Stamp of Approval

CRI, McLean, Va., is a different kind of systems integrator, one that’s becoming increasingly commonplace in the security landscape. The company’s grounded on the IT and logical side of the business, but their experience in satisfying even the most complex integration and convergence projects found them migrating naturally to the physical security space. 
CRI was approached by an existing customer, United States Department of Agriculture (USDA), Office of Security Services (OSS), soon after they had completed a broad program review and market survey in search of new access control solutions to meet government compliance and regulations.  USDA is a large organization comprised of 29 different agencies and offices, 25,000 facilities nationwide, and more than 98,000 federal employees.

USDA OSS is responsible for providing security policies for the entire Department. Along with the promulgation of policy, OSS provides direction and coordination for physical security initiatives across the many USDA agencies and offices. OSS must meet all requirements of Homeland Security Presidential Directives such as HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection; HSPD–9, Defense of United States Agriculture and Food; HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors; and HSPD–20, National Continuity Policy.

Compliant ePACS
CRI had built a small-scale IT enterprise system for one of the larger agencies within USDA. This earlier effort had some of the same attributes USDA was seeking to support their Homeland Security Presidential Directive 12 (HSPD-12) Program including compliant enterprise Physical Access Control System (ePACS) to centrally manage all PACS within USDA saving millions of dollars by eliminating redundant costs and providing one standard for this security countermeasure.  

“We were working with one office on related efforts within the security field and providing full IT system development services for another USDA agency that they were familiar with,” said Eric Schneider, vice president and chief operating officer at CRI. “On the hardware side we have been upgrading many of their physical access control systems to provide support for agency-issued smart cards. During this transition we were asked to migrate many site-specific solutions to enterprise-wide solutions. To support this requirement, USDA and other agencies such as Health and Human Services asked us to assist them in installing a more secure centrally located Physical Access Control System (PACS) that provides a higher return on investment,” he said. 

As a trusted provider to the federal government, CRI provides consultative services for its customers as they relate to numerous security related federal guidelines and policies, according to Victoria Johnson, president and chief executive officer. Johnson said CRI has been involved in working groups and interagency committees since the inception of HSPD-12.
“The project itself directly correlates to CRI’s ability to provide services related to executive orders and federal guidelines as well as our core capability in providing design, installation and operation services for physical access control systems,” Johnson added.

For years the Physical Security Division (PSD) in the OSS attempted to manage, control and write one standard for PACS throughout the USDA. However, due to the many disparate systems in the USDA and the lack of funding, this could never be accomplished, according to Richard Holman, Chief, USDA’s Physical Security Division.

“Since the inception of HSPD-12 and its mandate to rapidly authenticate an Identification Card (USDA ID card called LincPass–named after Abraham Lincoln who founded the USDA) electronically; and issue to only providers whose reliability has been established by an official accreditation process, PSD was now given the authority to accomplish this long time security goal,” said Holman. “With CRI’s expertise and willingness to transfer their corporate knowledge, the USDA has developed an enterprise system that will abide by two of the tenants of HSPD-12, which ultimately increase security in our facilities and save thousands of dollars in redundant costs spent each year.”

Under HSPD-12, USDA had to implement the use of a government wide identity credential that is compliant with Federal Information Processing Standard 201 (FIPS 201) for all federal employees and contractors gaining access to USDA-controlled facilities. This HSPD-12 requirement necessitated change to USDA’s existing architecture for physical access control systems (PACS) throughout the Department.  The main goal was to phase in the centralized compliant access control system, ePACS, while at the same time leveraging existing systems to save money and manpower. PSD can centrally manage and control, through newly written policies and implemented systems, all PACS that are installed or are to be installed in the USDA’s thousands of facilities. 

The newly designed and deployed system is capable of the following:

• The ability for an employee or contractor from any USDA agency to use their personal identification verification (PIV) card to access any other given agency’s facility within the USDA,
• Reduced hardware and administration costs by providing the ability to install PACS systems in facilities nationwide without the cost of a head-end server for each facility along with the cost and time to conduct certification and accreditation for each system. ePACS will consolidate all costs and efforts under one system,
• Greater security through auditing and reporting for all PACS systems across the USDA nationwide,
• Higher level of security through automatically updated revocation lists of terminated users and deprovisioning ID cards that will be filtered throughout all PACS in the USDA,
• Leverage existing PACS components until they reach the end of their lifecycle or until the OMB set date of October 27, 2011, when all PACS will be FIPS 201-1 compliant.

“For CRI, there were many challenges of a system of this magnitude, one of which was simplify the logistics, and that’s where the company’s expertise continued to come into play,” Schneider said. “On a program level there were several. Starting with 180 plus disparate ‘stove-piped’ systems, and 40 plus different PACS, to the issue there was no authoritative database for PACS which left no means to replicate card status changes to all PACS.  Further, no one PACS was centrally hosted with a true disasterrecovery solution. There was a myriad of license and maintenance issues with these many systems that were costly and labor intensive to ensure all updating was completed in a timely and efficient manner. Finally, there were no system compliance documents such as business cases, certification and accreditations, which means all previous efforts had not adhered to the requirements for capital investments which in this case mandated that all system development must follow USDA guidelines relating to selection, management and evaluation. We first had to ensure USDA Capital Planning and Investment Control (CPIC) and System Development Life Cycle (SDLC) phases were fully met.”

In addition to the program goals of an open architected PACS enterprise standard, the system included head-end central hosting in a USDA Enterprise Data Center; disaster recovery solution with fail-over hosting; and enterprise-based license fees.

“The equipment installed for the enterprise system was comprised of two environments for production and disaster recovery/redundancy purposes,” according to Todd Johnson, director, Integrated Security Solutions, CRI. “Both of the environments have complete master and regional servers to manage the physical access control portion of ePACS, as well as the capability to manage the authoritative data provided by the GSA MSO to electronically authenticate credentials for access to USDA facilities.”

Additionally, a Web-based server manages the application to validate the HSPD-12 credential at facilities or locations that do not have PACS installed. “To provide complete HSPD-12 validation capabilities for facilities without PACS, an additional regional server was installed to provide the authoritative data from GSA,” said Michael Gilliland, director, Technology Solutions, CRI.

CRI made the move to encompass physical access control security in addition to it’s superb IT and communications solutions and found success through its expertise and knowing what the customer wants—a turnkey system they can grow with and rely on across the enterprise.


Key Suppliers
Lenel Systems International—OnGuard software,
Micro Design International (MDI)—Network storage management solutions,
HID—Card readers,
NEC—Server equipment,
*According to CRI, any product on the GSA approved list would be applicable for the project–see (