Procurements

A good starting point that will help you understand Physical Access Control System procurements is GSA’s PACS Customer Ordering Guide.

This page provides a sample PACS Procurement Checklist. You can reuse or tailor this checklist according to your agency’s practices. The checklist highlights common procurement activities as they relate to the following roles:

Information Technology or Physical Security Engineers (ENG)
Project Managers (PM)
Procurement Officers (PO)
Chief Information Officers (CIO)
Chief Security Officers (CSO)

Agency staff are encouraged to participate in steps where their roles are listed in bold underlined font.

PACS Procurement Checklist

PACS Procurement Checklist	Recommended Participants
1. Identify your agency’s need to procure or upgrade a PACS.	ENG	PM	PO	CIO	CSO
Determine whether your agency has a similar effort underway or other projects that could impact the procurement. Determine why the agency needs to procure or upgrade a PACS. Perform a cost-benefit analysis.
2. Develop a PACS project charter.	ENG	PM	PO	CIO	CSO
Identify the PACS project’s executive sponsor. Document a high-level project purpose, scope, and goals. Determine the PACS deployment model required for the project's scope. Identify what standards and requirements need to be addressed (for example, HSPD-12, FIPS 201-2, NIST SP 800-116, Revision 1). Estimate the project's duration.
3. Identify and obtain support from PACS stakeholders (iterative).	ENG	PM	PO	CIO	CSO
Identify your required and optional stakeholders and request their participation. Include national, regional, state, and local stakeholders. Involve stakeholders from agency information technology (IT) teams (for example, architect/engineers, network engineers, security, infrastructure services, directory services, web services). Involve agency facility and personnel support organizations (for example, physical security, building operations, Human Resources).
4. Identify PACS project phases and tasks (iterative).	ENG	PM	PO	CIO	CSO
Document the project’s phases and required tasks. Samples can include: Pre-project planning Site security assessment(s) Develop Statement of Work (SOW) Develop PACS Requirements Document (or Specification) Develop and release Request for Information (RFI) Request for Proposal (RFP)/Request for Quotation (RFQ) Integrator (vendor) evaluation and award Design Implementation Inspections Testing Close-out Sustainment
5. Develop a project schedule (iterative).	ENG	PM	PO	CIO	CSO
Use automated tools or agency software to create a project schedule (that is, project tasks, dependencies, durations, and resources). Share the project schedule with stakeholders to ensure its accuracy and completeness.
6. Conduct a Facility Security Level (FSL) assessment of project-related agency sites and determine Personal Identity Verification (PIV) authentication mechanisms for each site.	ENG	PM	PO	CIO	CSO
For details, see Aligning FSL and Authentication Mechanism. The FSL assessment and chosen PIV authentication mechanisms will form the basis for the PACS requirements document/specification as well as affect the SOW and project costs. The sample survey questions below will help you assess the FSL of each facility and select the right PIV authentication mechanisms: Who will use a facility’s PACS? Include all possible users. What credentials do the facility’s users and visitors have? What facility access risks exist? How can the facility mitigate these risks? What PACS installations does the facility need? What support systems would be integrated into the facility’s PACS (for example, intrusion detection, video surveillance, emergency notification, elevator control)? What PACS integrator or other contractor services does the agency need to solicit bids on? What PACS hardware and software is needed? Your agency’s selected integrator will help select the approved, needed hardware and software through the GSA Acquisitions process (Schedules 70 and 84, Blanket Purchase Orders, etc.). The following are some useful considerations: What are the facility’s common ingress and egress traffic patterns? What throughput speeds are needed? What are the ongoing operational and projected maintenance needs? What are the training needs for PACS administrators, operators, technicians, and users? Which PIV authentication mechanism(s) will be needed to secure the facility?
7. Develop a PACS requirements document or specification.	ENG	PM	PO	CIO	CSO
When documenting PACS requirements, it’s critical to solicit input from your stakeholders. Organize requirements into clear categories (for example, technical, performance, and operational) to help stakeholders give targeted feedback.
8. Release a Request for Information (RFI) to potential service providers.	ENG	PM	PO	CIO	CSO
Create and issue an RFI to vendors that requests specific qualifications and capabilities against PACS requirements.
9. Submit an IT funding proposal following your agency’s budgetary process.	ENG	PM	PO	CIO	CSO
Follow your agency's existing budgetary procedures to submit a funding proposal for the project.
10. Develop an RFP and SOW to solicit GSA-approved integrator bids.	ENG	PM	PO	CIO	CSO
You can reuse the GSA PACS Customer Ordering Guide’s Sample Statement of Work, page 17. For help creating an RFP, see Enabling Strong Authentication with PIV Cards: PKI in PACS Recommended Procurement Language for RFPs Version 1.1. For help with Requests for Quotations (RFQs), see GSA’s eBuy RFQ Online Tool.
11. Solicit bids, evaluate, and award integrator contract.	ENG	PM	PO	CIO	CSO
Include these steps during your bid and evaluation process: Identify members of the evaluation committee. Establish evaluation criteria for bid review. Identify how well proposed integrator solutions meet your needs. Document the award rationale and announce the contract award decision. Upon request, provide a brief explanation of the award rationale to unsuccessful bidder(s).
12. Develop a PACS architecture and migration strategy.	ENG	PM	PO	CIO	CSO
Define a migration strategy to transition facilities to the new PACS solution.
13. Buy products listed on the GSA PACS APL.	ENG	PM	PO	CIO	CSO
After contract award, your integrator will help you: Choose the best PACS topology (that is, an end-to-end solution of hardware, software, a Certificate Validation System, and PIV credential readers) listed on the GSA PACS APL for the PIV authentication mechanisms selected for your facility. Buy the products and additional services you need by using the GSA Multiple Award Schedule (MAS). Your chosen integrator will help your agency choose the right PACS products and services, according to your agency’s preferred GSA purchasing vehicle(s). Want to learn more about GSA Schedules? Training is available: On-demand GSA Schedules Training. For help with GSA Schedules, email the GSA National Customer Service Center at NCSCcustomer.service at gsa.gov or call 1-800-488-3111.

If at any time you have PACS procurement questions, contact the GSA IT Customer Service at ITCSC at gsa.gov or call 1-855-482-4348.

Why Can We Buy Only GSA-Approved Products and Services?

GSA’s FIPS 201 Evaluation Program tests all GSA-listed PACS products, topologies, and services for compliance with FIPS 201-2 requirements. Purchasing products listed on the GSA APL ensures product compliance with FIPS 201-2, secure operations, and interoperability.

What Other GSA Resources Can Help Us?

GSA Schedules - General Information
GSA Schedules - Tools and Resources
GSA Multiple Awards Schedule (MAS)
GSA Multiple Awards Schedule (MAS) Categories
GSA Multiple Awards Schedule (MAS) News and Updates
GSA’s eBuy RFQ online system enables you to post requirements, obtain quotes, and issue orders electronically.
Approved Certified System Engineer ICAM PACS (CSEIP) List. Agencies must use FIPS 201-approved integrators and other contractors. The “lead designer” for FIPS 201-approved integrators must possess a Certified System Engineer ICAM PACS (CSEIP) certification or be certified by another federally recognized certification program.

The next section, Training, outlines PACS personnel roles and responsibilities and lists relevant training and certification programs.