Focus moves from component testing to system interoperability
Mixed reaction from stakeholders
The new requirements seem to be a proverbial mixed bag. On the plus side, the systems agencies are deploying are operating properly and securely, but it’s taking significant time for vendors to have their systems tested and placed on the list, costing them sales.
Allegion manufactures wall-mounted smart card readers and wireless reader and lock peripherals for physical access control systems that were certified under the first FIPS 201 Approved Products List. When the government progressed to FIPS 201-2, it removed the APL, replaced it with a current approved products list based on FIPS 201-2, and placed all the legacy products on the removed product list. This impeded Allegion’s ability to sell these products on federal projects, says Terry Collins, director of government sales at Allegion.
Since Allegion only provides one component of an overall physical access control system, the company must find partners with the other components to test under the new FIPS 201-2 requirements, Collins says. Allegion is still waiting for its first overall system to be approved – the first of which should be submitted to the GSA later this year.
Vendors must first have a full system available in order for testing to take place. If that full system passes, then Allegion would go on the APL with that specific system. Allegion must have their components tested with other PACS providers as well, which will mean many more testing cycles, explains Collins.
While vendors seemingly have to jump through more hoops, the end result will be systems that work and are more secure, says Lars Suneborn, director of training programs at the Smart Card Alliance. The organization runs the training program to certify physical access control system installers as required by the GSA.
The changes were designed to make sure that the system works with all the components and is truly secure, Suneborn says. The changes brought on by FIPS 201 and the more recent changes from the GSA bring about a shift in how physical access control systems are built and deployed, he says. While procurement officers would previously go down the approved products list and pick and choose components, now they have to choose systems and certified installers.
Progress to date
The Smart Card Alliance has been running training classes for more than a year, Suneborn says. More than 120 individuals have been certified. As for the APL, there are 25 vendors with 27 solutions available for agencies to purchase.
Even though there are certified technicians to install the systems, along with entire systems now available, they still aren’t necessarily being deployed. Educating federal procurement officers on these requirements is the last step, Zivney says. Those in the DC Beltway know about the requirements, but those at smaller facilities outside have no idea. “Unless we train the procurement officers it’s still going to be a problem,” he says.