1 Performance Management Presentation Access Control Team Members: Major Billy Alford, Team Leader Bill Brosius, Alex Salah, Cassandra Harris ORS National Institutes of Health 21 January 2004

2 Table of Contents Main Presentation PM Template ……………………………….……………… 3 Customer Perspective……………………….…………….. 7 Internal Business Process Perspective…………………..18 Learning and Growth Perspective…………………………30 Financial Perspective……………………………………….37 Conclusions …………………………………………………45

3

4 Introduction to Access Control Reasons To protect the people, property, and research of the NIH To ensure the Safety & Security of NIH employees NIH research is a National Resource NIH is a part of the Public Health Critical Infrastructure

5 Link between Access Control and Personnel Security One component of Access control is personnel security Positions are designated at a particular Sensitivity Level – Non-Sensitive, Public Trust, or National Security Background investigations are conducted to determine whether a person is suitable for employment in that position NIH Police conducts interim background checks 4679 background checks conducted in FY03 Determination is made on where the individual may be granted physical access Access controls ensure only those authorized may enter This presentation will focus only on access control Personnel security will be addressed during FY04

6 Relationship Among Performance Objectives

7 Customer Perspective

8

9 C1a: Development of the Access Control Program and continuation of formal review for approval 75% completion of development of the Access Control Program Program presented to Associate Director of ORS for Security and Emergency Response Program presented to Associate Director of NIH for Research Services Program presented to Deputy Director for Management of the NIH Will measure implementation once full-approval is granted

10 C1b. Percent of planned installation of card readers and access control systems 100% completion of the 1-for-1 replacement of card readers from previous system in FY03 100% completion of improved access controls for Select Agent Labs in FY03 Will track percent installation of planned new card readers and access control systems in FY04

11 Customer Perspective

12 C2: Percent of Badges issued to those in need of an NIH ID Provide ID/access badges and appropriate authorized access, to those authorized to access NIH campuses and facilities Those in need: All NIH personnel (FTEs, Contractors, Fellows, etc) Others with legitimate business at NIH facilities (Patients, Volunteers, Tenants, Guests, Service Providers, etc) The badge is the access control measure Badge provides Identification – picture ID Verification – proves holder has authorized access

13 C2: Identification Badges Issued-FY03 Note: 10,211 badges issued.

14 Customer Perspective (cont.)

15 Customer Scorecard Methodology Clarified critical customers in FY03 for Access Control Lab Directors Facility Managers Biosafety Officers NIH Radiation Safety Officer Work to design a method to assess customer needs and satisfaction with these customer groups during FY04

16 Customer Perspective What does the data tell you? Completed work to develop Access Control Program, now need full approval so implementation can be tracked 100% replacement all old card readers and improved access controls for select agents during FY03 Issued over 10,000 badges in FY03 44% of badges issued were to contractors

17 Customer Perspective What actions are planned? Gain approval of Access Control Program and begin implementation Install new card readers and access control systems as planned and where requested Work with personnel security to ensure legitimacy of persons badged Develop the Customer Scorecard with OQM, in order to assess customer needs for Access Control

18 Internal Business Process Perspective

19 Internal Business Process Perspective

20 IB1a: Percent of Access Control Measures Implemented for Select Agent Lab and Storage 100% of Select Agent Labs had access controls installed in FY03 Card readers Biometrics

21 IB1b: Percent of Access Control Measures Implemented at Radiological Facilities 30% of Radiological laboratories and storage facilities had access controls installed in FY03 Card readers Door contacts

22 IB1c: Percent of Access Control Measures Implemented at Sensitive IT Facilities Sensitive IT facilities were surveyed in FY03, and access control installations began Survey is still ongoing – “population” of sensitive IT facilities still to be determined LAN closets Server Rooms Computer Rooms

23 IB1d: Percent of Access Control Measures Implemented at Sensitive Mechanical Facilities A survey of sensitive mechanical rooms began and a pilot program for installing access controls is underway Survey is ongoing to locate and assess sensitive mechanical rooms

24 Internal Business Process Perspective

25 Perimeter Security System (PSS) Layered approach to Access Control Perimeter Fence, Visitors Center, Commercial Vehicle Inspection Station (CVI), West Dr Patients Entrance Building perimeter doors Particular floors or office areas, Labs, and particular rooms

26 IB2a: Percent completion of the NIH- Bethesda PSS 90% completion of physical Perimeter Fence 100% completion scheduled for 3 rd Quarter FY04 100% design completion of Temporary Visitors Center 35% design completion of Visitors Center 50% design completion of Patient Entrance 35% design completion of CVI

27 IB2b: Number of card readers per layer/component of PSS 345 card readers installed at/in buildings in FY03

28 Internal Business Process Perspective What does the data tell you? Physical Perimeter Fence will be 100% completed in FY04 Perimeter Security System (PSS) components are mostly in the design phase The majority of our card readers are for interior building spaces

29 Internal Business Process Perspective What actions are planned? Establish a Temporary Visitors Center to centrally process visitors at the Perimeter until Visitors Center complex is completed Change from Visitor “stickers” to Andover-capable cards Begin connectivity of automated access controls at Perimeter Fence Andover capabilities are planned for all layers of the PSS Actively identifying sensitive areas for card reader installation

30 Learning and Growth Perspective

31 Learning and Growth Perspective

32 LG1: Percent of IDP tasks completed Baseline measures need to be established IDPs must be created

33 Learning and Growth Perspective

34 LG2: Hours of skill enhancement by technology type Baseline measures need to be established Technologies must be identified

35 Learning and Growth Perspective What does the data tell you? Need to identify Baselines for measurements Need to identify types of technology with which to improve

36 Learning and Growth Perspective What actions are planned? Baseline team member KSAs and create Individual Development Plans (IDP) Utilize online Police Training Tool for personal KSA building Identify technologies and skills necessary for Access Control team

37 Financial Perspective

38 Financial Perspective (cont.)

39 F1: Number of Badges Issued Unit measure is number of badges issued 10,211 badges issued in FY03 Budget numbers need to be formalized for this program before meaningful unit cost can be calculated

40 F2: Number of Card Readers installed Unit measure is number of card readers installed 345 card readers installed in FY03 Budget numbers need to be formalized for this program before meaningful unit cost can be calculated

41 F3: Number of automated access events 22,026 per day

42 F3: Number of automated access events Unit measure is number of automated access events per day > 22,000 automated access events/day in FY03 As automated events increase, monitored events should decrease Greater use of Andover system will further justify the investment Budget numbers need to be formalized for this program before meaningful unit cost can be calculated

43 Financial Perspective What does the data tell you? Over 10,000 badges were issued in FY card readers were installed in FY03 There were over 22,000 automated access events per day in FY03

44 Financial Perspective What actions are planned? Track similar unit measures during FY04 to understand change over time Develop budget numbers for Access Control Service Group Initiative to increase automated Access Controls in effort to decrease overall security costs

45 Conclusions

46 Conclusions Major Findings: Completed work to develop Access Control Program, now need full approval so implementation can be tracked 100% replacement of old card readers and improvement of access controls for select agents during FY03 Physical Perimeter Fence will be 100% completed in FY04 Perimeter Security System (PSS) components are mostly in the design phase Need to identify baselines for Learning and Growth measures Issued over 10,000 badges, installed 345 card readers, and Andover system experienced over 22,000 automated access events per day in FY03

47 Conclusions (cont.) Initiatives for FY04 Gain approval of Access Control Program and begin implementation Install new card readers and access control systems as planned and where requested Work with personnel security to ensure legitimacy of persons badged Develop the Customer Scorecard in order to assess customer needs for Access Control Establish a Temporary Visitors Center to centrally process visitors at the Perimeter until Visitors Center complex is completed Change from Visitor “stickers” to Andover-capable cards Begin connectivity of automated access controls at Perimeter Fence Andover capabilities are planned for all layers of the PSS Identify sensitive areas for card reader installation

48 Conclusions (cont.) Initiatives for FY04 Baseline team member KSAs and create Individual Development Plans (IDP) Utilize online Police Training Tool for personal KSA building Identify technologies and skills necessary for Access Control team Track similar unit measures during FY04 to understand change over time Develop budget numbers for Access Control Service Group Initiative to increase automated Access Controls in effort to decrease overall security costs