Edit this page

Procurements

A good starting point that will help you understand Physical Access Control System procurements is GSA’s PACS Customer Ordering Guide.

This page provides a sample PACS Procurement Checklist. You can reuse or tailor this checklist according to your agency’s practices. The checklist highlights common procurement activities as they relate to the following roles:

  • Information Technology or Physical Security Engineers (ENG)
  • Project Managers (PM)
  • Procurement Officers (PO)
  • Chief Information Officers (CIO)
  • Chief Security Officers (CSO)

Agency staff are encouraged to participate in steps where their roles are listed in blue, bold font.

PACS Procurement Checklist

PACS Procurement Checklist Recommended Participants
1. Identify agency’s need to procure or upgrade a PACS. ENG PM PO CIO CSO
  • Determine whether your agency has a similar effort underway or other projects that could impact the procurement.
  • Determine why the agency needs to procure or upgrade a PACS.
  • Perform a cost-benefit analysis.
2. Develop a PACS project charter. ENG PM PO CIO CSO
  • Identify the PACS project’s executive sponsor.
  • Document a high-level project purpose, scope, and goals.
  • Determine the PACS deployment model required for the project's scope.
  • Identify what standards and requirements need to be addressed (for example, HSPD-12, FIPS 201-2, NIST SP 800-116, Revision 1).
  • Estimate project duration.
3. Identify and obtain support from PACS stakeholders (iterative). ENG PM PO CIO CSO
  • Identify your required and optional stakeholders and request their participation.
  • Include national, regional, state, and local stakeholders.
  • Involve stakeholders from agency Information Technology (IT) teams (for example, architect/engineers, network engineers, security, infrastructure services, directory services, web services).
  • Involve agency facility and personnel support organizations (for example, physical security, building operations, Human Resources).
4. Identify PACS project phases and tasks (iterative). ENG PM PO CIO CSO
  • Document the project’s phases and required tasks. Samples can include:
    • Pre-project planning
    • Site security assessment(s)
    • Develop Statement of Work (SOW)
    • Develop PACS Requirements Document (or Specification)
    • Develop and release Request for Information (RFI)
    • Request for Proposal (RFP)/Request for Quotation (RFQ)
    • Integrator (vendor) evaluation and award
    • Design
    • Implementation
    • Inspections
    • Testing
    • Close-out
    • Sustainment
5. Develop a project schedule (iterative). ENG PM PO CIO CSO
  • Use automated tools or agency software to create a project schedule (that is, project tasks, dependencies, durations, and resources).
  • Share the project schedule with stakeholders to ensure its accuracy and completeness.
6. Conduct a Facility Security Level (FSL) assessment of project-related agency sites and determine Personal Identity Verification (PIV) authentication mechanisms for each site. ENG PM PO CIO CSO
  • For details, see Aligning FSL and Authentication Mechanism.
  • The FSL assessment and chosen PIV authentication mechanisms will form the basis for the PACS requirements document/specification, as well as affect the SOW and project costs.
  • The sample survey questions below will help you assess the FSL of each facility and select the right PIV authentication mechanisms:
    • Who will use a facility’s PACS? Include all possible users.
    • What credentials do the facility’s users and visitors have?
    • What facility access risks exist?
    • How can the facility mitigate these risks?
    • What PACS installations does the facility need?
    • What support systems would be integrated into the facility’s PACS (for example, intrusion detection, video surveillance, emergency notification, elevator control)?
    • What PACS integrator or other contractor services does the agency need to solicit bids on?
    • What PACS hardware and software is needed?
  • Your agency’s selected integrator will help select the approved, needed hardware and software through the GSA Acquisitions process (Schedules 70 and 84, Blanket Purchase Orders, etc.). The following are some useful considerations:
    • What are the facility’s common ingress and egress traffic patterns?
    • What throughput speeds are needed?
    • What are the ongoing operational and projected maintenance needs?
    • What are the training needs for PACS administrators, operators, technicians, and users?
    • Which PIV authentication mechanism(s) will be needed to secure the facility?
7. Develop a PACS requirements document or specification. ENG PM PO CIO CSO
  • When documenting PACS requirements, it’s critical to solicit input from your stakeholders.
  • Organize requirements into clear categories (for example, technical, performance, and operational) to help stakeholder’s give targeted feedback.
8. Release a Request for Information (RFI) to potential service providers. ENG PM PO CIO CSO
  • Create and issue an RFI to vendors that requests specific qualifications and capabilities against PACS requirements.
9. Submit an IT funding proposal following your agency’s budgetary process. ENG PM PO CIO CSO
  • Follow your agency's existing budgetary procedures to submit a funding proposal for the project.
10. Develop an RFP and SOW to solicit GSA-approved integrator bids. ENG PM PO CIO CSO
11. Solicit bids, evaluate, and award integrator contract. ENG PM PO CIO CSO
  • Include these steps during your bid and evaluation process:
    • Identify members of the evaluation committee.
    • Establish evaluation criteria for bid review.
    • Identify how well proposed integrator solutions meet your needs.
    • Document the award rationale and announce contract award decision.
    • Upon request, provide a brief explanation of the award rationale to unsuccessful bidder(s).
12. Develop a PACS architecture and migration strategy. ENG PM PO CIO CSO
  • Define a migration strategy to transition facilities to the new PACS solution.
13. Buy products listed on the GSA PACS APL. ENG PM PO CIO CSO
  • After contract award, your integrator will help you:
    • Choose the best PACS topology (that is, an end-to-end solution of hardware, software, a Certificate Validation System, and PIV credential readers) listed on the GSA PACS APL for the PIV authentication mechanisms selected for your facility.
    • Buy the products and additional services you need by using the GSA MAS, GSA Schedule 70, or GSA Schedule 84. Your chosen integrator will help your agency choose the right PACS products and services, according to your agency’s preferred GSA purchasing vehicle(s).
  • Want to learn more about GSA Schedules? Training is available: On-demand GSA Schedules Training. For help with GSA Schedules, email the GSA National Customer Service Center at NCSCcustomer.service@gsa.gov or call 1-800-488-3111.

If at any time you have PACS procurement questions, contact the GSA IT Customer Service at ITCSC@gsa.gov or call 1-855-482-4348.

Why Can We Buy Only GSA-Approved Products and Services?

GSA’s FIPS 201 Evaluation Program tests all GSA-listed PACS products, topologies, and services for compliance with FIPS 201-2 requirements. Purchasing products listed on the GSA APL ensures product compliance with FIPS 201-2, secure operations, and interoperability.

What Other GSA Resources Can Help Us?

The next section, Training, outlines PACS personnel roles and responsibilities and lists relevant training and certification programs.