Ask a market analyst to estimate the size of the integration opportunity presented by Homeland Security Presidential Directive 12 and you can hear a hint of "You've got to be kidding" behind the non-answer. And you will get a non-answer, because no one knows how massive the job of integrating physical and logical access security across federal agencies will be. But they say it will be huge.
"Let's put it this way," said Alan Webber, senior analyst at Forrester Research. "The only thing in the next 10 years besides this integration that might have a bigger dollar value is probably the enterprise resource planning systems that [agencies] are putting in place."
HSPD-12 poses such significant opportunities for integrators because it poses such significant challenges for agencies. And many of the incumbents the companies that build physical access control systems to protect government facilities are facing a brand-new reality.
"A lot of the physical access community hasn't woken up to what HSPD-12 means and how obsolete a lot of their stuff is going to be," said Jeremy Grant, vice president for enterprise solutions at Reston, Va., integrator Maximus Inc.
But they're about to.
ONE GIANT STEP
Webber and others agree that overhauling physical security, the quintessential stovepipe system, will be the first major step in building HSPD-12-compliant systems. Expanding security controls to enable them to handle access to computer resources as well as physical security will be a future integration project.
Not surprisingly, much of the focus both in and out of government is on how HSPD-12 affects whats already installed. Last November, the Physical Access Interagency Interoperability Working Group revised a document called Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems. And earlier in the fall, industry trade group the Smart Card Alliance put out its own guidance: An Overview of the Impact of FIPS 201 on Federal Physical Access Control Systems. (Federal Information Processing Standard 201, published by the National Institute of Standards and Technology, describes the specifications that HSPD-12 systems must meet.)
The physical access security industry has been anxious to see FIPS 201 implemented, said Randy Vanderhoof, executive director of the Smart Card Alliance. Every government agency has some type of physical access system in place now, so it's going to require a lot of change.
Perhaps the most basic challenge is that physical access control systems usually have been islands unto themselves. PACS vendors usually have built proprietary systems that lock customers into their products and services. Access control cards from one vendor typically work only with that companys readers, which typically work only with the same companys control panels.
The practice is becoming increasingly irksome to users. Mike Butler, chief of smart-card programs in the Defense Departments Common Access Card Office, described a panel discussion with PACS vendors at a recent conference. During the question-and-answer period, attendees asked when the companies would open up their products to let them communicate with other systems.
The vendors response, Butler said: Not for the next 10 years if they can help it, because that maintains their proprietary lock on the programs.
Moving to IP systems and FIPS 201 will change that.
But not all security systems are closed, and most modern PACS support IP connections.
One systems integrator cited Amag Technology Inc. of Torrance, Calif., and Lenel Systems International Inc. of Rochester, N.Y., as PACS vendors that sell highly customizable systems. Amag helped the Interior Department build its first integrated smart-card security system. Lenel has done smart-card work with several agencies, including NASA.