Physical security attacks are increasing across all industries. A recent study by the Ontic Center for Protective Intelligence found that since the beginning of 2021, 58% of physical security leaders have received or investigated at least one physical security threat weekly. For federal government facilities, physical security is mission critical, and this trend has further highlighted the importance of security compliances such as the Federal Identity, Credential, and Access Management (FICAM) compliance.
In this article, we discuss what it means to be FICAM compliant, why it is imperative for the protection of our federal buildings and the people within them, and why choosing a security manufacturer that meets these security compliances is paramount for both public and private sectors.
What are security compliances?
Security compliance involves following recognized standards, regulations, and best practices that cover all areas of security, such as physical security, cybersecurity, and information security.
Achieving security compliance involves meeting specific requirements to protect data, systems, and assets from potential threats and vulnerabilities. Compliance frameworks such as ISO 27001, GDPR, or FICAM provide guidelines for organizations to follow to maintain a secure and compliant environment.
What is FICAM Compliance?
FICAM, short for Federal Identity, Credential, and Access Management, is the set of tools, policies, and systems an agency uses to enable the right individual to access the right resource at the right time and for the right reason. Agencies implement these to unify their IT services, strengthen physical access control, and improve information security to ensure critical services remain intact and operational.
In 2004, the US federal government created the Homeland Security Presidential Directive 12 (HSPD12), which directed the United States Department of Commerce to develop federally controlled information systems, including FIPS (Federal Information Processing Standards) 201, and the requirements for a common identity credential.
From this directive, the US government established FICAM, which requires existing physical and logical access control systems to be upgraded to use Personal Identity Verification (PIV) credentials, which are secure, reliable, and interoperable between federal agencies.
What is the purpose of FICAM?
FICAM is a government-wide initiative with the purpose of improving the security of federal information systems and data, providing a standardized and secure framework for identifying federal government employees and contractors, improving trust and interoperability, and controlling access to information systems.
One of the significant benefits of implementing a FICAM compliant system is that it elevates the security of an organization’s access control solution. Federal entities can be confident that only authorized individuals can access sensitive data and facilities.
Understanding the importance of FICAM compliance
In the digital age, organizations must prioritize FICAM compliance. With cyber threats constantly evolving and data breaches becoming increasingly common, it's crucial to take proactive steps to safeguard digital assets and sensitive information.
Choosing a FICAM compliant security manufacturer enables organizations to benefit from the highest level of cyber and physical security, ensuring the right people have access to the right resource, at the right time, for the right reasons, and significantly reducing data breaches.
Benefits of FICAM Compliance
Complying with FICAM regulations offers advantages beyond simply fulfilling regulatory obligations. These benefits include:
- Application of single high assurance credential requirements
- Multi-factor authentication
- Official third-party evaluation
- Appropriate installation and implementation
Single high assurance credential requirements
FICAM certification provides the required physical and logical access through the same credential that is interoperable between federal agencies. This streamlined protocol allows for easier communication and workflow between all government agencies and helps reduce identity fraud and data breaches.
Using a single, highly secure credential removes the issues associated with having multiple access control credentials across different sites. Through FICAM compliance, federal staff don’t need to carry additional credentials for a multitude of facilities, which may open them up to known security vulnerabilities and outdated technology. It also removes the risk of PIN numbers for access control keypads being shared among staff and used for malicious activity.
The private sector is also beginning to follow federally mandated requirements due to funding from the government or understanding the benefits of high assurance credentials for both physical and logical access in highly regulated spaces.
Multi-factor authentication
The multi-layered authentication required to meet FICAM compliance provides the gold standard for optimal security. Multi-factor authentication requires at least two types of authentication, chosen from: something you have, such as a cryptographic key for authentication; something you know, such as a password or PIN number; and something you are, such as a biometric.
This layered approach involves implementing multiple security levels to minimize the risks of security threats and ensure maximum protection for crucial locations.
Official third-party evaluation
Physical security systems that meet FICAM compliance undergo rigorous testing and certification to ensure ongoing compliance and meet interoperability requirements.
Having your product and software tested by an official third party, such as FICAM, minimizes technology challenges and communicates system limitations early on. By comparison, a hardware or software release that doesn’t include third-party testing can unintentionally result in unforeseen bugs and potential incompatibility when mixing manufacturer hardware components.
Appropriate installation and implementation
When installing a high security solution within critical infrastructure, such as federal buildings, using an experienced and approved system integrator is imperative for the protection of federal sites and the people within them.
Specific training requirements for General Services Administration (GSA) Approved Products Lab (APL) deployments, such as the Certified Systems Engineer ICAM PACS (CSEIP) course, ensure that every installation is executed by a specialist individual who has the relevant knowledge and expertise required for the job.
The CSEIP course is required for all GSA APL installations. It provides advanced training for systems engineers and programmers on setting up and testing Enterprise Physical Access Control Solutions (E-PACS) to align with government-wide specifications.
The CSEIP course is hosted by the Secure Technology Alliance and administered by knowledgeable ICAM instructors. It has its own baseline requirements to qualify and ensures only knowledgeable and reputable businesses are certified. For example, applicants must have physical access control system experience and at least one year of experience with PACS manufacturer certification.
At Gallagher, we maintain a certification system for our Certified Channel Partners working in high security environments to ensure the correct deployment of our products. We work closely with them to ensure they deliver you the perfect solution. These partners allow you to choose the installer service that best aligns with your unique requirements and provide you with contestability of installation and maintenance. Training in the Gallagher solution is mandatory and is an ongoing requirement of all our Channel Partners. As techniques, technology, and requirements evolve, so do the skills of our installers.
Gallagher’s FICAM compliant solutions
Gallagher has a proven history and reputation in the delivery of high security solutions around the globe, meeting some of the world’s most stringent physical and cyber security government standards.
Gallagher’s Command Centre delivers an enterprise Physical Access Control System offering strong, real-time authentication of all Federally issued and high assurance credentials.
Our PIV solution delivers exceptional security with particular suitability to any environment that requires high assurance authentication to computer network resources. Designed for compliance with the Federal Information Processing Standards (FIPS) 201-3, its simple, effective, and efficient end-to-end architecture enforces business policies, identity, and credential management for secure environments worldwide.
For 85 years, Gallagher’s solutions have been designed, engineered, manufactured, and distributed from our head office. Our vertically integrated manufacturing model means more control and oversight over the entire life cycle of our end-to-end solutions. That means every component, from software through to hardware, is produced in one place, reducing the number of touchpoints and vulnerabilities faced by other security manufacturers who rely on outsourcing through third parties. Everything stays in house, starting from design all the way through to shipping, ensuring the highest standards in quality control are maintained.
Staying ahead of the curve with FICAM compliance
There are many moving parts within the public sector when it comes to physical access and credential security requirements. New security compliances, regulations, and requirements are continually being introduced, and staying ahead of the curve can be difficult for some government agencies. However, FICAM compliance with access control technologies is imperative for the protection of our federal government.
Choosing a manufacturer and integrator that can meet regulations and security compliances, who is knowledgeable, and truly understands the requirements of the security for federal agencies, is key to successful implementation, ensuring compliance, and reducing risk.