Termination Process and Oversight of General Services Administration (GSA) Issued Facility Access Cards in GSA Controlled Space in Both Owned and Leased Facilities

Number: 7640.3 ADM
Status: Active
Signature Date: 09/16/2016
Expiration Date: 03/31/2024

1.  Purpose.

This directive defines the oversight and termination process of GSA issued Facility Access Cards (FAC) in General Services Administration (GSA) controlled space.  Below is a phased approach to eliminate the use of FACs while providing alternate access controls and processes.  

2.  Background.

The Homeland Security Presidential Directive (HSPD)-12 Policies for a Common Identification Standard for Federal Employees and Contractors is outlined in the following Federal mandates:

     a.  Office of Management and Budget (OMB).

          -  M19-17 Enabling Mission Delivery through Improved Identity, Credential, and Access Management

          -  M05-24- Implementation of HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors.

          -  M06-18- Acquisition of Products and Services for Implementation of HSPD-12.

    b.  National Institute of Standards and Technology (NIST).

          -  Federal Information Processing Standard (FIPS) 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Computer Security Division Information Technology Laboratory August 2013.

3.  Definitions.

     a. Facility Access Card (FAC).  Any identification card issued by GSA for facility access that is not consistent with HSPD-12 or the mandates above. 

     b. FAC system.  Any system that grants access to GSA controlled space, to include lobbies, parking garages, or IT closets, where the primary communication of the system is not compatible with FIPS 201 because it fails to meet the standard of the Federal Identity Credential and Access Management established by the Federal Chief Information Officers Council and the Federal Enterprise Architecture. 

4.  Scope and applicability.

This Order is applicable to all Physical Access Control Systems (PACS), to include systems that were once listed on the GSA Approved Products List that do not meet the Federal Identity, Credential and Access Management  Standard, established by the Federal Chief Information Officers Council.