Manage Access Control Playbook

Edit this page

Step 5 - Conduct a Risk Assessment

Risk assessments should be conducted for both physical (e.g., facilities) and logical (e.g., network and infrastructure) resources. You must follow federal guidelines outlined in the Risk Management Process for Federal Facilities: An Interagency Security Committee Standard and the Guide for Applying the Risk Management Framework to Federal Information Systems. The Resource Risk Assessment will also help create access control requirements based on the level of risk identified for each resource.

Additional Facility Risk Assessment Considerations

  • HSPD-7 Critical Infrastructure Protection Mandates. This mandate establishes a national policy for federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from a terrorist attack. HSPD-7 identifies 17 sectors that require protective actions to prepare for, protect, or militate against a terrorist attack or other hazards.
  • National Infrastructure Protection Plan (NIPP). The use of the NIPP risk management framework is a part of the overall effort to ensure the protection and resiliency of our Nation‘s Critical Infrastructure/Key Resources. The NIPP includes the Government Facilities Sector Plan, which provides an approach to enhancing protection of government facilities.

Facilities and access points should be protected based on risk. Use the chart below to find a summary of the main steps that are considered industry best practices when conducting a facility risk assessment.


Process Integration Step
Description
Key Considerations
Step 1: Set Security Goals Define specific outcomes, conditions, end points, or performance targets that collectively constitute an effective protective posture or baseline. • Your agency’s security control posture and risk tolerance

• Federal security requirements, including FICAM security targets for PACS
Step 2: Identity Develop an inventory of the assets, systems, and access points that exist within a facility. • Range of systems and assets within a given facility

• Calculated value of assets within a given facility
Step 3: Assess Determine risk by identifying potential consequences of vulnerabilities. • Likelihood of occurrence

• Impact if vulnerabilities are exploited

• Local conditions and the area surrounding a facility
Step 4: Analyze Categorize and analyze risk assessment results to develop a comprehensive picture of facility risk. • Relevant legislation, policies, and standards

• Protection priorities and adequate countermeasures


The end result of the risk assessment is a complete risk profile of the facility. This information helps physical security implementers make decisions regarding appropriate security countermeasures to employ, including electronic (e.g., video surveillance, intrusion detection, Physical Access Control System, etc.), physical (e.g., bollards, gates), and guard force.

When applying the results of the facility risk assessment to the design of its Physical Access Control System (PACS), determine the risk level of a particular facility and individual areas within the facility that will be protected by a controlled access point. Then determine the appropriate authentication mechanism(s) that should be deployed at each access point, as defined in SP 800-116. SP 800-116 uses the restricted area concept of ― Controlled, Limited, Exclusion areas to address individual areas nested within a facility that may have specific security requirements. They are defined as follows:

  • Exclusion Area. An Exclusion area is a restricted area containing matter of such nature that access to the area constitutes access to the security interest or matter.
  • Limited Area. A Limited area is a restricted area containing matter of such nature that uncontrolled movement will permit access to the security interest or matter. Access in Limited areas may be controlled by requiring escorts or by other internal restrictions and controls.
  • Controlled Area. A Controlled area is that portion of a restricted area usually near or surrounding an Exclusion or Limited area. Entry to the controlled area is restricted to authorized personnel.


Lesson Learned

It can be difficult to analyze a site for its risks and know how to apply the appropriate guidance while keeping cost savings in mind. Assembling a small team of cross functional resources (including physical security, IT, etc.) from your ICAM program to help bureaus/components or individual sites conduct facility risk assessments and make decisions regarding the best way to achieve a compliant PACS.


Once you have determined the appropriate authentication mechanisms based on a facility‘s risk, make decisions based on the best PACS solution and how to fund its implementation.


Implementation Tip

Agencies frequently occupy leased space where the landlord controls the exterior physical security. If the existing system cannot process the PIV card for physical access, establish an access point at the entry to the agency- controlled space to meet PIV card authentication requirements.