Access Control: Fulfilling FICAM

July 14, 2016
Six challenges to deploying a government PACS solution, and how to overcome them

When the federal government decides to use a common technology across the entire enterprise, it is an important event. It means that every department and agency will have to update and/or replace systems, so industry pays particular attention. Such has been the case with FICAM — the Federal Identity, Credential, and Access Management standards, which are meant to provide a common set of standards, best practices, and implementation guidance for federal agencies.

With what seems like a constant change to the requirements, understanding the challenges around deploying a FICAM PACS solution provides an opportunity for security integrators to strengthen their trusted advisor role in providing support to security managers and customers within the federal government.

The Steps to FICAM Development

In August of 2004, President George W. Bush signed Homeland Security Presidential Directive (HSPD) 12. This outlined objectives for a new standard — including streamlining (cost-saving) government processes, increased protection of personal privacy and additional measures to prevent unauthorized access to government resources and facilities. The National Institute for Standards and Technology (NIST) is the regulating body responsible for creating government standards.

NIST created Federal Information Processing Standard (FIPS) publication 201, also known as FIPS 201, as a federal standard in response to HSPD-12. FIPS 201, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” is broken into two parts: the first defines requirements of a role-based identity verification and card issuance system; the second defines the card technology and application of the credential — called a PIV card — for interoperable use throughout the government.

In the latest guidance to Executive Branch Federal Agencies, the FICAM Roadmap and Implementation Guide requires a more robust solution to providing identity validation and standardizing controls around identity and access management. In addition, helping agencies meet current gaps, agencies stand to gain significant benefits around security, cost and interoperability.

Six Common FICAM Challenges

1. Keeping Informed: Perhaps the biggest challenge in serving the federal government market is keeping up with new regulations and requirements. NIST, as well as the General Services Administration (GSA) and Office of Management and Budget (OMB), all publish guidance documentation that can be hundreds of pages in length. Organizations may not have the bandwidth or skill sets to have all of their staff up-to-date and therefore rely on designating Subject Matter Experts (SME) to provide this level of expertise. In addition, just understanding all the acronyms alone can act as a completely new language for newcomers to learn.

Thankfully, industry partners exist to offer help. The Smart Card Alliance (SCA) offers a three-day, GSA approved, Certified Systems Engineer ICAM PACS (CSEIP) training and certification program. This training provides system engineers with the necessary training to demonstrate their ability to efficiently and effectively implement PKI and federal ICAM architectures for E-PACS and meet all federal requirements.

This level of certification is required for integrators looking to bid on any GSA facility implementing a FICAM solution. GSA requires that all billable work performed on such systems be done using certified system engineers.

2. The Procurement Process: Another common challenge is that not all system owners are fully educated on the complete requirements of designing, procuring, and implementing a compliant FICAM solution. They may know certain buzzwords, but lack the understanding to fully implement.

This makes it difficult from an industry perspective to respond to request for proposals (RFP) in which the language of the requirements may be incomplete due to lack of understanding. When a Contract Officer (CO) is preparing to award a contract, the CO must consult OMB Memorandum M-11-11, which requires the agencies align with the architecture and guidance provided in the FICAM Roadmap and Implementation Guidance document. If the RFP was poorly executed, it creates obstacles to award, as the CO is required to show a FICAM approval certification. On occasion, the contract must be cancelled and the RFP process has to restart. Not only is this frustrating to the security integrators, it is costly and delays project schedules for the customer.

3. Defining the Scope of the solution: Recognizing the possible high costs of implementing security controls is a critical aspect in terms of installation, operation and maintenance and personnel costs. For example, solutions designed to perform high levels of identity assurance for each use of the credential will not only require the basic levels of infrastructure in place, but will require biometric authentication at PACS registration and at doors into exclusionary areas — and in some cases, dual or multi-biometric solutions. The equipment costs are high, the O&M costs are equally high, and the time to get through a portal will be slower, thus making productivity costs much higher as well.

Therefore, it is recommended that a facility security level evaluation (FSL) be performed with these costs and encumbrances in mind. In addition to the FSL, a risk assessment of the facility will appropriately address the areas that require one-, two-, or three-factor authentication. To make best use of limited budgets, the minimum level of functionality should be defined for the portals between areas of differing levels of security — such as limited, controlled and exclusion. Additional nested areas at the same security level may not require the same level of identity assurance, which is called security in depth. Special Publication 800-116 provides guidance around determining these security levels.

4. Physical vs. IT Security: Some traditional security integrators have struggled with the convergence of security and IT. This challenge only increases with the implementation of a FICAM solution. By the inherent nature of validation of the PIV credential, one must validate the real-time status of the PKI authentication. This happens not only at enrollment, but also periodically through a status check using an Online Certificate Status Protocol (OCSP). This requires the integrator to work with IT in defining the proper path and necessary firewall ports to be opened.

Often, the existing PACS infrastructure was an offline or “air gapped” network environment. Exposing the PACS network creates a whole set of challenges and security risks that must be mitigated prior to going onto the network. This can take security administrators and integrators by surprise, cause significant project delays, and add cost if not carefully planned for upfront.

5. Choosing a Technology Vendor: With multiple listed solutions on the GSA approved products list, determining the best solution can often be daunting. In selecting the right solution, one must consider several factors, such as: what architecture is best supported for the environment; cost; installation; effort; training required; what level of support is available from the manufacturer; is it a commonly installed solution; etc.

Certainly, you want to deploy a trusted/tested solution, which has a proven support channel to help eliminate risk. One way to evaluate such products is to schedule a visit to the GSA certification lab, hosted at Certipath’s Reston, Va., office, where you will be able to get a hands-on review of all current certified solutions and explore the technology behind each product. This is available to both integrators and government end-users in an impartial environment.

6. New Buildings vs. Retrofits: In a greenfield installation (new construction), the above challenges are addressed with proper planning and design work upfront to deploy a FICAM solution from the start.

However, with an existing PACS installation, retrofitting the solution to become compliant creates additional challenges to bear. Often, the end-user wants to preserve as much existing infrastructure as possible. In many instances, the PACS equipment at the head-end — software and controllers — are not capable of supporting the longer card number and digital certificate validation and must be replaced with newer technology components. Additionally, the readers at the door need to be replaced to meet the authentication requirements of the security assessment performed to meet compliance.

This process can create quite a disturbance of your security environment. Proper planning, involving all the right stakeholders and developing a concise installation plan are all crucial to avoid downtime of system operations.

Overcome the Challenges

More than ever it is becoming clear that working with the right security experts is valuable to your program success. Finding partners that have a working understanding of the ever-changing requirements is critical. Assembling a team of consultants, industry manufacturers and integrators to deploy an end-to-end FICAM solution is no longer about finding the cheapest solution, but instead, the goal should be focusing on the best value to mitigate risk, cost and schedule.

What defines success? It is a combination of industry providing a more simplified product, integrators deploying the best solution, and the customer defining the right requirements. This is an obtainable goal, one that is getting more and more defined as experience is gained in the government security market.

As the demand for these solutions increase, technology will also increase — providing more secure, cost-effective security solutions. Make sure you are ready.

Derek Greenland, CSEIP, CSPM, is Application Engineer, Government Systems, for AMAG Technology. Request more info about the company at