Physical access control is a technical and complex business, and enterprise-wide implementation contracts are often incredibly valuable both in terms of security and cost.

So ensuring these systems are deployed correctly is paramount. With this in mind, the U.S. GSA decided to mandate training for any company that wants to be in the government physical access control business. To provide the training, the Smart Card Alliance developed the Certified System Engineer ICAM PACS (CSEIP) program. The training and certification program provides systems engineers with guidance on system set-up and testing to align with government-wide specifications.

Why certify?

The training program is a necessary step toward more effective implementations, explains Lars Suneborn, the alliance’s director of training and lead for the CSEIP program.

“It is crucial that the federal government, especially those responsible for writing procurement documents, as well as respondents to the requests have a clear understanding of the operation of these systems,” says Suneborn. “Too often it is not clearly understood or communicated properly, resulting in costly and time consuming post-installation system modifications.”

This GSA-approved CSEIP program will provide the training and certification required for physical access control engineers employed by commercial organizations that intend to bid on government access control projects. The hope is that the training program will better ensure that implementations for GSA-managed facilities will be installed properly the first time around.

The certification is designed to offer federal agencies a level of assurance that companies responding to bids have the necessary understanding of the goals and objectives of federal ICAM, Suneborn explain. “It shows that the bidding company has the competency to engineer the system correctly so that the procuring agency can achieve compliance,” he adds.

GSA now requires that all billable work performed on these systems must be done using certified system engineers. Federal mandates specify that agencies must procure physical access control equipment that complies with PIV and federal ICAM requirements. “This includes a long list of standards, performance specifications, operational parameters and language of a very technical and complex nature,” Suneborn says.

The program

Developed in alignment with GSA and relevant NIST publications, the course provides systems engineers with the training to implement PKI and federal ICAM architectures for physical access control.

Trainees receive a set of course materials addressing system operation, PKI management and PIV credentials. A comprehensive three-day program includes both classroom training and a hands-on element to teach best practices for system set-up and testing.

The first day is primarily lecture and discussion. The second day includes extensive hands-on lab training on a live physical access control system. The third day is for the written and practical exams to demonstrate understanding of the training principles and application of that knowledge by configuring a FIPS 201-enabled access control system.

Graduation

Participants must score better than 70% on the written exam, while the practical exam is pass/fail based on successfully processing a valid credential and detecting an invalid credential on the test system.

Graduates receive a certificate of completion and are added to an online directory of certified engineers. Federal contracting agents will use the directory to verify that a commercial organization has met the minimum requirements for the bidding and awarding of a contract.

The accreditation is not required for every individual on site, explains Suneborn. Those staff members responsible for system design and those who serve in a in a technical on-site lead capacity must carry the CSEIP certification. “For a small company on a small project, this may be one person, other installations may require more staff to be accredited,” he says.

Because the subject matter is technical and fast developing, regular training refreshers will be made available. Recertification will be required every two years.

The CSEIP program costs $2,495 per person, with Smart Card Alliance members paying a $1,995. The government rate carries a 28% discount at $1,795, and applies to government employees only, excluding commercially contracted employees working for government agencies. Cost of the program covers the entirety of the three-day training program, course materials and written and practical exams.

---

 

Prerequisites for the CSEIP course:

• One or more PACS manufacturer certifications for design and installation
• One year or more of PACS configuration and installation experience
• One or more completed PACS system implementation
• Knowledge and experience with contactless smart cards and readers
• Basic understanding of network technologies

Learning objectives:

• Public key infrastructure basics
• Biometrics for high assurance credentials
• Credentials
  • PIV data model
  • High assurance credentials types
  • Cardholder populations
• Trusted PACS
  • ICAM
  • Authentication methods
• PKI Configuration for trusted PACS  (both classroom exercises and hands-on computer training

Acronym soup of certification program
GSA	General Services Administration
NIST	National Institute of Standards and Technology
PKI	Public Key Infrastructure
PACS	Physical Access Control System
ICAM	Identity, Credential and Access Management
PIV	Personal Identity Verification
CSEIP	Certified System Engineer ICAM PACS