Defense-in-Depth: How Key Control Protects Government Facilities

Protecting government facilities and information from security breaches is essential for maintaining national security. Whether you’re a security executive, senior official, legal counsel, or occupational health and safety representative, it's important to do your part to avoid the devastating impact of security breaches.

The Interagency Security Committee (ISC)'s latest guidance, "Security Convergence: Achieving Integrated Security," offers recommendations for integrating information security, physical security, cybersecurity, and information technology. The ISC recommends defense-in-depth, which involves creating multiple barriers to protect against threats across different layers of the organization, from physical access controls to cybersecurity measures.

Electronic key control systems can play an essential role in a defense-in-depth strategy, helping you meet the ISC's guidelines and restrict access to authorized personnel only. Here's how:

Security Countermeasures

Security countermeasures help detect, delay, mitigate, or prevent security threats that could compromise facility security. Alarm systems, access control systems, video surveillance, fences, and barriers are just a few examples of the tools your agency might use.

Electronic key control supports these countermeasures by ensuring only authorized personnel have access to the keys that unlock doors and other access points. If someone doesn’t return a key on time, administrators will receive a text or email alert. This added security helps prevent unauthorized access to sensitive technology, buildings, or data.

Security Controls

Built on the NIST Risk Management Framework, security controls are technical and procedural measures designed to safeguard against unauthorized access to systems and information.

A pivotal part of the framework is recognizing the warning signs of insider threats and reporting them promptly. In addition, the Federal Information Security Modernization Act requires security awareness training that covers the risks associated with agency policies and procedures designed to mitigate risk. Your agency should also provide role-based training to personnel with significant information security responsibilities.

Electronic key control helps reduce the risk of theft, sabotage, or other criminal activity by automatically authenticating users and recording who checks out which keys, when, and why. You can set up the system to sound an alarm or send a text or email alert to the appropriate personnel if red flags arise. Events that trigger an alarm could include:

• Attempting to log in with someone else’s password.
• Retrieving more keys than the user requested.
• Returning a key a user didn’t originally check out.
• Failing to return a key before its due date.
• Cutting power to the machine.
• Taking a key outside the user’s access level.
• Leaving a system drawer open past the allotted drawer open time.

By combining these measures with cybersecurity best practices and employee training, you can help protect your agency’s physical and digital assets from unauthorized access.

Personnel Vetting

When applying to work in a government facility, personnel undergo a rigorous background check. This process may include fingerprinting, criminal history checks, and drug tests. Using this information, the agency can determine if the individual is fit to work in the facility, hold a sensitive position, have access to classified information, and hold a personal identity verification credential.

The ISC recommends identifying each position’s risk level and then determining what security level it requires before assigning a designation:

• Assessing Risk Level: What are the duties and responsibilities of the position? If someone in this position engaged in misconduct, how much could it damage the efficiency or integrity of the service?
• Assessing Sensitivity Level: How much could someone in this job harm national security?

Key control can support personnel vetting by allowing administrators to set up access levels corresponding to specific position types and security clearances. You can review the logs to ensure that individuals aren’t attempting to access certain areas without authorization. In addition, electronic key control systems can be configured to automatically revoke access privileges for individuals who no longer have authorization to access sensitive areas.

Authentication/Identification

When someone seeks access to a secure area, it’s important to have a reliable process to verify their identity using up to three authentication factors. This process may involve using biometrics, such as fingerprint or facial recognition, or smart cards. If the area requires a physical key, electronic key control systems provide an added layer of physical security. Before granting access to certain keys, users will be required to log in via fingerprint reader, proximity card, and/or password.

By implementing multiple layers of security measures and utilizing electronic key control systems, your agency can improve its security posture and comply with the ISC’s guidelines. In this ever-evolving threat landscape, remain vigilant and take proactive measures to safeguard our national security with the highest level of protection possible.