Standing Strong 20 Years On: Industry Pros Reflect on 9/11 & How It Changed Security
SSI commemorates the 20th anniversary of the singular event that changed the course of U.S. history and the electronic security industry. Suppliers, integrators and others examine 9/11’s impacts, from technology advances to challenges with deploying mandated solutions.
(Image: rabbit75_fot/stock.adobe.com)
Curse the Unfunded Mandate
To say the adoption of identity, credentialing and access management (ICAM) products and services, as mandated by the federal government, has been slow is a deeply frustrating understatement for the security industry.
The FIPS 201 standard specifies Personal Identity Verification (PIV) smart credential requirements, with the intent to improve the identification and authentication of federal employees and contractors for access to federal facilities and IT systems. FIPS 201 was developed to satisfy the technical requirements of HSPD-12 and issued in early 2005.
Although FIPS 201, which was replaced by FIPS 201-2 in 2013, is credited for helping advance system interoperability and integration, systems integrators and manufacturers alike express concern despite all these years later very few federal agencies and facilities are actually being secured to the high degree initially envisioned.
Far too many doors at a majority of federal facilities are still being opened essentially with legacy proximity technology, says Mark Allen, general manager, premises, for Identiv, a global provider of physical security and secure identification.
“I am not completely upbeat on the progress we’ve made in the last 10 years because to be truthful even though I think every federal employee and contractor has a PIV card — and some of them are using it to log onto their networks to be more secure — most aren’t using the card for physical security, even though the technology is there. The industry has responded and created technology.”
Those facilities that are deploying the new hardware oftentimes fail to activate the PIV card — which was one of the first security products to be mandated by HSPD-12 — for access control. Instead, readers are taking a serial number off the card, similar to proximity technology, when the intent is to pull a digital certificate off the PIV card in a three-factor, PKI fashion.
The reasons for the sluggish adoption are multiple and include strapped budgets. Typically, a FIPS 201-certified solution can be two to three times the price of a proximity-based system.
“I am completely bullish this is the right thing for federal buildings to really protect them and protect the people who go in them, and solve some of the issues that we saw with 9/11,” say Allen. “But the reality is it’s been a long trip and we’re not there yet.”
A lack of end-user understanding and a dearth of education has long hampered adoption as well, according to Roy Hayes, president of Virginia-based Systems Engineering, noted as one of the first systems integrators to add certified PACS products and services to the GSA program.
The federal government, Hayes says, simply has not done a very good job over the years disseminating information about the various security requirements and mandates. And especially outside of the Beltway.
“If you go out to a facility in Nebraska, they may or may not have ever heard about [a FIPS 201-certified solution]. If their senior leadership didn’t tell them about it, then they’re not going to acquire it.”
Systems Engineering (SEI) demonstrates FIPS 201-compliant products and solutions at its headquarters in Sterling, Va.
The onus of educating federal end users must come from the government itself to further adoption of ICAM products and services, Hayes stresses. Since the channel has an obviously vested interest, the government must get the word out to its individual components about security obligations, “but not only inform these are the requirements but ‘this is why the requirements exist,’” he says.
Likely the most vexing barrier to adoption? FIPS 201 has largely been an unfunded mandate, with little pressure applied to agencies to conform. The situation, however, has gradually improved in the past few years, according to Mike Ruddo, chief strategy officer of Herndon, Va.-based Integrated Security Technologies (IST), one of the first GSA contractors to add the new GSA Special Item Numbers for CSEIP Certification for identity management and PACS products.
“People had to budget for it and it was difficult to budget for it until these FIPS requirements were fully defined, so that integrators like myself could have an intelligent conversation with a government entity and say, ‘Hey, here’s what you’re required to do, and here’s the cost associated with it, go budget for it,” Ruddo says. “So we’re really starting to see a lot of progress in these systems being deployed as was envisioned as funding becomes available.”
It wasn’t until about five years ago when IST deployed its first compliant system, albeit to an “early adopter,” says Ruddo. “Funding can be secured, and the rules are fully defined. It doesn’t happen unless you’ve got an agency that’s really wanting to tackle it and sees the importance of it.”
The creation of HSPD-12 and similar standards initiated a rush into the federal space by manufacturers that saw great opportunity and profits to be made by supplying certified products and solutions. But the painfully slow adoption rate became an expensive grind for some, and over the years several manufacturers have left the federal market altogether.
“It’s a cumbersome process. It’s complex. You need to have people with specialty skills to not only deploy these systems, but to develop them and get them into the lab and get them approved,” says Ruddo who has seen multiple manufacturers exit the federal market in his years-long work in the space.
Despite varied headwinds in the years following 9/11 the industry has continued to develop, under leadership from SIA and other alliances, in a collaborative, innovative direction through the development of technical standards and deployment guidelines.
Educational programs and close working relationships with other stakeholders, from public and private sector associations to members of Congress and Executive Branch agencies, have also been vital, explains Hawkins, whose work at SIA includes overseeing member groups focused on data privacy, drones and robotics and public safety.
“In short,” he adds, “the security industry, during the past 20 years, has reinvented itself to expand its core functions of surveillance, access control and intrusion detection into systems that are able to provide technological defense in depth.”
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
About the Author
Rodney Bosch, Senior Editor
Although Bosch’s name is quite familiar to those in the security industry, his previous experience has been in daily newspaper journalism. Prior to joining SECURITY SALES & INTEGRATION in 2006, he spent 15 years with the Los Angeles Times, where he performed a wide assortment of editorial responsibilities, including feature and metro department assignments as well as content producing for latimes.com. Bosch is a graduate of California State University, Fresno with a degree in Mass Communication & Journalism. In 2007, he successfully completed the National Burglar and Fire Alarm Association’s National Training School coursework to become a Certified Level I Alarm Technician.
Related Content
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.
A FREE subscription to the top resource for security and integration industry will prove to be invaluable.
