ficam-pacs's Introduction

This work is in early Alpha stage and is led by the GSA FICAM Program, in coordination with the ICAM Subcommittee of the Federal CIO Council and members of the Secure Technology Alliance Access Control Council.

(Additional repositories are under development for community contributors to share ICAM implementation guides, code, reference implementations, and solutions.)

Federal Identity, Credential, and Access Management (FICAM) Physical Access Control Systems (PACS)

This repository is for the collaborative development of the implementation guidance for FICAM PACS. The content supports the creation and future versions of "Modernizing PACS Infrastructure," previously found in the FICAM Roadmap and Implementation Guidance v2.0, Section 7.

Collaboration Overview

  1. Federal agencies would like an updated Physical Access Control System (PACS) implementation guide to:
  • Replace the FICAM Roadmap’s “Modernize PACS Infrastructure” section, as part of its deprecation process
  • Understand enterprise physical access control systems
  • Align Facility Security Level (FSL) and authentication
  • Procure a physical access control system
  • Identify recommended training
  2. The existing draft in this repository was submitted by the Access Control Council of the Secure Technology Alliance and used a white paper model.
  • It needs to become a digital Playbook.
  • It needs to incorporate standard operating procedures and lessons learned from federal agencies.

Required Actions

GSA, federal agencies, and industry contributors will collaboratively revise the Playbook draft to meet the above objectives. Guidelines for content revisions are:

  • Digital friendly navigation (logical structure) to help the user find information quickly
  • Content compliance with current government policies, standards, regulations, and practices
  • Unnecessary content is eliminated
  • Any subjective material is removed; all information shall be objective
  • Short sentences, bullets, and checklists are used
  • Mobile-friendly, updated graphics are used based on the FICAM Architecture or other government graphics
  • Plain language and active voice
  • Acronyms are removed where not needed
  • Referenced documents are verified and do not include deprecated policy, standards, or best practices

Expected Outcomes

  • A clear, cohesive, user-friendly Playbook that will give federal agencies the information needed to understand, manage, procure, and deploy an enterprise physical access control system that complies with government policies, standards, regulations, and practices.

  • Should be understandable by Program Managers and Engineers.

Milestones and Issues (Links)

Content Pages for Contributors (Link)

General Practices

This content is Vendor-neutral. Marketing materials for Commercial Products should not be submitted. If you would like to contribute a page or content which includes Commercial Products or specific references for development and engineering, please review the Commercial Product trademark or copyright guides from the Product Vendor and reference those guides in your Pull Request.

Plain Language

Contributors should consider the audience when submitting content. Plain language benefits a broad audience. Review your proposed content for use of acronyms and specialized jargon before submitting.

How to Contribute

For information on how to contribute to the site, review Contributing. The source repository is ficam-pacs.

Direct changes and line edits to the content may be submitted through a Pull Request by clicking Edit this page (upper right-hand corner of each page). You do not need to install any software to submit content. You can use GitHub's in-browser editor to edit files and submit a Pull Request for your changes to be merged.

Public domain

This project is in the worldwide public domain.

This project is in the public domain within the United States. Copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a Pull Request, you are agreeing to comply with this waiver of copyright interest.

Special Thanks

This repository is based on GitHub Pages and Jekyll templates.

Special thanks to the teams at 18F, 18F Pages, and US Digital Services Playbooks for their open and transparent model, which benefits citizens, government, and technology.

ficam-pacs's People

Contributors

clstmbrly, djpackham, idmken, lachellel, ryancdickson

ficam-pacs's Issues

Remove Deploy a PACS Section

Description of Issue:

  • Suggest removing the “Deploy a PACS” section
  • Move the referenced standards information to the “Aligning Facility Security Level and Authentication” section

Detailed Suggestions:

  • Remove the “Deploy a PACS” section
  • Move the referenced standards (FIPS 199, 200, and NIST SP 800-53, Revision 4, etc.) to the “Aligning Facility Security Level and Authentication” section, where security categorization and security controls are discussed. Simply state what the agency needs to do to comply with these standards.
  • Who is the target audience for the information about NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”? Suggest removing this information.
  • For referenced documents cited in main body, use only identifiers and titles (e.g., FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems”). Full citations will be included in a "Standards and Policies" section.

Link to Additional Guidelines:

Link to Navigation (Outline) Issue:

#2

Link to the Content Page for Contributors:

Need to Decide on Navigation Menu Items

Description of Issue:

The minimum viable navigation items for the PACS playbook need to be decided on

Details of Issue:

Current navigation items are:

  • Introduction
  • Basics of a PACS
  • Getting Started
  • Use Cases
  • FAQ
  • Contribute

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Revise Introduction Section

Description of Issue:

  • Revise the “Introduction” section to briefly state the PACS Playbook’s purpose, target audience, and major topics list.

Detailed Suggestions:

  • Delete the “Background” section.
  • Delete the “Physical Access Control System Playbook” title. (The Playbook title will appear in Federalist web view.)
  • Revise the second paragraph to read: “This Playbook will help physical access control systems architects, engineers, and project managers implement physical access control systems (PACS) that work with Personal Identity Verification (PIV) cards. It will walk you through how to:”
  • Revise the bullet list to read:
    o Understand enterprise physical access systems
    o Align facility security level (FSL) and authentication
    o Procure a PACS
    o Identify training
    o Locate related standards, policies, and guidance”

Link to Additional Guidelines:

https://github.com/GSA/ficam-pacs/blob/staging/README.md

Link to Navigation (Outline) Issue:

#2

Link to the Content Page for Contributors:

https://federalist-proxy.app.cloud.gov/preview/gsa/ficam-pacs/pacs-playbook/

Revise Training Section

Description of Issue:

  • Identify the target audience and revise accordingly
  • Clarify whether the recommended training for PACS projects applies to only Federal Government team members
  • Use consistent terms for roles
  • Restructure to improve the logical flow of information and revise content for clarity

Detailed Suggestions and Questions To Consider:

  • Restructure this section. Change “What Training Is Required?” to Training (level 1 heading) and add 3 subsections:

    o Technical Roles and Responsibilities (level 2 heading). State briefly each role’s responsibilities.
    o Recommended Training (level 2 heading). State briefly the recommended training for each role.
    o Opportunities (level 2 heading). (Renamed from “Where Can I Get Training?”)

  • The target audience for this section is unclear. Is the audience government only? Does it consist of “physical access control system architects, engineers/implementers, and project managers,” as stated in the Playbook introduction? Do the roles, “IT support personnel, administrators, operators, and technicians,” all belong to the “engineers/implementers” group?

  • Add a purpose statement upfront. For example: “This section identifies recommended training for Federal Government team members who support PACS implementation projects.” If appropriate, add: “Contractors should possess the required certifications and skills at contract start; however, continuous training and development for contractors is recommended.” (Correct for accuracy, as needed.)

  • Provide links to where an agency user can buy or attend the training options (aligned with submitting their annual training plan and using their annual training budget).

  • Identify what, if any, additional training would be needed if “agency IT support personnel and application administrators…are trained by individual PACS manufacturers.”

  • How would an operator get this training: “Operator training should be tailored to [an] agency’s policies and procedures, the individual’s role within [an] agency, and [the] facility’s PACS configuration”?

  • The "project manager" is mentioned in the first sentence of this section. Does the PM fulfill the “procurement” role? What training is required?

  • Would a CPP apply (i.e., those who manage security programs) to a role on a PACS implementation project?

  • What PACS implementation role would need a CSPM—a PACS architect?

  • Remove statements that don’t add value (for example, “the team as a whole must have a wide range of knowledge and experience” and “some training will be general,” etc.).

  • Tighten content; remove filler.

  • Remove technical details about PACS covered in other sections.

Link to Additional Guidelines:

Link to Navigation (Outline) Issue:

Link to the Content Page for Contributors:

Migrate ACC Playbook to GitHub Markdown as “PACS Playbook” for Community Collaboration

Description of Issue:

The ACC Playbook needs to be migrated to GitHub Markdown to become the "PACS Playbook" to allow for continued development.

Details of Issue:

A number of organizations have worked on this Playbook over time. The Playbook's migration to GitHub Markdown will allow the community to openly collaborate and contribute to its further development.

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Revisions are needed. New content may be needed. Expected outcome is a clear, cohesive, well-written, and useful PACS guide.

Link to the Content Page for Contributors:

https://github.com/GSA/ficam-pacs/tree/pacs-playbook/pages

Revise Enterprise Physical Access Control Systems Section

Description of Issue:

  • Update the "Enterprise Physical Access Control Systems" section with current information, practices, and graphics
  • Restructure to improve the logical flow of information
  • Revise content for succinctness and clarity

Detailed Suggestions:

  • Revise with the target audience in mind
  • Add a purpose statement upfront
  • Structure titles and content for logical flow of information
  • As needed, migrate pertinent information from the "FICAM Roadmap" to the PACS Playbook
  • Update with current information and practices
  • Revise content for succinctness and clarity
  • Remove descriptions of outdated practices and all non-essential information
  • Use bullets, steps, and checklists wherever possible (for example, use a bullet list of reasons to consider enterprise-wide physical access control systems, not “An Enterprise PACS management system can help reduce human error, reduce costs, and provide a unified view of all identities and their privileges.”)
  • Remove subjective statements (for example, “The ATO process can be costly and tedious and involves each PACS vendor, who may need to update or patch its software to fix security flaws.”)
  • Update/modernize graphics to use newer visuals and icons
  • Remove references to the FICAM Roadmap
  • Don't include document reference details. (These will be included in a "Standards and Policies" section.)

Link to Additional Guidelines

https://github.com/GSA/ficam-pacs/blob/staging/README.md

Link to the Content Page for Contributors:

https://federalist-proxy.app.cloud.gov/preview/gsa/ficam-pacs/pacs-playbook/enterprisepacs/

Search.gov Integration - In-Progress

Description of Issue:

  • Search is not fully integrated with pacs.idmanagement.gov.

Details of Issue:

  • IDManagement.gov Search results do not present items from pacs.idmanagement.gov site

Steps to recreate issue:

Steps taken to resolve issue:

  • Reviewed config.yml
  • Compared configuration across playbook sites where search is functional.
  • Enabled sitemap gem as requested by Search.gov support team. Confirmed indexing was successful.
  • Awaiting feedback from Search.gov team on next steps.

References (Docs, Links, Files):

N/A

If a New Page or Content is Needed, Expected Outcomes:

N/A

Link to the Content Page for Contributors:

N/A

Create and Revise Aligning Facility Security Level (FSL) and Authentication Section

Description of Issue:

  • Create a new major section: “Aligning Facility Security Level (FSL) and Authentication”
  • Under this section, combine 2 existing, major sections: “Determine Facility Risk” (previously "Selecting Determining Facility Risk") and “Select Authentication Mechanism” (previously "Selecting the Appropriate Authentication Mechanism")
  • Update this section with current information, practices, and graphics
  • Restructure to improve the logical flow of information and revise content for clarity

Detailed Suggestions:

  • Combine 2 existing, major sections: “Determine Facility Risk” and “Select Appropriate Authentication Mechanism." Include the subsection: "Determine Authentication Factors" (previously "What Authentication Mechanisms Are Available?")
  • Revise with the target audience in mind
  • Add a purpose statement upfront
  • Structure titles and content for logical flow of information
  • Remove outdated practices and non-essential information. Update content with current information and practices.
  • For the audience's benefit, use FIPS 199 and other Standards' terminology (for example, security categorization terms should be "low-, moderate-, and high-impact"), rather than creating different terms. Clarify that the security area categories, "controlled, limited, and exclusion" relate to "risk-based PIV authentication mechanisms for different areas within a facility," per NIST SP 800-116. Eliminate confusion between the Playbook's two similar terms, security categorization and security area categories. SP 800-116, uses the term, "boundaries" (in one case), for "controlled, limited, and exclusion."
  • Use bullets, steps, and checklists wherever possible (for example, convert the “What Do I Need in My Site/Agency?” information to a checklist and move to an upfront location in Playbook [location – TBD]).
  • Incorporate standard operating procedures (SOPs) and lessons learned from federal agencies
  • Ensure compliance with federal policies and standards
  • Update/modernize/clarify graphics using newer visuals and icons
  • Combine tables that repeat similar information (for example, Tables 1-3)
  • Remove references to deprecated documents (for example, FICAM Roadmap, Field Manual 3-19.30, etc.)
  • Limit referenced documents lists in main body
  • For referenced documents cited in main body, use only identifiers (e.g., NIST SP 800-116) and titles. Full citations will be included in a "Standards and Policies" section.

Link to Additional Guidelines:

https://github.com/GSA/ficam-pacs/blob/staging/README.md

Link to Navigation (Outline) Issue: #2

Links to the Content Pages for Contributors:

https://federalist-proxy.app.cloud.gov/preview/gsa/ficam-pacs/pacs-playbook/facilityrisk/

https://federalist-proxy.app.cloud.gov/preview/gsa/ficam-pacs/pacs-playbook/authmech/

Add search

Description of Issue:

Add search

Details of Issue:

  • The site needs to be live
  • The analytics are updated
  • The site is added to the idmprod search search.gov
  • The search string added to config
  • Search added to the top level navigation - replaces "view site code"

See branch in piv-guides repo for example (not live) of the search addition

Navigation

Description of Issue:

Define the navigation and flow for the target audience

Details of Issue:

Current navigation was built from a whitepaper model versus a digital content model

Concepts are confused: Standalone vs. Enterprise; legacy credentials vs. FICAM compliant

Description:
This page should separate the concepts of PACS Technology from Standalone vs. Enterprise PACS deployment. These are three separate topic areas. Many PACS vendors, prior to FICAM compliance, supported both standalone and the ability to scale that capability to Enterprise wide access control. PACS Technology speaks to FICAM compliance (using strong auth from PIV/PIV-I/CIV) vs. traditional technologies (ISOProx, iCLASS, Indala, magstripe, barcode, etc.). Here may cover the changes to PACS technology to support strong auth with PKI, revocation status through CRL, etc.

Issues:

  1. Instead of "Types of PACS" I would recommend language like "Deployment Models for PACS". This gets to the heart of standalone vs. Enterprise deployment. It allows discussion of the, still ongoing, needs for standalone (SCIF, SBU but operationally sensitive enough of an area to warrant local control) vs. enterprise overarching goals (Insider threat, CDM, who is where right now).
  2. PACS Technology should be described to incorporate "deployed technologies" vs. FICAM compliant technologies. This allows the introduction of:
  3. Deployed technologies
    - Architectures
    - Technology
    - Capabilities and risks
  4. FICAM compliant technologies
    - Topologies
    - Technology
    - Capabilities and risks
  5. Then discuss migration objectives of FICAM for PACS.
  6. Discussion of standalone vs. enterprise within the context of FICAM
    - Support for Insider Threat, CDM, etc.
  7. Discussion on technology selection
    - FICAM compliance
    - Directives/Memoranda/Standards/Guidelines for compliance

Update jQuery

Description of Issue:

Update jQuery to latest stable version.

Details of Issue:

N/A

References (Docs, Links, Files):

N/A

If a New Page or Content is Needed, Expected Outcomes:

N/A

Link to the Content Page for Contributors:

N/A

Revise Procurements Sections

Description of Issue:

Update the “Procurements” section:

  • Consider rewording this section as FAQs
  • Ensure that information is current
  • Restructure to improve the logical flow of information and revise content for clarity
  • Focus on federal agencies’ needs

Detailed Suggestions:

  • Revise with the target audience in mind
  • Add a purpose statement upfront
  • Link to the GSA’s Approved Products List – PACS Products and consider rewording this section as FAQs
  • Restructure subsections to improve the logical flow of information
  • For the first section, combine “How Do I Buy a Compliant PACS?” with the content from “What is a GSA APL-Listed PACS?”
  • Include lessons learned from federal agencies, as appropriate.
  • Remove non-essential information (for example, remove “Why Does My Agency Need This?” section)
  • Tighten content and eliminate redundancies
  • Use bullets, steps, and checklists, as appropriate for FAQs
  • Remove all vendor-focused information, including links to the FIPS 201 Evaluation Program webpage
  • Change "IdentityManagement.gov" to "IDManagement.gov."

Link to Additional Guidelines (README):

https://github.com/GSA/ficam-pacs/blob/staging/README.md

Link to Navigation (Outline) Issue: #2

Link to the Content Page for Contributors:

https://federalist-proxy.app.cloud.gov/preview/gsa/ficam-pacs/pacs-playbook/procure/

Remove PIV and PIV-I Considerations Section

Description of Issue:

  • Suggest removing the PIV and PIV-I Considerations section
  • In the “Aligning Facility Security Level and Authentication” section, link to resources that provide detailed PIV information (and PIV-I if needed). (Some links provided below.)
  • Provide a brief PIV discussion (including PIV-I if needed), as it relates to Enterprise Physical Access Control Systems in the “Aligning Facility Security Level and Authentication” section

Details of Issue:

  • Remove the PIV and PIV-I Considerations section
  • Provide a brief PIV discussion (including PIV-I if needed) as it relates to Enterprise Physical Access Control Systems in the “Aligning Facility Security Level and Authentication” section, under the ACC Playbook’s former subtitle, “What Authentication Mechanisms Are Available?” (Suggest subtitle change to “Determine Authentication Factors.”) Some statements could be extracted from the ACC Playbook’s “PIV and PIV-I Considerations” for this discussion.
  • Link to resources that provide detailed PIV information (and PIV-I if needed) in the “Aligning Facility Security Level and Authentication” section, “Determine Authentication Factors” subsection. For example:
    o www.piv.idmanagement.gov
  • Under the “Aligning Facility Security Level and Authentication” section, “Determine Authentication Factors” subsection, provide links to PIV-related standards and policies if needed. (Footnotes may be used to provide these links.) For example, use these links:
    o https://piv.idmanagement.gov/#where-can-i-find-the-standards
    o https://csrc.nist.gov/projects/piv/piv-standards-and-supporting-documentation
    o https://csrc.nist.gov/Topics/Laws-and-Regulations/executive-documents/HSPD-12
  • "Does PIV-I affect Federal agencies and employees?" section: PIV-I advantages aren't relevant to PACS focus.
  • Information on PIV card readers and availability through the GSA’s Approved Products List (APL) should be mentioned in the Playbook (location – TBD); however, differences between PIV and PIV-I readers shouldn't be included.
  • Move specific links (OMB Memoranda, etc.) to the “Standards and Policies” section, unless there is an important reason to call out a policy/standard.
  • When citing documents, use only document titles in the main body. Provide full citations in the “Standards and Policies” section.

Link to Additional Guidelines:

Link to Navigation (Outline) Issue: #2

Link to the Content Page for Contributors:
