From d303f7c5882ceb79db06190ffb220ce630b11938 Mon Sep 17 00:00:00 2001
From: "Nelson R." <125207848+TheInfinityBeyonder@users.noreply.github.com>
Date: Tue, 10 Sep 2024 16:59:59 -0400
Subject: [PATCH 1/3] Update pacs101.md
---
_university/pacs101.md | 231 +++++++++++++++++++++++------------------
1 file changed, 130 insertions(+), 101 deletions(-)
diff --git a/_university/pacs101.md b/_university/pacs101.md
index 0eab623c..afec4bca 100644
--- a/_university/pacs101.md
+++ b/_university/pacs101.md
@@ -32,17 +32,17 @@ subnav:
## Introduction
-The **Physical Access Control System (PACS) 101** will help you understand concepts related to _Federal Identity, Credential, and Access Management_-compliant PACSs. At a high level, a PACS is a collection of technologies that control physical access at one or more federal agency sites by electronically authenticating employees, contractors, and visitors.
+The **Physical Access Control System (PACS) 101** will help you understand Federal Identity, Credential, and Access Management-compliant PACSs concepts. At a high level, a PACS is a collection of technologies that control physical access at one or more federal agency sites by electronically authenticating employees, contractors, and visitors.
{% include alert-no-icon.html content="The contents of these 101 guides are meant to be informative and do not serve as the basis for determining PACS compliance. Agency-specific guidance should supersede the recommendations within these guides, where appropriate." %}
## Acknowledgment
-We want to thank the Secure Technology Alliance, especially the members of the Access Control Council, for contributions to the original PACS Guides which is now the PACS 101 page and permission to reuse content from their presentations and the *How to Plan, Procure and Deploy a pacs-Enabled Physical Access Control System* webinar training.
+We want to thank the Secure Technology Alliance, especially the members of the Access Control Council, for contributions to the original PACS Guides which is now the PACS 101 page, and permission to reuse content from their presentations and the How to Plan, Procure, and Deploy a PIV-Enabled Physical Access Control System webinar training. Links to the training are below in the training section.
## PACS Explained
-A Physical Access Control System (PACS) grants access to employees and contractors who work at or visit a site by electronically authenticating their PIV credentials. Although PACSs are information technology (IT) systems, they must be designed, deployed, and operated in cooperation with Physical Security teams to successfully meet agency mission needs.
+A Physical Access Control System (PACS) grants access to employees, contractors, and visitors who work at or visit a site by electronically authenticating their PIV credentials. Although PACSs are information technology (IT) systems, they must be designed, deployed, and operated in cooperation with Physical Security teams to meet agency mission needs.
## Components
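Review bot: the rewritten Introduction line turns a clear phrase into an awkward noun stack, "Federal Identity, Credential, and Access Management-compliant PACSs concepts"; the original "concepts related to FICAM-compliant PACSs" read better, and the italics on the program name were also dropped. Keep the original wording (or introduce the FICAM acronym here, since later sections use it). In the Acknowledgment line, the added sentence "Links to the training are below in the training section." points at a section this patch does not add; confirm the section exists so the reference does not dangle, and keep the italics on the webinar title so it stays marked as a title like the other titles on the page.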
@@ -50,21 +50,21 @@ The following table defines common PACS components:
| **Component** | **Description** |
|----------------|----------|
-| **Access point** | Entrance point or physical barrier where an employee or contractor interacts with the PACS. Example access points include turnstiles, gates, and locking doors. |
+| **Access point** | Entrance point or physical barrier where an employee or contractor interacts with the PACS. For example access points include turnstiles, gates, and locking doors. |
| **PIV credential** | Federal employees and contractors use [Personal Identity Verification (PIV) credentials]({{site.baseurl}}/fips201ep/#personal-identity-verification-credentials){:target="_blank"}{:rel="noopener noreferrer"} to *physically access* federal facilities and *logically access* federal information systems. |
-| **Credential reader and keypad** | The reader provides power to and reads data from a PIV credential. The reader also sends this data to a control panel to authenticate the PIV credential and request access authorization. Employees and contractors may need to enter a PIN into the keypad and add a biometric, depending on the facility's security classification and risk levels. |
-| **Biometric reader** | Captures biometric data (for example, fingerprint or iris scan) and verifies it against the PIV credential's biometric data. |
-| **Control panel** | Receives the credential data sent by the reader and verifies its presence in the credential holder data repository. It then makes an access decision and transmits authorization data to the access control server and access point. |
+| **Credential reader and keypad** | The reader provides power to and reads data from a PIV credential. It also sends this data to a control panel to authenticate the PIV credential and request access authorization. Depending on the facility's security classification and risk levels, employees and contractors may need to enter a PIN into the keypad and add a biometric. |
+| **Biometric reader** | It captures biometric data (such as the fingerprint, facial image, or iris scan) and verifies it against the PIV credential’s biometric data. |
+| **Control panel** | It receives the credential data the reader sends and verifies its presence in the credential holder data repository. It then makes an access decision and transmits authorization data to the access control server and access point. |
| **Access control server** | Grants authorization to the employee or contractor requesting access (for example, presenting a PIV credential to a reader). It also registers and enrolls employees and contractors, enrolls and validates credentials, and logs system events. |
-| **Credential
holder data repository** | Contains employee and contractor data and physical access privileges. Control panels use this authoritative data to validate credential data. |
-| **Auxiliary Systems** | Agencies may integrate the PACS with additional facility monitoring systems such as surveillance systems, fire alarm systems, and evacuation systems. |
+| **Credential
holder data repository** | It contains employee and contractor data and physical access privileges. Control panels use this authoritative data to validate credential data. |
+| **Auxiliary Systems** | Agencies may integrate the PACS with additional facility monitoring systems, such as surveillance, fire alarm, and evacuation systems.|
-{% include alert-no-icon.html content="All agency-purchased PACS components must be FIPS 201-compliant and selected from GSA's Approved Products List (APL) for PACS Products. The products in this list have undergone vulnerability and interoperability testing through the FIPS 201 Evaluation Program. As an IT system, a PACS must still complete Certification and Accreditation and obtain an Authority to Operate from your agency before connecting to the network." %}
+{% include alert-no-icon.html content="All agency-purchased PACS components must be FIPS 201-compliant and selected from [GSA's Approved Products List (APL) for PACS Products](https://www.idmanagement.gov/acquisition-professionals/#products){:target=\"_blank\"}{:rel=\"noopener noreferrer\"}. The products in this list have undergone vulnerability and interoperability testing through the FIPS 201 Evaluation Program. As an IT system, a PACS must still complete Assessment and Authorization (A & A) and obtain an Authority to Operate from your agency before connecting to the network." %}
## Compliant PACS Characteristics
In May 2019, the Office of Management and Budget (OMB) released memorandum [M-19-17](https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, _Enabling Mission Delivery through Improved Identity, Credential, and Access
-Management_. Related to PACS, M-19-17 rescinded memorandum [M-11-11](https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, _Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors_. The updated guidance adds further specificity to require the use of PIV credentials for physical access to federal facilities, implemented per _[The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard](https://www.cisa.gov/sites/default/files/publications/The%20Risk%20Management%20Process%20-%202021%20Edition_2.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}_ and NIST [SP 800-116, Revision 1](https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, _ Guidelines for the Use of PIV Credentials in Facility Access_.
+Management_. Related to PACS, M-19-17 rescinded memorandum [M-11-11](https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, _Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors_. The updated guidance adds further specificity to require the use of PIV credentials for physical access to federal facilities, implemented per _[The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard](https://www.cisa.gov/sites/default/files/publications/The Risk Management Process - 2021 Edition_2.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}_ and NIST [SP 800-116, Revision 1](https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, Guidelines for the Use of PIV Credentials in Facility Access.
Characteristics of NIST SP 800-116, Revision 1, compliant systems include, but are not limited to:
- Use high-assurance credentials for electronic authentication of employees and contractors.
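Review bot: two wording regressions in the components table and one broken link. "For example access points include turnstiles, gates, and locking doors." in the Access point row is ungrammatical; the original "Example access points include" was correct. The Biometric reader, Control panel and Credential holder data repository rows now open with "It captures", "It receives", "It contains", while the other rows start directly with the verb ("Grants authorization...", "Contains..."), so the table is no longer parallel. In the M-19-17 paragraph the ISC Standard URL has had its %20 escapes replaced by literal spaces; a kramdown link destination cannot contain unescaped spaces, so that link will not render as a link; restore the encoded form. In the APL alert, confirm that the backslash-escaped quotes (\"_blank\") inside the content="..." parameter survive Liquid parsing, since Liquid quoted strings do not support backslash escapes; single-quoted attribute values such as {:target='_blank'} avoid the problem. "A & A" is normally written "A&A".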
@@ -73,7 +73,7 @@ Characteristics of NIST SP 800-116, Revision 1, compliant systems include, but a
- Interoperate with PIV credentials issued by other agencies.
- Use components listed on the GSA FIPS 201 Approved Products List (APL).
-The FIPS 201 Evaluation Program in collaboration with the [PACS Modernization Working Group]({{site.baseurl}}/ficam/#identity-credential-and-access-management-subcommittee){:target="_blank"}{:rel="noopener noreferrer"} created an operational self-assessment tool. The tool helps PACS implementers determine if facility access systems that use PIV credentials are configured according to FICAM and NIST guidelines.
+The FIPS 201 Evaluation Program, in collaboration with the PACS Modernization Working Group, created an operational self-assessment tool. The tool helps PACS implementers determine whether facility access systems that use PIV credentials are configured according to FICAM and NIST guidelines.
- [PACS Assessment Toolkit Version 1.0]({{site.baseurl}}/docs/fips201ep-pacs-self-tool.pdf){:target="_blank"}{:rel="noopener noreferrer"}
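Review bot: the link to the PACS Modernization Working Group is dropped without a replacement; keep the {{site.baseurl}}/ficam/#identity-credential-and-access-management-subcommittee link, since this paragraph is the only place readers learn where the working group is described.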
@@ -81,12 +81,12 @@ The FIPS 201 Evaluation Program in collaboration with the [PACS Modernization Wo
There are two PACS deployment models.
-1. Standalone PACS - a local system that controls physical access to a facility or specific areas within it.
+1. Standalone PACS - a local system that controls physical access to a facility or specific areas within the facility.
2. Enterprise PACS (E-PACS) - extends the concept of a standalone PACS to act as a unified, enterprise-wide system that controls physical access at most (or all) sites that belong to an agency.
## Standalone PACS
-A standalone PACS is a local system that controls physical access to a facility or specific areas within it—for example, a Sensitive Compartmented Information Facility (SCIF). Standalone PACSs are facility-centric, and consequently, these systems typically do not connect to enterprise networks. While this deployment model tends to be the most common and uncomplicated method of managing access to controlled areas, it has several challenges.
+A standalone PACS is a local system that controls physical access to a facility or specific areas within it—for example, a Sensitive Compartmented Information Facility (SCIF). Standalone PACSs are facility-centric; consequently, these systems typically do not connect to enterprise networks. While this deployment model tends to be the most common and uncomplicated method of managing access to controlled areas, it has several challenges.
### Standalone PACS' Operational Challenges
@@ -98,14 +98,16 @@ Agencies that use standalone PACSs have encountered operational challenges:
* Agencies experience reduced situational awareness (for example, logs cannot be correlated across the enterprise).
* Agencies with many standalone PACSs see increased human error, such as data entry errors.
-{% include alert-no-icon-success.html content="Can agencies centrally control physical access for most, or all, of their sites? Yes. The answer is to implement an Enterprise Physical Access Control System." %}
+
+{% include alert-no-icon-success.html content="Can agencies centrally control physical access for most or all of their sites? Yes. The answer is to implement an Enterprise Physical Access Control System." %}
## Enterprise PACS
-An Enterprise PACS (E-PACS) extends the concept of a standalone PACS to act as a unified, enterprise-wide system that controls physical access at most (or all) sites that belong to an agency. E-PACSs address the operational challenges of standalone PACSs and improve system management, scalability, monitoring, and performance.
+An Enterprise PACS (E-PACS) extends the concept of a standalone PACS to act as a unified, enterprise-wide system that controls physical access at most (or all) agency-owned sites. E-PACSs address the operational challenges of standalone PACSs and improve system management, scalability, monitoring, and performance.
E-PACSs rely on the same components as standalone PACSs. However, an essential architectural distinction is that an E-PACS connects to an agency's enterprise network, whereas a PACS typically does not.
+
{% include alert-no-icon.html content="Some agencies need standalone PACSs for their unique sites and missions, but most agencies could benefit from transitioning to an E-PACS." %}
### Would an Enterprise PACS Work for Our Agency?
@@ -120,20 +122,25 @@ Here are some key E-PACS advantages to consider:
* Reduced costs for system management, such as patching, server system administration, and software updates.
* Reduced costs for reporting, such as Federal Information Security Modernization Act [FISMA] reporting.
* Reduced costs for:
- * Server hardware
- * System security assessment and accreditation
+ * Server Hardware
+ * System Security Assessment and Authorization (A & A)
## Aligning Facility Security Level and Authentication
Federal agencies rely on Physical Access Control Systems (PACSs) and Personal Identity Verification (PIV) credentials to confirm that an employee, contractor, or visitor _is_ or _is not_ authorized to access a site and its critical assets, such as systems, information, and people.
-To protect your agency's critical assets, you must assess each site's risk level (called *Facility Security Level*) and decide what level of PIV credential authentication is required (called *authentication mechanism*).
+To protect your agency's critical assets, you must assess each site's risk level (called *Facility Security Level*) and decide what PIV credential authentication is required (called *authentication mechanism*).
-Additional guidance regarding aligning FSL to PACS authentication factors can be found in the [Security Control Overlay for Electronic Physical Access Control Systems (ePACS)]({{site.baseurl}}/docs/pacs-800-53-overlay.pdf){:target="_blank"}{:rel="noopener noreferrer"} . This overlay provides additional guidance on configuring and securing PACS systems in accordance with relevant guidance and in support of the NIST Risk Management Framework (RMF).
+The Security Control Overlay for Electronic Physical Access Control Systems (ePACS) provides additional guidance on aligning FSL to PACS authentication factors. This overlay provides additional guidance on configuring and securing PACS systems in accordance with relevant guidance and in support of the NIST Risk Management Framework (RMF).
## Assess Facility Security Level
-{% include alert-no-icon.html content="These federal standards provide guidance for assessing FSL, including how to categorize site risks:
- The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard
- NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access. " %}
+{% include alert-no-icon.html content="
+These federal standards provide guidance for assessing FSL, including how to categorize site risks:
+
+- [The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard](https://www.cisa.gov/sites/default/files/publications/The%20Risk%20Management%20Process%20-%202021%20Edition_2.pdf){:target=\"_blank\"}{:rel=\"noopener noreferrer\"}{:class=\"usa-link usa-link--external\"}
+- [NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access](https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final){:target=\"_blank\"}{:rel=\"noopener noreferrer\"}{:class=\"usa-link usa-link--external\"}" %}
+
![]({{site.baseurl}}/assets/img/check-box.png){:style="float:center"} **Inventory critical assets for each agency site**
- When you inventory critical assets, also document any challenges to secure them.
Examples of critical assets include:
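Review bot: the rewritten FSL paragraph drops the link to the ePACS overlay PDF, leaving "The Security Control Overlay for Electronic Physical Access Control Systems (ePACS) provides additional guidance..." with no way to reach the document, and it now says "provides additional guidance" in two consecutive sentences; keep the {{site.baseurl}}/docs/pacs-800-53-overlay.pdf link and merge the sentences. "decide what PIV credential authentication is required" loses the "level of" from the original, which is the point of the sentence (the assurance level of the mechanism); keep "what level of". The two new sub-bullets "Server Hardware" and "System Security Assessment and Authorization (A & A)" are title-cased while the sibling bullets are sentence-cased. For the rewritten FSL alert, the content parameter now begins with a newline and contains a Markdown list; confirm the include renders Markdown inside content and that Liquid accepts the backslash-escaped quotes in the parameter, otherwise the alert will show raw text.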
@@ -168,17 +175,17 @@ Additional guidance regarding aligning FSL to PACS authentication factors can be
|Impact Level | Description |
|:---------|:------------|
| *Low*| The loss of confidentiality, integrity, or availability could have a **limited** adverse effect on organizational operations, organizational assets, or individuals.|
-| *Moderate* | The loss of confidentiality, integrity, or availability could have a **serious** adverse effect on organizational operations, organizational assets, or individuals.|
+| *Moderate* | The loss of confidentiality, integrity, or availability could seriously affect organizational operations, assets, or individuals.|
|*High* | The loss of confidentiality, integrity, or availability could have a **severe or catastrophic** adverse effect on organizational operations, organizational assets, or individuals. |
![]({{site.baseurl}}/assets/img/check-box.png){:style="float:center"} **Create a site map of categorized assets**
- This map will help you determine each security area's minimum security level.
-{% include alert-no-icon.html content="As an alternative to assessing a site's risk, you can select a pre-determined FSL as described in The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard." %}
+{% include alert-no-icon.html content="As an alternative to assessing a site's risk, you can select a pre-determined FSL as described in The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard" %}
## Categorize Security Areas
-{% include alert-no-icon.html content="Agencies may use different terms for their security areas; however, each agency should establish its criteria for authentication mechanisms, according to NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access." %}
+{% include alert-no-icon.html content="Agencies may use different terms for their security areas; however, each agency should establish its criteria for authentication mechanisms, according to NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access" %}
![]({{site.baseurl}}/assets/img/check-box.png){:style="float:center"} **Categorize security areas**
- Once you've inventoried and mapped assets by risk and impact level, it's time to categorize security areas.
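Review bot: the Moderate row drops the bold on its impact word while the Low and High rows keep **limited** and **severe or catastrophic**, and it departs from the FIPS 199 phrasing "organizational operations, organizational assets, or individuals" that the other two rows use; keep "could have a **serious** adverse effect on organizational operations, organizational assets, or individuals." The two alert edits in this hunk only remove the trailing period, leaving the sentences unterminated; revert them.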
@@ -187,55 +194,56 @@ Additional guidance regarding aligning FSL to PACS authentication factors can be
|Category | Description|
|:---------|:------------|
| *Exclusion*| An area where uncontrolled movement would permit direct access to a security asset, such as a Sensitive Compartmented Information Facility (SCIF).|
-| *Limited* | An area near a secure asset. Uncontrolled movement within a limited area may permit access to an asset. Escorts and other restrictions can prevent access.|
-|*Controlled* | An area near or surrounding a Limited or Exclusion area, such as a facility lobby. A Controlled area provides administrative control, safety, or a buffer zone for embedded Limited or Exclusion areas. Movement of authorized personnel within this area usually is not controlled because this area doesn't provide immediate access to secure assets. |
+| *Limited* | An area near a secure asset. Uncontrolled movement within a limited area may permit access to an asset. Escorts and other restrictions can prevent access.|
+|*Controlled* | An area near or surrounding a Limited or Exclusion area, such as a facility lobby. A Controlled area provides administrative control and safety or a buffer zone for embedded Limited or Exclusion areas. The movement of authorized personnel within this area usually is not controlled because it doesn’t provide immediate access to secure assets. |
-- Assign the same risk level as the highest risk asset within the area.
+- Assign the same risk level as the highest-risk asset within the area.
- Example: If three (3) assets exist within a security area: one Low-risk, one Moderate-risk, and one High-risk, you must categorize the security area as **High-risk**. Alternatively, the area may be split into three (3) security areas that each have a different risk level.
## Determine Authentication Factors
-{% include alert-no-icon.html content="NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access recommends the following method to determine authentication factors for Exclusion, Limited and Controlled security areas." %}
+{% include alert-no-icon.html content="NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access, recommends the following method to determine authentication factors for Exclusion, Limited, and Controlled security areas." %}
![]({{site.baseurl}}/assets/img/check-box.png){:style="float:center"} **Determine authentication factors required for security area categories**
- Once you have categorized all security area categories, you will select the minimum number of authentication factors (1, 2, or 3) needed to access and safeguard the facility:
| Category| Minimum Number of Factors | Description|
|:---------|:--------------------------:|:------------|
-|*Exclusion*| 3| Exclusion areas require all three authentication factors: Something you have, such as a PIV credential; something you know, such as the PIV credential PIN; and something you have on or in your body, such as a fingerprint or iris scan.|
-|*Limited* | 2 | Limited areas require 2 of the 3 authentication factors, such as a PIV credential and PIN or a PIV credential and fingerprint or iris scan.|
-|*Controlled* | 1 | Controlled areas require only one authentication factor, such as a PIV credential.|
+|*Exclusion*| 3| Exclusion areas require three authentication factors: Something you have, such as a PIV credential; something you know, such as the PIV credential PIN; and something you have on or in your body, such as a fingerprint, face, or iris scan.|
+|*Limited* | 2 | Limited areas require 2 authentication factors, such as the PKI-AUTH from the PIV credential and PIN.|
+|*Controlled* | 1 | Controlled areas require only one authentication factor, such as the PKI-CAK from the PIV credential.|
## Select Authentication Mechanisms
-{% include alert-no-icon.html content="FIPS 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors, defines authentication mechanisms at four assurance levels (Little or No, Some, High, and Very High)." %}
+{% include alert-no-icon.html content="[FIPS 201-3](https://csrc.nist.gov/publications/detail/fips/201/3/final){:target=\"_blank\"}{:rel=\"noopener noreferrer\"}{:class=\"usa-link usa-link--external\"}, Personal Identity Verification (PIV) of Federal Employees and Contractors, defines authentication mechanisms at four assurance levels (Little or No, Some, High, and Very High)." %}
-![]({{site.baseurl}}/assets/img/check-box.png){:style="float:center"} **Select authentication mechanism for each security area**
+![]({{site.baseurl}}/assets/img/check-box.png){:style="float:center"} **Select authentication mechanisms for each security area**
- Based on the security area categories and required authentication factors for each security area, choose the PIV credential authentication mechanism(s) that enforce these factors at each access point.
-- FIPS 201-2 specifies these authentication mechanisms for PIV credentials:
+- FIPS 201-3 specifies these authentication mechanisms for PIV credentials:
- PKI authentication using the PIV Authentication Certificate [(PKI-AUTH)]({{site.baseurl}}/university/pacs/#pki-auth){:rel="noopener noreferrer"}
- PKI authentication using the Card Authentication Certificate [(PKI-CAK)]({{site.baseurl}}/university/pacs/#pki-cak){:rel="noopener noreferrer"}
- - Authentication using the Symmetric Card Authentication Key [(SYM-CAK)]({{site.baseurl}}/university/pacs/#sym-cak){:rel="noopener noreferrer"}
+ - PIV authentication using the Secure Message key [(SM-AUTH)]({{site.baseurl}}/university/pacs/#sm-auth){:rel="noopener noreferrer"}
- Unattended authentication using off-card biometric comparisons [(BIO)]({{site.baseurl}}/university/pacs/#bio){:rel="noopener noreferrer"}
- Attended authentication using off-card biometric comparisons [(BIO-A)]({{site.baseurl}}/university/pacs/#bioa){:rel="noopener noreferrer"}
- Either attended or unattended authentication using off-card biometric comparisons [(BIO(-A))]({{site.baseurl}}/university/pacs/#bio-a){:rel="noopener noreferrer"}
- - Authentication using on-card biometric comparisons [(OCC-AUTH)]({{site.baseurl}}/university/pacs/#occ-auth){:rel="noopener noreferrer"}
+ - Authentication using on-card fingerprint biometric comparisons [(OCC-AUTH)]({{site.baseurl}}/university/pacs/#occ-auth){:rel="noopener noreferrer"}
-The table below gives the possible authentication mechanisms for the three (3) security area categories defined by NIST SP 800-116, Revision 1:
+The table below gives the possible authentication mechanisms for the three (3) security area categories:
| Category | Minimum
Number of
Factors | Acceptable Factors | Authentication
Mechanism:
Contact Interface | Authentication Mechanism:
Contactless Interface |
| :-------- | :------: | :----- | :----- | :----- |
-| *Exclusion* | 3 | Something you have **AND**
Something you know **AND**
Something you have on or in your body | PKI-AUTH + BIO | N/A |
-| *Limited* | 2 |Something you have *AND*
Something you know, **OR**
Something you have *AND*
Something you have on or in your body, **OR**
Something you know *AND*
Something you have on or in your body | PKI-AUTH (with PIN or OCC) or
OCC-AUTH | OCC-AUTH |
-| *Controlled* | 1 | Something you have **OR**
Something you have on or in your body | PKI-CAK | PKI-CAK
SYM-CAK |
+| *Exclusion* | 3 | Something you have **AND**
Something you know **AND**
Something you have on or in your body | PKI-AUTH + PIN + BIO or OCC-AUTH + PKI-AUTH + Non OCC-AUTH Bio | VCI + PIN + BIO |
+| *Limited* | 2 |Something you have *AND*
Something you know, **OR**
Something you have *AND*
Something you have on or in your body, **OR**
Something you know *AND*
Something you have on or in your body | PKI-AUTH + PIN or OCC-AUTH as the PIV Card activator with PKI-AUTH. | VCI + PIN |
+| *Controlled* | 1 | Something you have **OR**
Something you have on or in your body | PKI-CAK SM-AUTH | PKI-CAK SM-AUTH |
-**Note:** Some authentication mechanisms defined by NIST SP 800-116, Revision 1 might not be available on all user-population cards (for example, on-card biometric comparison or PKI-CAK).
+**Note:** Some authentication mechanisms defined by NIST SP 800-116, Revision 1 might not be available on all user-population cards (for example, on-card biometric comparison, off-card biometric comparison).
+Certificates must be validated when using PKI-CAK and PKI-AUTH as authentication mechanisms. Verify the certificate against a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) server response. Also, verify that the certificate chains to the Federal Common Policy root certification authority (CA).
{% include alert-no-icon.html content="When using PKI-CAK and PKI-AUTH as authentication mechanisms, certificates must be validated. Verify the certificate against a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) server response. Also, verify that the certificate chains to the Federal Common Policy root certification authority (CA)." %}
-Visit the [PKI 101]({{site.baseurl}}/university/pki/) to learn more about certificate trust.
+Visit [PKI 101]({{site.baseurl}}/university/pki/) to learn more about certificate trust.
-{% include alert-no-icon.html content="A good starting point that will help you understand Physical Access Control System procurements is GSA’s PACS Customer Ordering Guide. " %}
+{% include alert-no-icon.html content="GSA’s [PACS Customer Ordering Guide](https://buy.gsa.gov/docviewer?id=2038&docTitle=Physical Access Control Systems Ordering Guide&category=Security Protection, Security Systems&docType=Buyers Guide) is a good starting point for understanding Physical Access Control System procurements." %}
This page provides a sample PACS Procurement Checklist. You can reuse or tailor this checklist according to your agency’s practices. The checklist highlights common procurement activities as they relate to the following roles:
- Information Technology or Physical Security Engineers (ENG)
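Review bot: several problems in the authentication-mechanism section. The new paragraph "Certificates must be validated when using PKI-CAK and PKI-AUTH..." duplicates the alert directly below it word for word; keep one of the two. In the Controlled row the contact and contactless cells read "PKI-CAK SM-AUTH" with no separator; write "PKI-CAK or SM-AUTH". The Exclusion and Limited contactless cells now read "VCI + PIN + BIO" and "VCI + PIN", but the virtual contact interface is an interface, not an authentication mechanism, so name the mechanism carried over it (PKI-AUTH over VCI) the way the contact column does. The new SM-AUTH bullet "PIV authentication using the Secure Message key" should use the FIPS 201-3 name, authentication using secure messaging, and the #sm-auth anchor must exist on the pacs page. The table intro drops "defined by NIST SP 800-116, Revision 1", so the three categories no longer cite their source; keep it. The PACS Customer Ordering Guide URL contains literal spaces in its query string, which breaks the kramdown link; percent-encode them. In the factors table, the Limited row "require 2 authentication factors, such as the PKI-AUTH from the PIV credential and PIN" mixes a mechanism (PKI-AUTH) with factors; the original "a PIV credential and PIN" was the clearer two-factor example. The Limited row of the categories table appears as a removed and re-added line with identical text; if that is a whitespace-only change, drop it to keep the diff focused.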
@@ -244,7 +252,7 @@ This page provides a sample PACS Procurement Checklist. You can reuse or tailor
- Chief Information Officers (CIO)
- Chief Security Officers (CSO)
-Agency staff are encouraged to participate in steps where their roles are listed in bold underlined font.
+Agency staff are encouraged to participate in steps that list their roles in **bold**, underlined font.
## PACS Procurement Best Practices
@@ -311,8 +319,8 @@ Agency staff are encouraged to participate in steps where their roles are listed
- Identify your required and optional stakeholders and request their participation.
- Include national, regional, state, and local stakeholders.
- - Involve stakeholders from agency information technology (IT) teams (for example, architects/engineers, network engineers, security, infrastructure services, directory services, web services).
- - Involve agency facility and personnel support organizations (for example, physical security, building operations, Human Resources).
+ - Involve stakeholders from agency information technology (IT) teams (for example, architects/engineers, network engineers, security, infrastructure services, directory services, and web services).
+ - Involve agency facility and personnel support organizations (e.g., physical security, building operations, and Human Resources).
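Review bot: the two rewritten sub-bullets are inconsistent with each other: the first uses "for example" and the second "e.g.,"; the rest of the checklist uses "for example", so use that form in both.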
@@ -362,14 +370,14 @@ Agency staff are encouraged to participate in steps where their roles are listed
- - Use automated tools or agency software to create a project schedule (that is, project tasks, dependencies, durations, and resources).
+ - Use automated tools or agency software to create a project schedule (project tasks, dependencies, durations, and resources).
- Share the project schedule with stakeholders to ensure it is accurate and complete.
|
- 6. Conduct a Facility Security Level (FSL) assessment of project-related agency sites and determine Personal Identity Verification (PIV) authentication mechanisms for each site. |
+ 6. Conduct a Facility Security Level (FSL) assessment of project-related agency sites and determine each site's Personal Identity Verification (PIV) authentication mechanisms. |
ENG |
PM |
PO |
@@ -381,7 +389,7 @@ Agency staff are encouraged to participate in steps where their roles are listed
- For details, see Aligning FSL and Authentication Mechanism.
- - The FSL assessment and chosen PIV authentication mechanisms will form the basis for the PACS requirements document/specification as well as affect the SOW and project costs.
+ - The FSL assessment and chosen PIV authentication mechanisms will form the basis for the PACS requirements document/specification and it will affect the SOW and project costs.
- The sample survey questions below will help you assess the FSL of each facility and select the right PIV authentication mechanisms:
- Who will use a facility’s PACS? Include all possible users.
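Review bot: The reworded sentence has a subject-verb mismatch: the compound subject "The FSL assessment and chosen PIV authentication mechanisms" is followed by "and it will affect the SOW"; either drop the pronoun ("and will affect the SOW and project costs") or make it plural ("and they will affect").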
@@ -389,7 +397,7 @@ Agency staff are encouraged to participate in steps where their roles are listed
- What facility access risks exist?
- How can the facility mitigate these risks?
- What PACS installations does the facility need?
- - What support systems would be integrated into the facility’s PACS (for example, intrusion detection, video surveillance, emergency notification, elevator control)?
+ - What support systems would be integrated into the facility’s PACS (for example, intrusion detection, video surveillance, emergency notification, and elevator control)?
- What PACS integrator or other contractor services does the agency need to solicit bids on?
- What PACS hardware and software is needed?
@@ -419,8 +427,8 @@ Agency staff are encouraged to participate in steps where their roles are listed
- - When documenting PACS requirements, it is critical to solicit input from your stakeholders.
- - Organize requirements into clear categories (for example, technical, performance, and operational) to help stakeholders give targeted feedback.
+ - When documenting PACS requirements, soliciting input from your stakeholders is critical.
+ - Organize requirements into clear categories (technical, performance, and operational) to help stakeholders give targeted feedback.
|
@@ -437,7 +445,7 @@ Agency staff are encouraged to participate in steps where their roles are listed
- - Create and issue an RFI to vendors that requests specific qualifications and capabilities against PACS requirements.
+ - Create and issue an RFI to vendors that request specific qualifications and capabilities against PACS requirements.
|
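Review bot: Changing "requests" to "request" attaches the verb to "vendors" instead of "RFI", which inverts the meaning: it is the RFI that requests qualifications and capabilities from vendors, so the original singular "an RFI ... that requests" was correct and should be kept.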
@@ -471,13 +479,13 @@ Agency staff are encouraged to participate in steps where their roles are listed
|
- 11. Solicit bids, evaluate, and award integrator contract. |
+ 11. Solicit bids, evaluate, and award the integrator contract. |
ENG |
PM |
PO |
@@ -492,9 +500,9 @@ Agency staff are encouraged to participate in steps where their roles are listed
- Identify members of the evaluation committee.
- Establish evaluation criteria for bid review.
- - Identify how well proposed integrator solutions meet your needs.
+ - Identify how well-proposed integrator solutions meet your needs.
- Document the award rationale and announce the contract award decision.
- - Upon request, provide a brief explanation of the award rationale to unsuccessful bidder(s).
+ - Upon request, explain the award rationale briefly to the unsuccessful bidder(s).
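Review bot: The hyphen in "how well-proposed integrator solutions meet your needs" turns "well-proposed" into an adjective and loses the intended sense of measuring how well the proposed solutions meet the need; keep the original "how well proposed integrator solutions meet your needs" (or "how well the proposed integrator solutions meet your needs").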
@@ -530,10 +538,10 @@ Agency staff are encouraged to participate in steps where their roles are listed
- - After contract award, your integrator will help you:
+
- After the contract award, your integrator will help you:
- - Choose the best PACS topology (that is, an end-to-end solution of hardware, software, a Certificate Validation System, and PIV credential readers) listed on the GSA PACS APL for the PIV authentication mechanisms selected for your facility.
- - Buy the products and additional services you need by using the GSA Multiple Award Schedule (MAS). Your chosen integrator will help your agency choose the right PACS products and services, according to your agency’s preferred GSA purchasing vehicle(s).
+ - Choose the best PACS topology (an end-to-end solution of hardware, software, a Certificate Validation System, and PIV credential readers) listed on the GSA PACS APL for the PIV authentication mechanisms selected for your facility.
+ - Buy the products and additional services you need by using the GSA Multiple Award Schedule (MAS). Your chosen integrator will help your agency choose the right PACS products and services according to your agency’s preferred GSA purchasing vehicle(s).
- Want to learn more about GSA Schedules? Training is available: On-demand GSA Schedules Training. For help with GSA Schedules, email the GSA National Customer Service Center at NCSCcustomer dot service at gsa dot gov or call 1-800-488-3111.
@@ -543,7 +551,7 @@ Agency staff are encouraged to participate in steps where their roles are listed
-{% include alert-no-icon.html content="If at any time you have PACS procurement questions, contact the GSA IT Customer Service at ITCSC at gsa dot gov or call 1-855-482-4348." %}
+{% include alert-no-icon.html content="If you have PACS procurement questions at any time, contact GSA IT Customer Service at ITCSC@gsa.gov or call 1-855-482-4348." %}
## Why Can We Buy Only GSA-Approved Products and Services?
[GSA’s FIPS 201 Evaluation Program]({{site.baseurl}}/fips201ep/){:target="_blank"}{:rel="noopener noreferrer"} tests all GSA-listed PACS products, topologies, and services for compliance with FIPS 201 requirements. Purchasing products listed on the GSA APL ensures product compliance with FIPS 201, secure operations, and interoperability.
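Review bot: This hunk replaces the "ITCSC at gsa dot gov" spelling with the literal address `ITCSC@gsa.gov`, but the NCSC address in the preceding hunk's context ("NCSCcustomer dot service at gsa dot gov") is left in the obfuscated form; apply the same treatment to both so the page is consistent about whether it publishes addresses verbatim.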
@@ -554,7 +562,7 @@ Agency staff are encouraged to participate in steps where their roles are listed
- [GSA Multiple Awards Schedule (MAS)](https://www.gsa.gov/technology/technology-purchasing-programs/mas-information-technology){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
- [GSA Multiple Awards Schedule (MAS) Categories](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/multiple-award-schedule-it){:target="_blank"}{:class="usa-link usa-link--external"}{:rel="noopener noreferrer"}
- [GSA Multiple Awards Schedule (MAS) News and Updates](https://www.gsa.gov/buying-selling/purchasing-programs/gsa-schedules/schedules-news-and-updates){:target="_blank"}{:class="usa-link usa-link--external"}{:rel="noopener noreferrer"}
-- [GSA’s eBuy](https://www.ebuy.gsa.gov/ebuy/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} RFQ online system enables you to post requirements, obtain quotes, and issue orders electronically.
+- [GSA’s eBuy](https://www.ebuy.gsa.gov/ebuy/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} RFQ online system lets you to post requirements, obtain quotes, and issue orders electronically.
- Approved [Certified System Engineer ICAM PACS (CSEIP) List]( https://www.securetechalliance.org/activities-cseip-registry/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. Agencies must use FIPS 201-approved integrators and other contractors. The "lead designer" for FIPS 201-approved integrators must possess a Certified System Engineer ICAM PACS (CSEIP) certification or be certified by another federally recognized certification program.
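Review bot: The rewritten eBuy bullet reads "lets you to post requirements", which is ungrammatical; use "lets you post requirements" (or keep "enables you to post").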
## Training
@@ -572,16 +580,16 @@ PACS project teams consist of both agency employees and contractors. Teams inclu
| Technician | Installs, administers, and maintains network and system components. |
| Operator | Uses physical security functions, such as setting access privileges or taking actions to resolve system-generated events and alarms.|
-{% include alert-no-icon.html content="IT Architects, Engineers, and Operators may be federal employees and/or contractors. Technicians are typically contractors." %}
+{% include alert-no-icon.html content="IT Architects, Engineers, and Operators may be federal employees and/or contractors, while technicians are typically contractors." %}
-{% include alert-no-icon.html content="Teams also include a PACS Project Manager, Procurements Official or Specialist, project management specialists, budget analysts, lawyer(s), etc." %}
+{% include alert-no-icon.html content="Teams include a PACS Project Manager, Procurements Official or Specialist, project management specialists, budget analysts, lawyer(s), etc." %}
## Recommended Technical Training
| Role | Recommended Training |
|:------|:-------------|
-| IT Architects| Must be knowledgeable about the [GSA PACS APL]({{site.baseurl}}/acquisition-professionals/#products){:target="_blank"}{:rel="noopener noreferrer"} and the manufacturers' solutions for PACS. Should be knowledgeable about federal government and agency-specific policies, standards, and guidance documents to make design recommendations related to PACS implementation. In order to implement a PACS solution, IT Architects must possess a current [Certified System Engineer ICAM PACS (CSEIP) certification](https://www.securetechalliance.org/activities-certified-system-engineer-icam-pacs-training-and-certification-program/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. There are no other similar, federally recognized certifications as of May 24, 2022.|
-| Engineers| May hold a [CSEIP](https://www.securetechalliance.org/activities-certified-system-engineer-icam-pacs-training-and-certification-program/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} certification. There are no other similar, federally recognized certifications as of May 24, 2022. Engineers may optionally complete PACS product manufacturers' training (for example, PACS APL products) related to the PACS implementation. Should be knowledgeable about federal government and agency-specific policies, standards, and guidance documents related to enterprise networks and PACS implementation. |
+| IT Architects| Must be knowledgeable about the [GSA PACS APL]({{site.baseurl}}/acquisition-professionals/#products){:target="_blank"}{:rel="noopener noreferrer"} and the manufacturers' solutions for PACS. Should be knowledgeable about the federal government and agency-specific policies, standards, and guidance documents to make design recommendations related to PACS implementation. To implement a PACS solution, IT Architects must possess a current [Certified System Engineer ICAM PACS (CSEIP) certification](https://www.securetechalliance.org/activities-certified-system-engineer-icam-pacs-training-and-certification-program/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. There are no other similar, federally recognized certifications as of June 16, 2024.|
+| Engineers| May hold a [CSEIP](https://www.securetechalliance.org/activities-certified-system-engineer-icam-pacs-training-and-certification-program/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} certification. There are no other similar, federally recognized certifications as of June 16, 2024. Engineers may optionally complete PACS product manufacturers' training (for example, PACS APL products) related to the PACS implementation. Should be knowledgeable about federal government and agency-specific policies, standards, and guidance documents related to enterprise networks and PACS implementation. |
| Technicians | Should complete PACS product manufacturers' training (i.e., PACS APL products) related to the PACS solution implementation.|
| Operators | Should complete tailored training in federal government policies and standards related to PACS. Completing PACS product manufacturers' (i.e., PACS APL products) certification related to the PACS implementation is recommended.|
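Review bot: Both table rows now state "There are no other similar, federally recognized certifications as of June 16, 2024", so this hunk asserts a fresh verification date; confirm that the check was actually performed on that date, and consider fixing the unchanged "i.e., PACS APL products" in the Technicians and Operators rows to "for example," in the same pass, since APL products are an example rather than a restatement.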
@@ -595,21 +603,41 @@ PACS project teams consist of both agency employees and contractors. Teams inclu
The [Interagency Security Committee](https://www.cisa.gov/resources-tools/groups/interagency-security-committee-isc){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} developed a series of free, self-paced, [online training courses](https://www.dhs.gov/interagency-security-committee-training){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} that provide an overview of facility security standards, processes, and practices.
### Equipment Manufacturers
-[GSA PACS APL]({{site.baseurl}}/acquisition-professionals/#products){:target="_blank"}{:rel="noopener noreferrer"} PACS manufacturers whose products are listed on the GSA PACS APL offer product-specific courses for Operators and Technicians directly or through authorized service providers. Operators and Technicians may obtain certifications for completing some series of courses.
+[GSA PACS APL]({{site.baseurl}}/fips201/){:target="_blank"}{:rel="noopener noreferrer"} PACS manufacturers whose products are listed on the GSA PACS APL offer product-specific courses for Operators and Technicians directly or through authorized service providers. Operators and Technicians may obtain certifications for completing some series of courses.
>**Note:** Manufacturer training may not address unique operational requirements or site-specific configurations, so authorized service providers should conduct this training: [GSA Multiple Award Schedule (MAS)](https://www.gsa.gov/technology/technology-purchasing-programs/mas-information-technology){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
### Authorized Service Providers
-Authorized service providers offer manufacturer training for installing, configuring, and maintaining PACSs: [GSA Multiple Award Schedule (MAS)](https://www.gsa.gov/technology/technology-purchasing-programs/mas-information-technology){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. This training can be tailored to your agency, facility, implementation features, operational policies, and procedures. This training should be planned during the Procurements phase.
+Authorized service providers offer manufacturer training for installing, configuring, and maintaining PACSs: [GSA Multiple Award Schedule (MAS)](https://www.gsa.gov/technology/technology-purchasing-programs/mas-information-technology){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. This training can be tailored to your agency, facility, implementation features, operational policies, and procedures. It should be planned during the Procurement phase.
### Industry Certifications
Industry certifications are vendor neutral and standards based. GSA requires that all work performed on approved PACS for GSA-managed facilities must be designed and installed by a Certified System Engineer for ICAM PACS (CSEIP). The [CSEIP Program](https://www.securetechalliance.org/activities-certified-system-engineer-icam-pacs-training-and-certification-program/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} trains those who implement solutions related to OMB M-05-24 and OMB M-19-17.
Commercial vendors offer additional certification opportunities.
+### Industry Training
+
+The Secure Technology Alliance Access Control Council held a six-part webinar on planning, procuring, and implementing PIV-enabled physical access control systems (PACS) for government facilities. The series was created for systems engineers, facility managers, physical security personnel, and other government facility stakeholders.
+
+Webinar sessions feature industry and government experts covering:
+-Identifying stakeholders involved in deploying a PIV-enabled PACS
+-Planning implementation: facility characterization and risks
+-Establishing the project scope
+-Developing and implementing the procurement strategy
+-Deploying the chosen solution
+-Reviewing use cases and agency lessons learned
+
+Recordings of completed webinars are available.
+Part 1: How to Plan, Procure, and Deploy a PIV-Enabled Physical Access Control System
+Part 2: Facility Characterization and Risk Management
+Part 3: Establishing the Project Scope
+Part 4: Developing the Procurement Strategy
+Part 5: Implementing the Solution
+Part 6: Use Cases and Lessons Learned
+
### GSA PACS Reverse Industry Day Conference (2018)
-In 2018, GSA hosted a _PACS Reverse Industry Day_ conference that featured government and industry experts on a range of PACS topics. Event videos are available via the GSA YouTube channel:
+In 2018, GSA hosted a PACS Reverse Industry Day conference featuring government and industry experts on various PACS topics. Event videos are available via the GSA YouTube channe:
- [Morning Session](https://www.youtube.com/watch?v=r9X1XtrLjMg){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
- [Afternoon Session](https://www.youtube.com/watch?v=bS8jdkW_WUI){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
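Review bot: The new "Industry Training" list items are written as `-Identifying ...` with no space after the hyphen, so markdown will render them as a single paragraph of hyphen-prefixed text rather than a bulleted list; add the space after each `-`. The "Part 1" through "Part 6" lines also need list markers (or a blank line between them) to avoid running together, and although the commit message and Acknowledgment text say links to the training are provided here, no URLs are attached to those six lines. Separately, "GSA YouTube channe" in the rewritten Reverse Industry Day sentence is a typo for "channel".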
@@ -620,24 +648,24 @@ Federal agencies have shared these PACS lessons learned:
## Planning
- Identify all stakeholders upfront, including an Executive Sponsor.
-- Designate staff to fill key roles, such as architects, engineers, and operators.
+- Designate staff, such as architects, engineers, and operators, to fill key roles.
- Engage CIO/CISO representatives early. _Remember: A PACS is an IT system._
- As an IT system, a PACS must complete Certification and Accreditation and obtain an Authority to Operate before connecting to the network.
- Create, maintain, and share an integrated master schedule that presents project phases, tasks, resources, and dependencies.
-- Establish a PACS component lifecycle management plan to help estimate hardware and software upgrades over the life of the system.
+- Establish a PACS component lifecycle management plan to help estimate hardware and software upgrades over the system's lifetime.
- Build the cost of software licensing and system sustainment into your project budget.
- Work with facility engineers to identify constraints specific to your workplace, such as mandatory construction requirements. These constraints may limit solution offerings.
-- Consider the impact on the federal facility population when modernizing PACS assets, especially if your agency is moving toward FICAM-compliant PACS.
+- When modernizing PACS assets, consider the impact on the federal facility population, especially if your agency is moving toward FICAM-compliant PACS.
- Plan a standardized deployment strategy across locations.
-- Remember that legacy system hardware, such as credential readers, may not support FICAM-compliant modes of operation. (FICAM Mode implies using PKI-based authentication mechanisms and online identity validation.) Review your system hardware capabilities after identifying desired authentication mechanisms to determine if upgrades are necessary.
+- Remember that legacy system hardware, such as credential readers, may not support FICAM-compliant modes of operation. (FICAM Mode implies using PKI-based authentication mechanisms and online identity validation.) After identifying desired authentication mechanisms, review your system hardware capabilities to determine if upgrades are necessary.
- Use legacy credentials and non-FICAM compliant modes of operation *only* in a migration strategy, not as the end state.
- Retire and phase out secondary, legacy credentials.
-- Use your agency Identity Management System as the authoritative source for all user records in the PACS.
-- Recall that some PACS allow assignment of user access levels at the time of credential registration. Plan the method of assignment before provisioning/registration.
+- Use your agency's Identity Management System as the authoritative source for all user records in the PACS.
+- Recall that some PACS allows the assignment of user access levels at the time of credential registration. Plan the method of assignment before provisioning/registration.
- Avoid acts of “omission” that create noncompliance. For example, procuring products listed on the Approved Products List (APL) but not correctly enabling FICAM Mode.
-- Use a risk-based approach when selecting appropriate PIV authentication mechanisms for physical access to federal government buildings and facilities, regardless of whether they are leased or government-owned.
+- Use a risk-based approach when selecting appropriate PIV authentication mechanisms for physical access to federal government buildings and facilities, whether leased or government-owned.
- Remember that access points should not rely solely on an authentication mechanism that requires optional card features, as these features might not be available on all user-population cards (for example, on-card biometric comparison).
-- Plan the PACS to meet the needs of the operating environment (for example, do not require three-factor authentication when only one factor is needed).
+- Plan the PACS to meet the operating environment's needs (e.g., do not require three-factor authentication when only one factor is needed).
- Understand that PKI is the foundation for high-assurance PACS implementations.
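Review bot: The rewritten bullet "some PACS allows the assignment of user access levels" introduces a subject-verb disagreement ("some PACS" is plural here); use "some PACS allow". The same hunk also swaps "for example" for "e.g." in the three-factor bullet while the surrounding bullets keep "for example"; keep one form.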
@@ -649,19 +677,19 @@ Federal agencies have shared these PACS lessons learned:
- Work closely with agency legal team members to define an SOW that contains unambiguous responsibilities for the integrator and appropriate cures for non-performance.
- Have your integrator provide copies of all relevant FIPS 201-3 compliance and functionality testing documentation.
- Specify personnel roles, responsibilities, and training requirements within the SOW (for example, all engineers must be CSEIP certified).
-- Ensure qualified professionals and/or SMEs review the design documents before releasing them for bid or formal contractor response. Consider hiring an SME capability to augment agency staff as a "buyer’s agent" during these activities.
-- Consider looking for evidence of qualified and/or registered personnel certifying the proposed solution (submittals) before approval or notice to proceed.
+- Ensure qualified professionals and/or SMEs review the design documents before releasing them for bid or formal contractor response. Consider hiring an SME capable of augmenting agency staff as a “buyer’s agent” during these activities
+- Consider seeking evidence of qualified and/or registered personnel certifying the proposed solution (submittals) before approval or notice to proceed.
## Operations
-- Define clear processes and procedures to support the remedy of system incidents (for example, a failed credential reader). Be sure to identify key support personnel and expected levels of support.
-- Perform regular system maintenance and patching of the PACS components. Establish clear procedures for testing upgrades prior to widespread deployment, and develop "roll-back" procedures in the event they are required.
+- Define clear processes and procedures for remedying system incidents (for example, a failed credential reader). Be sure to identify key support personnel and expected levels of support.
+- Perform regular system maintenance and patching of the PACS components. Establish clear procedures for testing upgrades before widespread deployment and develop “roll-back” procedures if required.
- Ensure the PACS is configured and maintained to operate in FICAM Mode.
- Work with your IT Department to ensure your PACS can perform online certificate validation. Credential validation should take place at or near the time of authentication. If your PACS is limited to offline certificate validation, manually load CRLs and certificate trust lists into the PACS daily.
- Provision only assured identities from an agency authoritative source into your PACS.
-- Consider having the PACS administrator disable PIV credentials that are invalid (expired, certificates placed on CRL, etc.) immediately rather than waiting for automatic disabling through the routine credential validation process. Consider disabling identity and credential records rather than removing them to retain audit data that might be needed at a later time (for example, employee misconduct investigations).
+- Consider immediately having the PACS administrator disable invalid PIV credentials (expired, certificates placed on CRL, etc.) rather than waiting for automatic disabling through the routine credential validation process. Also, consider disabling identity and credential records rather than removing them to retain audit data that might be needed later (for example, employee misconduct investigations).
- Remove all PII from PACS endpoints to protect privacy.
-- Audit expected system functionality on a regular basis. Minimally, verify that access points are challenging the correct number and type of authentication factors. Consider using test credentials that have expired or been revoked to further ensure correct operation.
+- Audit expected system functionality regularly. Minimally, verify that access points are challenging the correct number and type of authentication factors. Consider using test credentials that have expired or been revoked to ensure correct operation further.
## Training
- Create and maintain a training plan that formally documents training requirements.
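Review bot: In the Procurements bullet, "hiring an SME capable of augmenting agency staff" changes the meaning of the original "hiring an SME capability to augment agency staff" (a capability, possibly several people, versus one individual) and the rewritten sentence also drops its terminal period. In the Operations bullet, "to ensure correct operation further" is awkward; the original "to further ensure correct operation" reads better.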
@@ -705,7 +733,7 @@ E.O. 13636 and PPD-21 - ["Fact Sheet: Improving Critical Infrastructure Cybersec
[NIST SP 800-60, Volume II, Revision 1, _Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories_](http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, August 2008
-[NIST SP 800-73-4, _Interfaces for Personal Identity Verification_](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, Parts 1 and 2, May 2015 (Updated February 8, 2016)
+[NIST SP 800-73pt1-5, _Interfaces for Personal Identity Verification_](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73pt1-5.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, Parts 1 ,July 2024
[NIST SP 800-116, Revision 1, _Guidelines for the Use of PIV Credentials in Facility Access_](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, June 2018
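Review bot: The updated SP 800-73 reference has a formatting slip in its trailing text: "Parts 1 ,July 2024" should be "Part 1, July 2024" (the link points to the Part 1 PDF only, whereas the removed line covered Parts 1 and 2); if the other parts are also meant to be cited, add their links rather than implying them with a plural.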
@@ -721,11 +749,11 @@ E.O. 13636 and PPD-21 - ["Fact Sheet: Improving Critical Infrastructure Cybersec
[_Facility Access Control: An Interagency Security Committee Best Practice_](https://www.cisa.gov/sites/default/files/publications/Facility%20Access%20Control%20-%20An%20Interagency%20Security%20Committee%20Best%20Practice.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, 2020 Edition
-[_PACS Customer Ordering Guide (v2.0)_](https://www.gsa.gov/system/files/General_Supplies__Services/Guide_to_GSA_PACS_An_Ordering_Guide_-_July_2020.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, GSA Schedule 84 - Security, Fire, & Law Enforcement, June 2018
+[_PACS Customer Ordering Guide (v2.0)_](https://buy.gsa.gov/docviewer?id=2038&docTitle=Physical%20Access%20Control%20Systems%20Ordering%20Guide&category=Security%20%20Protection,%20Security%20Systems&docType=Buyers%20Guide){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, GSA Schedule 84 - Security, Fire, & Law Enforcement, January 2021
[_Personal Identity Verification (PIV) in Enterprise Physical Access Control Systems (E-PACS)_]({{site.baseurl}}/docs/pacs-piv-epacs.pdf){:target="_blank"}{:rel="noopener noreferrer"}, Interagency Security Committee (ISC), Version 3.0, March 26, 2014
-[_Personal Identity Verification Interoperability for Issuers_]({{site.baseurl}}/docs/archived/fpki-pivi-for-issuers.pdf){:target="_blank"}{:rel="noopener noreferrer"}, Version 2.0.1, July 27, 2017
+[_Personal Identity Verification Interoperability for Issuers_]({{site.baseurl}}/university/pivi/){:target="_blank"}{:rel="noopener noreferrer"}, Version 2.0.1, July 27, 2017
[_The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard_](https://www.cisa.gov/sites/default/files/publications/isc-risk-management-process-2016-508.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, ISC, 2nd Edition, November 2016
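Review bot: The new Ordering Guide URL encodes the category as `Security%20%20Protection` (two spaces), while the same link added earlier in this patch has `Security Protection` (one space); these should match, so verify the actual query string on buy.gsa.gov and use the same encoded value in both places.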
@@ -740,17 +768,17 @@ Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access
## Glossary
-{% include alert-no-icon.html content="NIST SP-800-116, Revision 1, \"Guidelines for the Use of PIV Credentials in Facility Access\" Appendix G contains additional PACS-related terms and definitions." %}
+{% include alert-no-icon.html content="NIST SP-800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access [Appendix G](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf){:target=\"_blank\"}{:rel=\"noopener noreferrer\"}{:class=\"usa-link usa-link--external\"} contains additional PACS-related terms and definitions." %}
1. Access Control - The process of granting or denying specific requests to: (1) obtain and use information and related information processing services; and (2) enter physical facilities, such as federal buildings, military establishments, and border crossing entrances.
-2. Access Point - An access point can be a door, turnstile, or other physical barrier where granting access can be electronically controlled.
+2. Access Point - An access point can be a door, turnstile, or other physical barrier that can be electronically controlled to grant access.
3. Authentication - The process of establishing confidence in the authenticity and validity of a person’s identity.
-4. Authentication Factors - Authentication systems are often categorized by the number of factors that they incorporate. The three factors often considered as the cornerstone of authentication are something you know (for example, a password), something you have (for example, an ID badge or a cryptographic key), and something you are (for example, a thumbprint or other biometric data). Authentication systems that incorporate all three factors are stronger than systems that only incorporate one or two of the factors.
-5. Authorization - Grants access to only the resources a person needs to perform a job. A person with an authentic, high-assurance credential (PIV or CAC) will not have access to all resources. In a large enterprise with thousands of employees and contractors needing access to hundreds of different access points, attempting to manage authorization manually is costly, time consuming, and error-prone.
-6. Biometric - A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris image samples are all examples of biometrics.
-7. BIO - A [FIPS 201](https://csrc.nist.gov/pubs/fips/201-3/final){:target="_blank"}{:rel="noopener noreferrer"} authentication mechanism that is implemented by using a fingerprint or iris images data object sent from the PIV credential to the PACS and which is matched to the credential holder’s live scan.
+4. Authentication Factors - Authentication systems are often categorized by the number of factors they incorporate. The three factors often considered as the cornerstone of authentication are something you know (for example, a password), something you have (for example, an ID badge or a cryptographic key), and something you are (for example, a thumbprint or other biometric data). Authentication systems that incorporate all three factors are stronger than systems that only incorporate one or two.
+5. Authorization - GGrants access to only the resources a person needs to perform a job. A person with an authentic, high-assurance credential (PIV or CAC) cannot access all resources. In a large enterprise with thousands of employees and contractors needing access to hundreds of different access points, attempting to manage authorization manually is costly, time-consuming, and error-prone.
+6. Biometric - A measurable, physical characteristic or personal behavioral trait used to recognize or verify an applicant's claimed identity. Facial images, fingerprints, and iris image samples are all examples of biometrics.
+7. BIO - A [FIPS 201](https://csrc.nist.gov/pubs/fips/201-3/final){:target="_blank"}{:rel="noopener noreferrer"} authentication mechanism that is implemented by using a fingerprint, facial, or iris image data object sent from the PIV credential to the PACS and matched to the credential holder’s live scan.
8. BIO-A - A [FIPS 201](https://csrc.nist.gov/pubs/fips/201-3/final){:target="_blank"}{:rel="noopener noreferrer"} authentication mechanism in which the BIO authentication mechanism is performed in the presence of an attendant who supervises the use of the PIV credential and the submission of the PIN and the sample biometric by the credential holder.
-9. BIO(-A) - A shorthand used to represent both BIO and BIO-A authentication mechanisms.
+9. BIO(-A) - A shorthand represents both BIO and BIO-A authentication mechanisms.
10. Credential - A collection of information about a person, attested to by an issuing authority. A credential is a data object, such as a certificate, that can be used to authenticate the credential holder. One or more data object credentials may be stored on the same physical memory device, such as a PIV card.
11. Credential Validation - The process of determining if a credential is valid, which can include the following requirements:
- The credential was legitimately issued.
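Review bot: the reworded Authorization entry (`+5. Authorization - GGrants access to only the resources...`) introduces a doubled-G typo; it should read "Grants". Two smaller points in the same hunk: the BIO(-A) rewording drops its verb structure ("A shorthand represents both BIO and BIO-A authentication mechanisms" reads as a fragment; "A shorthand for both the BIO and BIO-A authentication mechanisms" is cleaner), and the BIO entry now adds "facial" to the biometric data objects sent from the PIV credential for matching. Please confirm against the linked FIPS 201-3 text that facial image records are permitted for BIO/BIO-A matching, or keep the entry to fingerprint and iris as it was before this change.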
@@ -760,14 +788,15 @@ Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access
- The credential has not been suspended or revoked by the issuing authority.
12. Certificate Revocation List - A list of revoked public key certificates created and digitally signed by a certification authority.
13. Identity Management System (IDMS) - A system comprising one or more systems or applications that manages the identity verification, validation, and issuance process.
-14. Identity Registration - The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes in the system.
+14. Identity Registration - The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes.
15. Identity Verification - The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV credential or system and associated with the identity being claimed.
-16. Interoperability - The quality of allowing any government facility or information system to verify a credential holder’s identity using the credentials on the PIV credential, regardless of issuer.
+16. Interoperability - The quality of allowing any government facility or information system to verify a credential holder’s identity using the credentials on the PIV credential, regardless of the issuer.
17. OCC-AUTH - A two-factor authentication mechanism that uses secure messaging and an on-credential comparison of credential holder fingerprint(s).
-18. Physical Access Control System - An electronic system that controls the ability of people to enter a protected area, by means of authentication and authorization at access control points.
-19. PKI-AUTH - A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the PIV
+18. Physical Access Control System - An electronic system that controls the ability of people to enter a protected area utiizing authentication and authorization at access control points.
+19. PACS Alternative Authenticator- Derived PKI-CAK - A PIV authentication mechanism implemented on an approved alternative authenticator (token) using wireless asymmetric key challenge/response protocol of a Derived (NIST SP 800-157) Card Authentication certificate and key.
+20. PKI-AUTH - A PIV authentication mechanism implemented by an asymmetric key challenge/response protocol using the PIV
Authentication certificate and key.
-20. PKI-CAK - A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the Card Authentication certificate and key.
-21. Provisioning - The process of specifying for each identity both the credential used (for example, a PIV, CAC, or PIV-I card) and the privileges granted to access specific resources (for example, a particular facility, door, or access point), and ensuring that a complex set of rules is enforced.
-22. SYM-CAK - An authentication mechanism based on the optional symmetric card authentication key. As the name implies, the purpose of the SYM-CAK authentication mechanism is to authenticate the credential and thereby the credential holder.
-23. Validation - The process of determining that an identity credential was legitimately issued and is still valid (that is, the credential has not expired or been revoked).
+21. PKI-CAK - A PIV authentication mechanism implemented by an asymmetric key challenge/response protocol using the Card Authentication certificate and key.
+22. Provisioning - The process of specifying for each identity both the credential used (for example, a PIV, CAC, or PIV-I card) and the privileges granted to access specific resources (for example, a particular facility, door, or access point), and ensuring that a complex set of rules is enforced.
+23. SM-AUTH - A PIV authentication mechanism implemented by an elliptic curve key challenge/response protocol using the Secure Message key.
+24. Validation - The process of determining that an identity credential was legitimately issued and is still valid (the credential has not expired or been revoked).
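Review bot: the reworded Physical Access Control System entry misspells "utilizing" as "utiizing" (`+18. Physical Access Control System - ... utiizing authentication and authorization at access control points.`). Also in this hunk: the new item 19 has uneven spacing in "PACS Alternative Authenticator- Derived PKI-CAK" (set the hyphen as " - " like the other entries, or close it up), and "approved alternative authenticator" does not say who approves it; the renumbered PKI-AUTH entry still wraps mid-sentence ("...using the PIV" / "Authentication certificate and key."), which renders as a broken list item in Markdown, so join it onto one line while the entry is being touched; SM-AUTH's "Secure Message key" should use the term as FIPS 201-3 spells it ("secure messaging key"); and since the SYM-CAK entry is dropped from the glossary without explanation, the commit message or PR description should state the reason (for instance, whether the removal tracks the cited FIPS 201-3 revision).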
From bbd75c3c3bfb9a40053efef8c3b267ba80bdc119 Mon Sep 17 00:00:00 2001
From: Clayton J Barnette <110616975+claytonjbarnette@users.noreply.github.com>
Date: Wed, 11 Sep 2024 13:58:19 -0400
Subject: [PATCH 2/3] updated alert to support markdown
---
_includes/alert-error.html | 2 +-
_includes/alert-info.html | 2 +-
_includes/alert-no-icon-success.html | 2 +-
_includes/alert-no-icon.html | 2 +-
_includes/alert-slim.html | 2 +-
_includes/alert-success.html | 2 +-
_includes/alert-warning.html | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/_includes/alert-error.html b/_includes/alert-error.html
index 5ba70dde..d862c18b 100644
--- a/_includes/alert-error.html
+++ b/_includes/alert-error.html
@@ -1,6 +1,6 @@
{{include.heading}}
- {{include.content}}
+ {{include.content | markdownify}}
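Review bot: this changes the include's contract without documenting it. With `{{include.content | markdownify}}`, every caller's `content` string is now parsed as kramdown Markdown, so literal `*`, `_`, backticks or `<` in existing or future alert text will be interpreted rather than displayed, and any inline HTML in the string passes straight through to the page; add a comment at the top of the include stating that `content` is Markdown and must be site-authored. Also check the rendered output: markdownify wraps its result in a block-level `<p>`, so if this line sits inside a paragraph element in the alert markup the result is nested `<p>` elements, which browsers repair silently but which is invalid HTML.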
diff --git a/_includes/alert-info.html b/_includes/alert-info.html
index 60da43d9..0cca5eca 100644
--- a/_includes/alert-info.html
+++ b/_includes/alert-info.html
@@ -1,6 +1,6 @@
{{include.heading}}
- {{include.content | markdownify }}
+ {{include.content | markdownify}}
\ No newline at end of file
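Review bot: this hunk is whitespace-only (`markdownify }}` to `markdownify}}`) and has no effect on rendering. If the point of touching the file is consistency with the other includes, add the trailing newline as well, since `\ No newline at end of file` is still reported after the change.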
diff --git a/_includes/alert-no-icon-success.html b/_includes/alert-no-icon-success.html
index 855ae6d3..f574e19e 100644
--- a/_includes/alert-no-icon-success.html
+++ b/_includes/alert-no-icon-success.html
@@ -1,5 +1,5 @@
- {{include.content}}
+ {{include.content | markdownify}}
diff --git a/_includes/alert-no-icon.html b/_includes/alert-no-icon.html
index 72c59ba0..1d209f32 100644
--- a/_includes/alert-no-icon.html
+++ b/_includes/alert-no-icon.html
@@ -1,5 +1,5 @@
- {{include.content}}
+ {{include.content | markdownify}}
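Review bot: the callers of this include in the series pass plain prose, for example `content="Can agencies centrally control physical access for most or all of their sites? Yes. ..."`, which markdownify now wraps in a `<p>` element, so the spacing inside the no-icon alert changes even though the text contains no Markdown syntax. A before/after screenshot of one rendered alert in the PR description would confirm the layout is still what was intended.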
diff --git a/_includes/alert-slim.html b/_includes/alert-slim.html
index dca10487..6103686f 100644
--- a/_includes/alert-slim.html
+++ b/_includes/alert-slim.html
@@ -2,6 +2,6 @@ Slim alert
- {{include.content}}
+ {{include.content | markdownify}}
diff --git a/_includes/alert-success.html b/_includes/alert-success.html
index 0ccc762f..1476fa05 100644
--- a/_includes/alert-success.html
+++ b/_includes/alert-success.html
@@ -1,6 +1,6 @@
{{include.heading}}
- {{include.content | markdownify }}
+ {{include.content | markdownify}}
\ No newline at end of file
diff --git a/_includes/alert-warning.html b/_includes/alert-warning.html
index 0aca2d1b..959d3425 100644
--- a/_includes/alert-warning.html
+++ b/_includes/alert-warning.html
@@ -1,6 +1,6 @@
{{include.heading}}
- {{include.content | markdownify }}
+ {{include.content | markdownify}}
\ No newline at end of file
From bef31b659af7bdbedd21887aa58c416507642de6 Mon Sep 17 00:00:00 2001
From: "Nelson R." <125207848+TheInfinityBeyonder@users.noreply.github.com>
Date: Wed, 11 Sep 2024 16:09:51 -0400
Subject: [PATCH 3/3] Update pacs101.md
---
_university/pacs101.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_university/pacs101.md b/_university/pacs101.md
index afec4bca..338155c6 100644
--- a/_university/pacs101.md
+++ b/_university/pacs101.md
@@ -99,7 +99,7 @@ Agencies that use standalone PACSs have encountered operational challenges:
* Agencies with many standalone PACSs see increased human error, such as data entry errors.
-{% include alert-no-icon-success.html content="Can agencies centrally control physical access for most or all of their sites? Yes. The answer is to implement an Enterprise Physical Access Control System." %}
+{% include alert-no-icon.html content="Can agencies centrally control physical access for most or all of their sites? Yes. The answer is to implement an Enterprise Physical Access Control System." %}
## Enterprise PACS
| |
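Review bot: the commit message "Update pacs101.md" does not say why the Enterprise PACS callout moves from `alert-no-icon-success.html` to `alert-no-icon.html`; state the reason (for example, consistency with the other callouts on the page) in the message or the PR description. Since the earlier commit in this series makes both includes run `content` through markdownify, the string itself is unaffected, as it contains no Markdown-significant characters, but the rendered colour and spacing of this callout will change, which is worth calling out to whoever reviews the page visually.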