Edit this page

What is a Physical Access Control System?

A Physical Access Control System (PACS) grants access to employees and contractors who work at or visit a site by electronically authenticating their PIV credentials. Although PACSs are Information Technology systems, they must be designed, deployed, and operated in cooperation with Physical Security teams to successfully meet agency mission needs.

The following table defines common PACS components:

Component Description
Access point Entrance point or physical barrier where an employee or contractor interacts with the PACS. Example access points include turnstiles, gates, and locking doors.
PIV credential Federal employees and contractors use Personal Identity Verification (PIV) credentials to physically access federal facilities and logically access federal information systems.
Credential reader and keypad The reader provides power to and reads data from a PIV credential. The reader also sends this data to a control panel to authenticate the PIV credential and request access authorization. Employees and contractors may need to enter a PIN into the keypad and add a biometric, depending on the facility’s security classification and risk levels.
Biometric reader Captures biometric data (for example, fingerprint or iris scan) and verifies it against the PIV credential’s biometric data.
Control panel Receives the credential data sent by the reader and verifies its presence in the credential holder data repository. It then makes an access decision and transmits authorization data to the access control server and access point.
Access control server Grants authorization to the employee or contractor requesting access (for example, presenting a PIV credential to a reader). It also registers and enrolls employees and contractors; enrolls and validates credentials; and logs system events.
Credential
holder data repository
Contains employee and contractor data and physical access privileges. Control panels use this authoritative data to validate credential data.
Auxiliary Systems Agencies may integrate the PACS with additional facility monitoring systems such as surveillance systems, fire alarm systems, and evacuation systems.

All agency-purchased PACS components must be FIPS 201-compliant and selected from GSA's Approved Products List (APL) for PACS Products. The products in this list have undergone vulnerability and interoperability testing through the FIPS 201 Evaluation Program. As an IT system, a PACS must still complete Certification and Accreditation and obtain an Authority to Operate from your agency before connecting to the network.

Characteristics of a FICAM-Compliant PACS

In May 2019, the Office of Management and Budget (OMB) released memorandum M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management. Related to PACS, M-19-17 rescinded memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors. The updated guidance adds further specificity to require the use of PIV credentials for physical access to Federal facilities, implemented per The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard and NIST SP 800-116, Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS).

Characteristics of NIST SP 800-116, Revision 1, compliant systems include, but are not limited to:

  • Use high-assurance credentials for electronic authentication of employees and contractors.
  • Use non-deprecated authentication mechanisms, as defined by FIPS 201-2.
  • Validate the status and authenticity of credentials.
  • Interoperate with PIV credentials issued by other agencies.
  • Use components listed on the GSA FIPS 201 Approved Products List (APL).

The next section, PACS Deployment Models, describes common deployment models for PACS.