Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

PACS Deployment Models

This page will give you a basic understanding of Physical Access Control System (PACS) deployment models.

What Is a Standalone PACS?

A standalone PACS is a local system that controls physical access to a facility or specific areas within it—for example, a Sensitive Compartmented Information Facility (SCIF). Standalone PACSs are facility-centric, and consequently these systems typically do not connect to enterprise networks. While this deployment model tends to be the most common and uncomplicated method of managing access to controlled areas, it has several challenges.

Standalone PACS’ Operational Challenges

Agencies that use standalone PACSs have encountered operational challenges:

  • Sites must independently control physical access.
  • Agencies see delays with credential transfers or terminations.
  • Employees and contractors must re-enroll their credentials for all federal work sites that they visit.
  • Departments inconsistently apply enterprise-wide security policies.
  • Agencies experience reduced situational awareness (for example, logs cannot be correlated across the enterprise).
  • Agencies with many standalone PACSs see increased human error, such as data entry errors.

Can agencies centrally control physical access for most, or all, of their sites? Yes. The answer is to implement an Enterprise Physical Access Control System.

What Is an Enterprise PACS?

An Enterprise PACS (E-PACS) extends the concept of a standalone PACS to act as a unified, enterprise-wide system that controls physical access at most (or all) sites that belong to an agency. E-PACSs address the operational challenges of standalone PACSs and improve system management, scalability, monitoring, and performance.

E-PACSs rely on the same components as standalone PACSs. However, an essential architectural distinction is that an E-PACS connects to an agency’s enterprise network, whereas a PACS typically does not.

Some agencies need standalone PACSs for their unique sites and missions, but most agencies could benefit from transitioning to an E-PACS.

Would an Enterprise PACS Work for Our Agency?

Here are some key E-PACS advantages to consider:

  • One enterprise-wide system controls physical access for many (or all) agency sites.
  • One employee and contractor enrollment system that connects multiple enrollment locations.
  • One credential registration and provisioning point.
  • One enterprise-wide system for administrators to modify or terminate access privileges.
  • One enterprise-wide system that regularly polls for Certificate Revocation List (CRL) updates and maintains revocation data.
  • Reduced costs for system management, such as patching, server system administration, and software updates.
  • Reduced costs for reporting, such as Federal Information Security Modernization Act [FISMA] reporting.
  • Reduced costs for:
    • Server hardware
    • System security assessment and accreditation

The next section, Aligning Facility Security Level (FSL) and Authentication, explains the processes needed to prepare for a PACS deployment and offers more detail related to the FIPS 201-approved PIV authentication mechanisms.

Return to top

IDManagement.gov

An official website of the General Services Administration

Looking for U.S. government information and services?
Visit USA.gov

This site is a collaboration between GSA and the Federal CIO Council. It is managed by the Identity Assurance and Trusted Access Division in the GSA Office of Government-wide Policy.

Edit this page