Established under the National Cancer Institute Act of 1937, the National Cancer Institute (NCI) is the federal government’s principal agency for cancer research and training. It coordinates the National Cancer Program, which conducts and supports research, training, health information dissemination, and other programs with respect to the cause, diagnosis, prevention, and treatment of cancer, rehabilitation from cancer, and the continuing care of cancer patients and the families of cancer patients. Part of the National Institutes of Health (NIH), NCI is one of 11 agencies that compose the Department of Health and Human Services (HHS).
Accustomed to maintaining distinct campus locations and operations, NCI had few organization-wide security or operational protocols in place across its five National Capital Region campuses and numerous off-campus facilities, housing 9,200 total employees. It also lacked a common credential to identify employees and contracted personnel entering its sites. Given the sensitive nature of NCI’s work, this security weakness could have devastating consequences. For example, after the earthquake in August of 2001, NCI senior staff realized it did not have a viable way to quickly ascertain the whereabouts of staff and account for damage at local facilities. It became quickly evident that creating an off NIH campus command center using a PSIM to both aggregate data from various systems and disseminate emergency data to staff was a critical need.
While this had been business as usual for years, increasingly sophisticated (and typically incompatible) security technologies and rising U.S. security threat levels rapidly were changing the way NCI did business, making it even more difficult—and increasingly important—for the organization to ensure standard practices and protocols at all of its many locations. With the impending move to one centralized location, the NCI security team began devising plans to eliminate these existing security weaknesses. NCI faced a number of key challenges including:
- No single identification credential -- NCI needed a system that would enable them to embrace FIPS 201-2 for the use of one credential for physical access at all facilities.
- Disparate technologies and protocols—no two NCI buildings were alike when it came to the myriad security devices and systems in place. Each location had its own security staff and set of standard operating procedures. For instance, although two campuses might each operate video surveillance and motion detection systems, the providers of those systems were independently selected by the local security staff at each site, and could therefore only be operated by personnel trained on those specific solutions. This hindered cross-location visibility, and made it impossible for a single command center to effectively operate all NCI security technologies.
- No standardized metrics— lacking a consistent way to measure security successes and failures across buildings, NCI was finding it increasingly challenging to identify and address problem areas and gaps in security.
- High personnel turnover rate—facing steady turnover of its security and operations personnel, NCI regularly needs to train new employees on its security systems, a timely and costly endeavor with low ROI.
- Off-campus personnel— often times, off NIH campus facilities lacked adequate security related information. In some instances, remote personnel received emergency notifications from the NIH mass notification system, making it next to impossible to cohesively aggregate a response from local buildings. In order to address these challenges, NCI sought to establish a single, unified command location that could act as a control center with visibility across all of its sites and personnel while also providing a direct link to and standardized identification protocol for staff members working outside of regular campuses in lab tech and administrative capacities.