Security Dealer & Integrator

JUL 2016

Find news and information for the executive corporate security director, CSO, facility manager and assets protection manager on issues of policy, products, incidents, risk management, threat assessments and preparedness.

Issue link: http://sdi.epubxp.com/i/703941


66 Security Dealer & Integrator / www.SecurityInfoWatch.com July 2016

Just understanding all the acronyms can be like learning a completely new language for newcomers. Thankfully, industry partners exist to offer help. The Smart Card Alliance (SCA) offers a three-day, GSA-approved, Certified Systems Engineer ICAM PACS (CSEIP) training and certification program, which provides system engineers with the necessary training to demonstrate their ability to efficiently and effectively implement PKI and federal ICAM architectures for E-PACS and meet all federal requirements. This level of certification is required for integrators looking to bid on any GSA facility implementing a FICAM solution. GSA requires that all billable work performed on such systems be done using certified system engineers.

2. The Procurement Process: Another common challenge is that not all system owners are fully educated on the complete requirements of designing, procuring, and implementing a compliant FICAM solution. They may know certain buzzwords, but lack the understanding to fully implement. This makes it difficult from an industry perspective to respond to RFPs in which the language of the requirements may be incomplete due to lack of understanding. When a Contract Officer (CO) is preparing to award a contract, that person must consult OMB Memorandum M-11-11, which requires the agencies align with the architecture and guidance provided in the FICAM Roadmap and Implementation Guide. If the RFP is poorly executed, it creates obstacles to award, as the CO is required to show a FICAM approval certification. On occasion, the contract must be cancelled and the RFP process restarted. This is frustrating to integrators, while being costly and delaying project schedules for end-users.

3. Defining the Scope of the solution: Recognizing possible high costs of implementing security controls is a critical aspect in terms of installation, operation, maintenance and personnel costs. For example, solutions designed to perform high levels of identity assurance for each use of the credential will not only require basic levels of infrastructure, but also will require biometric authentication at PACS registration and at doors into exclusionary areas — and in some cases, dual or multi-biometric solutions. The equipment costs are high, the O&M costs are equally high, and the time to get through a portal will be slower, thus making productivity costs higher as well.

It is recommended that a facility security level evaluation (FSL) be performed with these costs and encumbrances in mind. In addition to the FSL, a risk assessment of the facility will appropriately address areas that require one-, two-, or three-factor authentication. To make best use of limited budgets, the minimum level of functionality should be defined for the portals between areas of differing levels of security — such as limited, controlled and exclusion. Additional nested areas at the same security level may not require the same level of identity assurance, which is called security in depth. Special Publication 800-116 provides guidance for determining these security levels.

4. Physical vs. IT Security: Some traditional security integrators have struggled with IT security convergence. This challenge only increases with a FICAM solution. By the inherent nature of validation of the PIV credential, one must validate the real-time status of the PKI authentication. This happens not only at enrollment, but also periodically through a status check using an Online Certificate Status Protocol (OCSP). This requires the integrator to work with IT in defining the proper path and necessary firewall ports to be opened. Often, the existing PACS infrastructure was an offline or "air gapped" network environment. Exposing the PACS network creates challenges and security risks that must be mitigated prior to going onto the network. This can take security administrators and integrators by surprise, cause significant project delays, and add cost if not carefully planned for upfront.

5. Choosing a Technology Vendor: With multiple listed solutions on the GSA approved products list, determining the best solution can often be daunting. In selecting the right solution, one must consider several factors, such as: what architecture is best supported for the environment; cost; installation; effort; training required; what level of support is available from the manufacturer; is it a commonly installed solution; etc. Certainly, you want to deploy a trusted and tested solution, which has a proven support channel to help

Access Control

The FICAM Roadmap and Implementation Guide requires a robust solution to providing identity validation and standardizing controls around identity and access management. Photo: Dept. of Defense
