Step 10 - Plan and Conduct Acquisition
Your agency must comply with specified regulations and policies, mainly the Federal Acquisition Regulation (FAR), when planning for the acquisition of ICAM products and services. The FAR sets the rules governing the federal acquisition process and includes several clauses particularly relevant to your agency’s ICAM program. M-06-18 provides guidance to federal agencies related to the acquisition of products and services for HSPD-12 implementations. It introduced several amendments to the FAR, which were codified in 48 C.F.R Subpart 4.13, that require agencies to comply with HSPD-12 and FIPS 201 for contractors who require routine logical or physical access and include language to this effect in applicable solicitations and contracts.
The addition to the FAR also requires that agencies purchase only approved products and services in support of their HSPD-12 implementations. The FIPS 201 Evaluation Program was developed to organize and define a standard approval process for these products and services. All required NIST validation and GSA testing must be met to be an approved product or service for HSPD-12 purchases. Approved products and services, which have been demonstrated to meet NIST validation and GSA testing and have been qualified by the Evaluation Program, can be found on the FIPS 201 APL.
Checklist
Evaluate factors to estimate cost of solution. Once you’ve determined a solution, you should evaluate a number of factors to estimate the costs that will be incurred. We’ve provided common characteristics that you should examine to not only determine costs, but to also compare the potential cost savings of various solution.
PACS Evaluation Factors
| Facility Size | The number of users requiring access to a facility significantly impacts the level of administrative efforts required to provision user accounts and manage access privileges. |
| Level of PACS Service Provided | Determine the level that PACS services should be provided. There are cost savings and efficiencies that can be achieved by providing services at the enterprise-level. For example, an agency hosting a server for the bureaus/components. |
| Analysis of Population | Examine user populations (employees, contractor’s short term, etc.) and facility tenants (federal, non-federal) to determine the types of groups requiring access. You should consider complex user populations when making a decision on the type of PACS solution to implement. You should also consider the ability to handle increased usage as the modernization continues and the amount/type of users change over time. |
| Number of PACS | The number of PACS within an agency often dictates implementation time and can significantly affect implementation cost, depending on the resources’ connection requirements. |
| Type of PACS | The type of PACS varies based on the vendors, platforms, operating systems, products, databases, etc. That are in use across your organization. These variances impact the complexity of integrating resources with the PACS infrastructure and require different integration processes. |
| Existing PACS Investments | Your agency may have existing investments in place that are capable of providing physical access services in a manner consistent with the modernized ICAM segment architecture. Those investments should be used when possible and offer the potential to achieve a modernized PACS state without requiring significant investment from the organization. |
| Credentials Supported | Examine the types of credentials that the PACS must support (including PIV-I) and incorporate any costs associated with validating acceptable credentials. |
| Protection Areas | Consider the number or combination of protection areas (Limited, Exclusion, Controlled) when determining program costs. For example, a high number of exclusion protection areas may increase costs due to the added level of access control required to protect those areas. |
LACS Evaluation Factors
Logical access control deployments require adequate planning and consideration to ensure that an agency achieves the best possible value for its investment. LACS projects offer agencies the potential to realize significant ROI in the form of cost avoidance, reallocation of resources, productivity gains, and reduced administrative burden. In order to achieve these benefits, an agency should assess its organizational structure, identity stores/repositories, access control processes, and IT resources when planning new or modifying existing LACS investments.
| Organizational Size | The number and type of users requiring access to agency IT resources, as well as the frequency of turnover of users, significantly impacts the level of administrative effort required to provision user accounts and manage access privileges. |
| Cost Effectiveness | Agencies need to evaluate the return on investment (ROI) that their agency would gain compared with the upfront investment costs when planning for a LACS investment. |
| Complexity of User Population | Organizations with complex user and role management requirements should consider LACS solutions that offer services in these areas. User management complexity represents an opportunity to streamline existing processes or, potentially, an area that could significantly increase implementation costs. Additionally, the availability (or lack thereof) of user repositories can impact implementation costs. |
| Number of IT Resources | The number of IT resources within an agency often dictates implementation time and can significantly affect implementation cost, depending on the resources’ connection requirements. |
| Type of IT Resources | The type of IT resources varies based on the platforms, operating systems, products, databases, etc. that are in use across the organization. These variances impact the complexity of integrating resources with the LACS infrastructure and require different integration processes. |
| Complexity of Integrating with IT Resources | Resource integration complexity is a combination of several factors, including: age of resource, underlying infrastructure, operating requirements, and user base. Combined, these factors among others indicate how complex it is to integrate particular resources into the modernized LACS infrastructure. Large numbers of complex resources (including mainframe applications) can rapidly increase overall implementation costs. At a high-level the complexity and cost associated with common application types can be grouped as follows: • Web Based Applications – Low to Moderate Complexity • Client/Server Applications – Moderate to High Complexity • Distributed Applications – Varied Complexity • Mainframe/Legacy Applications – High to Very High Complexity |
| Business Goals/Drivers | Internal agency policies and business needs as well as required compliance with external federal policies and regulations drive organizational requirements for LACS solutions. Certain solutions, while inexpensive, may not always create long term cost savings and may prohibit the organization from meeting certain business goals. |
| Workflow Requirements | Examine the complexity of various manual and semi-manual workflows that are used to provision user accounts and access privileges to IT resources. The number and complexity of an agency’s workflows impacts the schedule and labor costs associated with implementing some LACS solutions. |
| Organizational IT Infrastructure | Specific platforms and operating environments, particularly ones that leverage legacy products, may require additional support and/or custom configuration to achieve the maximum benefit from LACS solutions. This also includes potential costs associated with networking LACS components, high-availability components, etc. Additionally, environments that utilize non-standard Operating Systems may require additional investment to integrate to a modernized LACS infrastructure. |
| Vendor Product Compatibility and Interoperability with Existing Infrastructure | While it is not required for agencies to purchase a Commercial Off-The-Shelf (COTS) Identity Access Management (IAM) product suite, agencies considering this option for modernizing their LACS infrastructure should assess the integration approach of these products to ensure interoperability, and identify and determine a best fit for their current infrastructures, applications, and business needs. Additionally, the availability of enterprise software licenses should be investigated, as these can significantly lower acquisition costs and influence an agency’s make or buy decision. |
Lesson Learned
In order to drive adoption of its enterprise LACS and participation in pilot implementations, USDA offered to fund the initial LACS integration costs for a subset of agency applications that were candidates for early adoption. Doing so increased participation and enabled the Department to demonstrate technical using real world examples.
Determine funding for ICAM solution. As you look to purchase your solution you may find challenges for funding and implementing the investment, where equipment and services will likely be purchased centrally. Below, we’ve included several approaches other agencies have taken to fund their PACS and LACS improvement efforts.
- Incorporate Costs into Existing Investment. There’s no need to have a separate investment for an implementation like an enterprise PACS solutions. You can include the costs for PACS modernization into an existing business case.
- Investment Business Case. Create a new investment request to fund the implementation at the enterprise level. This business case should include details of how the proposed investment would support the agency‘s mission.
- Working Capital Fund. Use a fund that’s able to provide financing to agencies without annual appropriation by Congress for operations that generate receipts. This funding method works well for an agency that’s providing something like an enterprise PACS as a centralized service and has a fee structure for the users across the bureaus/components.
ROI
Agencies are strongly encouraged to institute processes to include language in solicitations and contracts, where applicable, requiring use of the PIV card where encryption and digital signature services are provided. This language would supplement the existing FAR requirements related to using the PIV card for contractor access. This approach not only promotes government-wide consistency in providing these security services, but also supports a greater return on investment (ROI) in leveraging the agency’s existing PIV infrastructure.
Implementation Tip
The products implementing and executing the cryptographic processes with the PIV card must comply with FIPS 140 and be approved by NIST validated laboratory. Agencies should procure products and services from manufacturers who provide architectures that minimize the cost of FIPS 140 by producing components in very high volume, or by amortizing the cost into common components, such as a multi-door controller.
In addition to determining funding needs and obtaining funding, a key aspect of PACS implementation planning is outlining the life cycle activities associated with the modernization effort and determining the project schedule.
Review the Approved Products List (APL). The APL is a list of HSPD-12 related products and services that have been tested through an approved National Institute of Standards and Technology (NIST) test procedure. You can use multiple GSA Schedules to purchase a resource that’s included on the APL. When purchasing products and services for HSPD-12 implementation, you must a follow OMB M-06-18 and use the FIPS 201 Evaluation Program APL. The APL is continuously updated with approved products and technologies. It’s your responsibility to stay current on these changes and incorporate them into your planning during regular technology refresh cycles as part of the capital planning and budget process. You find a complete inventory of Government Certified and Approved Services and Products Listings on GSA’s website.
FAQ
Why are some products and services not represented by a category on the FIPS 201 Product/Service category list?
The FIPS 201 Evaluation Program assesses and approves only products and services for which there are direct requirements specified in FIPS 201. Although they are not part of the Evaluation Program, GSA has also developed qualification requirements and a list of qualified vendor services for other products and services that may be necessary for Homeland Security Presidential Directive 12 (HSPD-12) systems and deployments but have no direct requirements in FIPS 201 (e.g., integration services, contractor managed services and solutions). These can be found at idmanagement.gov.
Implementation Tip
Purchasing products off of the Homeland Security Presidential Directive 12 (HSPD-12) Approved Products List (APL) does not ensure interoperability or appropriateness for your agency’s implementation. Products bought from the APL must be properly integrated and configured to be interoperable with other ICAM programs and services. Prior to acquiring, agencies should determine if the products are appropriate for the risk level and/or design of the ICAM solution.
Identify contract vehicles for ICAM products and services. GSA Schedules are purchasing vehicles for a broad range of products and services. The resources available on the GSA Schedules have pre-approved vendors and pre- negotiated rates. They are not a required acquisition tool, but it provides quick, flexible, cost-effective procurement solutions and assist in compliance by including approved products. Examples of common GSA schedules to review are:
IT Schedule 70
IT Schedule 70 is under the Multiple Award Schedule (MAS) program and gives agencies direct access to commercial experts who are able to address the needs of the government IT Community through a series of Special Item Number (SINs). These SINs cover most of the general purpose commercial IT hardware, software, and services and should be used by agencies as needed to meet their mission objectives as well as ICAM initiatives.
- Refer to SINs 132-60 through 152-62, to find procurement needs to your agency’s ICAM program. These schedules include electronic credentials, PKI services, and HSPD-12 product and services.
- If you agency uses an acquisition vehicle other than GSA IT Schedule 70, your agency will take responsibility for ensuring compliance with the applicable federal standards and requirements.
IT Schedule 84
ICAM implementations often require the acquisition of security products and services, particularly items related to Physical Access Control Systems (PACS). These items may be procured using Schedule 84, which includes a full suite of solutions for law enforcement, security, facilities management, fire, rescue, clothing, marine craft, and emergency/disaster response. Agency procurement personnel may purchase resources off of both schedules to meet their ICAM implementation needs. For example, an agency trying to modernize their PACS could purchase new PIV card readers for access control points off of Schedule 84 and purchase services from the system integrator off of Schedule 70.
When purchasing products and services for its HSPD-12 implementation, an agency must also follow OMB M-06-18 and leverage the Federal Information Processing Standards 201 (FIPS 201) Evaluation Program Approved Products List (APL). In addition to the requirements governing federal acquisitions, an agency has other resources at its disposal to support acquisition for its ICAM program, including the GSA Schedules.
Benefits
More competitive rates and potentially lower costs. Regardless of the method used to access Schedules 70 and 84, GSA has already negotiated fair and reasonable prices for these products and services.
Shorter procurement time. GSA Schedules offer streamlined procurement over agency-negotiated contracts, which can be cumbersome and costly. Additionally, tools such as eBuy and GSA Advantage are available to assist in ordering from both Schedules.
Reduced complexity and effort required to perform due diligence. Agencies purchasing products not included on the GSA APL are responsible for ensuring that the products and services procured meet all applicable federal standards and requirements, ensuring conformance to applicable federal standards for the life cycle of the components, and maintaining a written plan for ensuring ongoing conformance to applicable federal standards for the life cycle of the components.
Elimination of non-compliance with standards and requirements. If the GSA Schedules and the APL are not used, an agency also runs the risk of potential non-compliance if its conformance processes are incomplete or do not keep pace with changes within the GSA Evaluation Program.