplify the logistics, and that’s where the company’s expertise continued to come into play,” Schneider said. “On a program level there were several. Starting with 180-plus disparate ‘stove-piped’ systems, and 40-plus different PACS, to the issue that there was no authoritative database for PACS, which left no means to replicate card status changes to all PACS. Further, no one PACS was centrally hosted with a true disaster recovery solution. There was a myriad of license and maintenance issues with these many systems that were costly and labor intensive to ensure all updating was completed in a timely and efficient manner. Finally, there were no system compliance documents such as business cases, certification and accreditations, which means all previous efforts had not adhered to the requirements for capital investments, which in this case mandated that all system development must follow USDA guidelines relating to selection, management and evaluation. We first had to ensure USDA Capital Planning and Investment Control (CPIC) and System Development Life Cycle (SDLC) phases were fully met.”
In addition to the program goal of an open-architected, enterprise-standard PACS, the system included head-end central hosting in a USDA Enterprise Data Center, a disaster recovery solution with fail-over hosting, and enterprise-based license fees.
“The equipment installed for the enterprise system comprised two environments, for production and for disaster recovery/redundancy purposes,” according to Todd Johnson, director, Integrated Security Solutions, CRI. “Both of the environments have complete master and regional servers to manage the physical access control portion of ePACS, as well as the capability to manage the authoritative data provided by the GSA MSO to electronically authenticate credentials for access to USDA facilities.”
Additionally, a Web-based server manages the application that validates the HSPD-12 credential at facilities or locations that do not have a PACS installed. “To provide complete HSPD-12 validation capabilities for facilities without PACS, an additional regional server was installed to provide the authoritative data from GSA,” said Michael Gilliland, director, Technology Solutions, CRI.
CRI made the move to encompass physical access control security in addition to its IT and communications solutions, and found success through its expertise and knowing what the customer wants: a turnkey system they can grow with and rely on across the enterprise.
Lenel Systems International—OnGuard software, www.lenel.com
Micro Design International (MDI)—Network storage management solutions, www.mdi.com
HID—Card readers, www.hidglobal.com
NEC—Server equipment, www.nec.com.au/
*According to CRI, any product on the GSA approved list would be applicable for the project (see www.gsaadvantage.gov).