Skip to main content

Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control

GAO-19-138 Published: Dec 20, 2018. Publicly Released: Dec 20, 2018.
Jump To:

Fast Facts

Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control

Efforts are underway to improve security with a government-wide approach to regulate access to controlled areas in federal buildings. Access control systems use ID cards, card readers, and other technologies to confirm identities and access rights.

The Office of Management and Budget and the General Services Administration have helped agencies move toward an interoperable system. However, OMB lacks information on agency progress and this hampers its oversight.

Agencies reported high costs and difficulty adding new equipment to existing systems.

Among other things, we recommended that OMB determine and monitor agencies' progress.

Example of Components of a Physical Access Control System

This graphic shows an ID card, validation system, and physical access control turnstile.

This graphic shows an ID card, validation system, and physical access control turnstile.

Skip to Highlights

Highlights

What GAO Found

The Office of Management and Budget (OMB) and the General Services Administration (GSA) have taken steps to help agencies procure and implement secure, interoperable, GSA-approved “physical access control systems” (PACS) for federal buildings. PACS are systems for managing access to controlled areas within buildings. PACS include identification cards, card readers, and other technology that electronically confirm employees' and contractors' identities and validate their access to facilities (see figure). Steps taken include the following:

  • OMB issued several memos to clarify agencies' responsibilities. For example, OMB issued a 2011 memo citing Department of Homeland Security (DHS) guidance that agencies must upgrade existing PACS to use identity credentials before using relevant funds for other activities. But, GAO found OMB's oversight efforts are hampered because it lacks baseline data on agencies' implementation of PACS. Without such data, OMB cannot meet its responsibility to ensure agencies adhere to PACS requirements or track progress in implementing federal PACS requirements and achieving the vision of secure, interoperable systems across agencies.
  • GSA developed an Approved Products List that identifies products that meet federal requirements through a testing and evaluation program. Federal agencies are required to use the Approved Products List to procure PACS equipment. GSA also has provided procurement guidance to agencies through its identity management website.

Example of Components of a Physical Access Control System (PACS)

Example of Components of a Physical Access Control System (PACS)

Officials from the five selected agencies that GAO reviewed identified a number of challenges relating to PACS implementation including cost, lack of clarity on how to procure equipment, and difficulty adding new PACS equipment to legacy systems. Officials from OMB, GSA, and industry not only confirmed that these challenges exist but also told GAO that they were most likely present across the federal government. The Interagency Security Committee (ISC), chaired by the DHS and consisting of 60 federal departments and agencies, has a mission to develop security standards for non-military agencies. In this capacity the ISC is well-positioned to determine the extent that PACS implementation challenges exist across its membership and to develop strategies to address them. An ISC official told GAO that the ISC has taken steps to do so including setting up a working group to assess what additional PACS guidance would be beneficial.

Why GAO Did This Study

A 2004 federal directive and the related standard set forth a vision for using information technology to verify the identity of individuals accessing federal buildings. The vision calls for secure and reliable forms of identification that work in conjunction with access control systems. Interoperability of these systems across departments and agencies is part of the vision. OMB and GSA have government-wide responsibilities related to this effort. ISC provides guidance to non-military executive branch agencies on physical security issues. GAO was asked to examine PACS implementation efforts.

This report discusses (1) steps OMB and GSA have taken to fulfill their government-wide responsibilities related to PACS and (2) challenges selected federal agencies face in meeting current requirements. For review, GAO analyzed documents from Commerce, GSA, ISC, and OMB. GAO selected five non-military agencies based on factors including number of buildings and geographic location. GAO reviewed relevant requirements and key practices. GAO also interviewed federal agency officials, PACS vendors, and knowledgeable industry officials.

Recommendations

GAO recommends (1) that OMB determine and regularly monitor a baseline level of progress on PACS implementation and (2) that ISC assess the extent of, and develop strategies to address, government-wide challenges to implementing PACS. OMB had no comment on the recommendation. DHS concurred with the recommendation to ISC.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB should determine a government-wide baseline level of progress in meeting physical access control system requirements, including implementation of GSA-approved systems, and should monitor progress in meeting these requirements. (Recommendation 1)
Open
As of June 2024, GAO was awaiting information from OMB on the status of this recommendation.
Department of Homeland Security The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)
Closed – Implemented
In December 2018, we reviewed five selected agencies and identified a number of challenges relating to physical access control system (PACS) implementation including cost, lack of clarity on how to procure equipment, and difficulty adding new PACS equipment to legacy systems. Officials from OMB, GSA and various agencies indicated that they were aware of some of these challenges as well as the possibly that some may be more broadly present across the federal government. The Interagency Security Committee (ISC), chaired by the DHS and consisting of 60 federal departments and agencies, has a mission to develop security standards, best practices, and guidelines for nonmilitary federal facilities in the United States. In this capacity the ISC is well-positioned to determine the extent that PACS implementation challenges exist across its membership and to develop strategies to address them. Therefore, we recommended that the ISC assess the extent of, and develop strategies to address, government-wide challenges to implementing PACS. In 2020, the ISC developed a document titled Facility Access Control: An Interagency Security Committee Best Practice, which provides guidance to federal executive branch departments and agencies regarding access control requirements and options for individuals entering federally occupied space. This document is a strategy designed to address government-wide challenges to facility access control. This guidance will help enhance adherence to physical access control system requirements and achieve the vision of secure, interoperable facility access control systems across departments and agencies.

Full Report

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Access controlBest practicesFacility securityFederal buildingsHomeland securityInformation systemsPersonal identity verificationPhysical securityFederal agenciesCompliance oversight