How Integrators Can Win Government Access Control Business

March 9, 2023
How integrators can leverage the upcoming TWIC compliance deadline, as well as PIV and CAC programs, to find success in the government and critical infrastructure markets

This article originally appeared in the March 2023 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.

Sept. 11, 2001, forever changed the U.S. government’s posture toward security. For integrators working in the physical access control space, those attacks exposed the wide variations in the quality and security of identification used to gain access to secure facilities.

Almost exactly three years later, Homeland Security Presidential Directive-12 (HSPD-12) established “a mandatory, government-wide standard for secure and reliable forms of identification” to put standardized and secure approaches to federal employee identity verification in motion.

After a few years of research, the National Standards of Institute and Technology (NIST) settled on the development and use of a smart card to manage the identities of both civilian and Department of Defense (DoD) employees. In March 2006, NIST published the first version of Federal Information Processing Standard (FIPS) 201-1, which they titled “Personal Identity Verification (PIV) of Federal Employees and Contractors.” This standard was intended to specify both the architecture and technical requirements necessary for the creation and use of PIV and PIV-I cards used by civilian agencies and government contractors.

Thus, the DoD began to transition to a more secure and scalable card built on the FIPS 201-1 standard. In April 2009, the Transportation Workers Identification Credential (TWIC), which uses the FIPS 201 standard for its underlying security, was fully implemented.

In 2008, a forum of Federal Chief Information Officers (CIOs) established both an Information Security and Identity Management Committee (ISIMC), as well as a Federal Identity, Credential and Access Management (ICAM or FICAM) subcommittee, in order to improve secure IT practices across U.S. Government agencies. Since the creation of FICAM, both civilian agencies and DoD installations have been instructed to transition their legacy physical access control systems (PACS) to FICAM-compliant systems to improve standards and tighten security. 

More than two decades of development later, access control management solutions built on these standards represent some of the most reliable and secure systems available. Today’s Common Access Card (CAC), PIV, and TWIC credentials are used to authenticate the identity of individuals presenting themselves to gain access to a government or high-risk private facility, either through an automated access control system or as a visitor, providing a secure method for individuals to access high-risk facilities and log onto computers.

For security integrators and manufacturers targeting the government access control market, these changes represented a paradigm shift in how to service these customers.

What Does This Mean for Integrators?

Looking back, by developing and embracing access control and identity management solutions built on FIPS 201, many U.S. government and civilian agencies have taken important steps toward protecting high-risk facilities, sensitive information, and employee/visitor identities. Looking forward, integrators still have a significant opportunity to meet customer demand for TWIC-compliant and FICAM-certified access control system deployments.

While the U.S. government has spent the last two decades creating this open standard, the security industry has followed their lead by developing PACS infrastructure for both physical and logical access control that complies with this standard.

The adoption and deployment of this infrastructure is ongoing. Nearly all U.S. government and DoD facilities have issued PIV and CACs to their employees and military personnel, for example; however, it is estimated that fewer than 20 percent of the government’s legacy PACS have been made fully FICAM compliant. As it stands, multiple commercial facility operators still need to comply with the Federal Maritime Transportation Security Act of 2002 (MTSA).

With that in mind, integrators who want to earn business in the government access control market should look to fold TWIC, CAC, and PIV cards into their product offerings. Here are a handful of ways to accomplish that:  

1. Leverage the Upcoming TWIC Compliance Deadline

If an integrator is not already working for one or more branches of the federal government, such as the U.S. Armed Forces, finding customers who need TWIC compliance is the best place to start. The importance of TWIC compliance is also coupled with the growing prominence of Chemical Facility Anti-Terrorism Standards (CFATS), so the business opportunity in this area is extensive.

Compared to CAC and PIV systems, the specialized skills and certifications required to resell, install, and manage TWIC-based systems are more accessible. Considering the current deadline for TWIC compliance is May 8, 2023, it is likely that many integrators already have customers in their portfolios who need to upgrade their PACS for TWIC compliance.

Fines incurred as a result of non-compliance are significant; however, for customers who cannot become TWIC compliant using fixed readers in time for the deadline, there is a quick and easy solution. Handheld TWIC readers not only meet TWIC compliance requirements enforced by the Coast Guard, they can also be used immediately after delivery.

Looking forward, handheld TWIC readers represent a solution that will continue to be useful for disaster recovery planning, as well as day-to-day operational challenges outside the standard operating procedures.

For potential customers, explain that on an individual level, registering for a TWIC card is relatively simple. After an individual submits their details online, participates in an in-person interview, enrolls their biometric information, and has their criminal history background checks and identity verification completed, they will receive a TWIC card delivered directly to them.

On a facility-wide level, customers can upgrade existing PACS by integrating TWIC-compliant validation and registration systems and readers that support card and biometrics for entry to the TWIC secured areas. For some customers, achieving TWIC compliance is as simple as upgrading their system software, enabling customers to continue using existing cards and readers for entry into TWIC-secured areas.

2. Get Certified to Resell FICAM Access Control

In the federal government space, reselling FICAM-certified solutions will require the integrator to complete a PACS managed training and certification program. Once completed and certified, integrators are then permitted to resell FICAM-certified systems to these customers.

For integrators who don’t already have customers in this space, start by registering on www.sam.gov  and save a query on any contracting opportunities that note “FICAM” to get email alerts when FICAM projects are listed.

3. Develop Local Relationships for Armed Forces CAC Business

Compared to TWIC and PIV cards, finding CAC opportunities with U.S. Armed Forces facilities is perhaps the most challenging.

Even through every individual member of the U.S. Armed Forces already has a CAC, the use of these credentials for physical access control differs greatly from branch to branch. Many small, CAC-based access control decisions are made locally and may never get bid on www.sam.gov, so focused and hyper-local relationships with base personnel are often needed to be effective.

4. Become CSEIP Certified

If integrators plan to incorporate Federal government PIV projects as a major part of their business, becoming CSEIP certified is essential to ongoing success.

The Certified System Engineer ICAM PACS (CSEIP) training and certification program is an extensive and in-depth GSA-approved training program for E-PACS engineers employed by commercial organizations looking to bid on GSA procurement agreements for access control systems.

According to the GSA, CSEIP is meant “to ensure that procurements of approved E-PACS for GSA managed facilities are installed properly.” Not all federal government projects follow this exact requirement, but most Federal government personnel at PACS are CSEIP certified.

5. Target Non-Government Critical Infrastructure Business

Many high-profile, non-government critical infrastructure enterprises would benefit greatly by updating their physical and logical solutions using an open source, PKI-based smart card for identity management. Here’s a look at the top sectors for this sort of upgrade:

Defense industrial base sector: This consists of more than 100,000 contractors and subcontractors who perform under contract to the DoD. The Cybersecurity Maturity Model Certification (CMMC) program requires many of these defense contractors to improve their cybersecurity programs. By deploying a FIPS-compliant smart card to access computers, these defense contractors can also improve their physical access programs. Editor’s Note: Read more about CMMC at www.securityinfowatch.com/21264185.

Energy sector: The energy sector is divided into three interrelated segments – electricity, oil, and natural gas. Both the defense and energy sectors sponsor Federally Funded Research and Development Centers (FFRDC) that typically reside with U.S. universities and colleges. Deploying FIPS-compliant PACS would streamline and secure user access across each of these segments.

Chemical sector: There are hundreds of thousands of chemical facilities in the United States, and high-risk chemical facilities that are required to meet CFATS regulations can piggyback off the TWIC program to screen employees and visitors seeking access to restricted areas, improving their physical access and standardizing their identity management.

David Smith is CEO of Identity One, an Atlanta-based provider of face biometrics, mobile validation, temporary PIV card issuance and derived credentials for CAC, PIV and TWIC. Request more info about the company at www.securityinfowatch.com/21204724.