>> All right everyone, again, our next group.
Let's move on to the next discussion,
that being, project planning.
What you know.
What you don't know.
What you should know.
Our group's going to explain how
to identify the essential elements
of a physical access control system deployment
and the different stakeholders that are involved to ensure
that they are addressed in the procurement.
This ensures you can maintain the security of the facility
and minimize the impact on operations
when deploying a GSA Approved Products List system.
So, let's welcome back Lars Suneborn
of the Secure Technology Alliance
to moderate this discussion.
>> Ah, you thought you got rid of me, huh [laughs]?
All right, first of all, thank you again
and thank you both Mike Kelly and Roger Orr [phonetic]
for that work and effort that you have put into this.
And we have talked about different facilities
and we have the Pentagon -- the Pentagon Complex.
And the reason we selected the Pentagon Complex or many reasons
for that matter, is that it represents
so many different aspects.
It is a huge facility, both campus
and remote site with high-rises.
You have one system -- one access control system --
that is shared by multiple agencies.
You have multiple agencies share one facility
with their own access control system integrated.
And we have identities that are mapped up in most.
We have the very large facility
where we have both agency classified information
and visitors coming in.
So with this, I'll turn it over here
to Roger Orr and Mike Kelly.
>> Thanks Lars.
Yeah, just for a way of kind of background, I met Mike in 2001.
We were both working at actually Department of State
on a contract for them when they were first cutting
over smart cards and using smart cards for the physical access.
I left that project; actually got involved with the writing
of the government interoperability smart card
standards when that was before the sort
of the HSPD-12 went to BearingPoint.
Served as the physical access team leader
on the TWIC program [phonetic].
I called Mike up again, I go, "You want to play
with smartcards and physical access?"
And he wasn't smart enough to run away
from me [background laughter].
We were at BearingPoint for a number of years.
I actually joined a manufacturer for a couple years,
and in '09 I got a call that says, "Hey, how would you
like to do physical security at the Pentagon?"
I'm like, "Sounds interesting."
They said, "Okay, come in for an interview."
and I'm like, "Okay, I don't know what door to go to."
It's a big building.
And so, little to say, I didn't know what door I was going
to go into; and two or three weeks later I ended
up being there.
And I think what I had learned up to that point,
and what we applied -- and I think is very important --
is you can't look at this as a procurement of equipment.
It is a business process change.
So one of the things -- one of the first things I did,
as I was onboarding, I collected all the documents;
all the processes.
And I wrote down why I was doing what I was doing to come in.
I didn't come in saying, "Hey, we didn't need to put
in a PKI reader, we didn't need --" I came in to learn a process
and to see how we could better enable that process.
>> Thank you Roger; very informative.
I'm turning over to Mike and let you get a brief introduction
of your background here too.
>> Yeah. Roger's already covered most of our background.
We've chewed a lot of the same dirt, [background laughter] so,
a few diversion paths, but one of the things that intrigued me,
and still to this day impressed me
about the Pentagon is just the size and scope,
and if there's a use case to come across,
I think we came across it.
And just to give you an idea, when people think
of a Pentagon reservation, it's -- it's not just the Pentagon.
The Pentagon Force Protection Agency had not only the
reservation itself, but a number
of other leased facilities throughout the national
capital region.
So we have a responsibility not just for reservation
but for a whole bunch of other buildings that go along with it.
That varied depending on --
the number varied depending on leases
and how many leases were in force at the time.
From a personnel standpoint we talked about --
earlier this morning about assets.
You know, people are one of the biggest assets.
You know, we're looking at 75,000 permanent party.
And we're looking at peak throughput at one entrance
to the building of 5,000 people an hour.
So, looking at those kinds of numbers and then you add
to that visitors, you know,
where we do 250,000 visits a year.
And then we also have a permanent party turnover
of 30%.
So there's a lot of very large numbers here that have
to be accounted for as we, you know,
move them through this program.
>> When you have that many visitors and you have
that much turnover, you have to have a huge database somewhere,
so just to give us a sense of scope here,
what number of records or user records were your systems
designed to host?
>> You know, I don't want to get into specifics of the --
>> Okay. Right.
>> I think the bigger point about records and --
you know, it was funny.
As most of you, we had to go through --
you know, you get the webinar training and they say, hey,
computer security -- this.
And one of the things that actually came out of
that was System of Records Notice.
>> Yes. Yep.
>> And I think that's a real important one.
Mike talked about it earlier in legal.
You know, make sure you have a System of Records Notice
and make sure that it's up-to-date
and that it's covering everything that you're going
to be doing when you transition.
Again, looking at this as a business process.
That was a -- you know, that --
that like, hey, that little training bit
and there was a blip in the training bit
and then you start following --
it turned out to be a pretty big effort,
and it wasn't something I was originally aware of.
And then how are you going to manage this data and taking data
out of the system's a pretty dangerous thing to do;
most people don't like to do it because, you know,
you delete the wrong record.
Now you've got to go back and recreate that.
So there's been sort of a temptation in the past
that once in you're never out.
Well, that is probably going to be in violation
of your System of Records Notice.
>> Right. Some of you big --
when you have this to be SOR registered,
who provided that service?
Was that something that was done in-house?
Or was that procured as an outside service?
>> Generally, that's something that's done in-house
and that's something that the agency has to maintain.
It's usually inside counsel.
And that can honestly, some of the times we had a lot of issues
of tracking down who was responsible.
We were dealing at times
with three different communications agencies.
Then you just start, who's got the -- and it turned out,
in that particular case, one of the interesting things was it's
who -- it's the Public Affairs guys that handle it.
So -- but in the -- and I'm sure each agency's going
to be different who handles
and manages your System of Records Notice.
>> Yeah.
>> Be aware that you're going to have to deal with that.
And if you don't put that into your contract
or you're not accounting for it, you could be sitting there,
and that could actually be one of the things that holds you up.
>> Right. I got one more thing on the same topic here.
You have one access control system where you have a common interest
and many agency's personnel share that.
So how did you deal logistically
with the agency A owning the access control system,
and agency B, C, D, and E having their usage records in there?
>> Yeah. I think that was something that was unique
for this particular facility.
Pentagon Force Protection Agency, by charter,
was responsible for the perimeter protection.
When you got inside the facility,
there was no requirement
to actually have one unified PACS.
However, some components within the facilities chose
to tie into that system.
So we had a mix.
We had some people tied into the main system or the perimeter.
In which case when they registered in our system --
>> Mic.
>> When they registered into our system,
they could also be registered and have access
to their own individual spaces.
Otherwise, it was a two-step process.
They registered into our system for the perimeter,
and then they turned around and had to re-register a second time
into their own systems.
So again, it's really personal.
You know, it's organizational preference.
And some people like that level of control.
They don't want to cede that to anybody else.
That's one of the things
when you're characterizing your organization, that you have
to really plan for and understand how you're going
to address each one of these spaces.
>> Yeah. I would even go one further.
Start looking at category as in people and places.
So, you're really going to come into --
you know, everybody thinks about okay, employees and contractors.
You're probably now dealing with actually two types of visitors.
You're dealing with a PIV credential visitor
and a non-PIV credentialed visitor.
How are you going to manage those?
You may even break that down separately
to PIV credentialed people in your organization and not PIV'd.
Or, you may even go as far as people in our organization
that are government employees we'll treat one way;
contractors we'll treat another.
So start deciding policy-wise how you're going
to manage different people, you know?
And whether those people would be assigned to that facility,
what are you going to do if somebody
from your own agency comes to that facility, are you going
to automatically give them privileges?
You know, I've heard some of that being said.
A lot of places won't.
So, you've got to decide hey -- and this again is policy-driven
and a business process.
The other thing is, what is the facility?
You know, it was interesting, unfortunately, Derek was one
of our government leads that was going to be here.
He was talking about, he's now over at FDIC.
And this sort of gets to your --
he's now got a facility at the Empire State Building.
You know, so he's got a whole different thing he's got to deal
with that he's so much targeted as the building is.
>> Right. Right.
>> Then he's got a whole procedures and policy to get him
in the building and he doesn't have much control over that.
And then he's got procedures and policies
to get him into his suite.
>> Right. So when you talk about all these visitors
that are coming, they're both with credentials that was issued
from your own agency, in this case DOD, and credentials
that you can trust from other agencies and the non.
How did you merge that into the access control database?
An external discipline management system
that you integrated, or was it part of the PACS
or how did you procure the services?
>> It was definitely external.
We also leveraged the PIV data model because one of the things
in the PIV data model is it tells you what kind
of person you've got there, you know,
whether they're a contractor or what agency they're
from and who owns them.
So, that does allow you to set up some rules about, you know,
how you're going to manage those people when you can automate
that to a certain extent.
>> Okay. Do you give PIV cardholders
and CAK [phonetic] cardholders this same physical access?
Or do you differentiate between those?
>> Well remember, we -- one of the things we talked
about earlier this morning was the difference
between what I use for credential and who's making
that authorization decision and where that decision's made.
They are not the same thing.
So, just because I accept a credential, whether it's a PIV,
a CAK, or you know, a bubblegum wrapper, it doesn't matter.
I have two different pieces of this process.
One is to authenticate the individual; that identity.
And then the second is to assign the privileges.
And those are two distinct pieces.
>> Mm-hm.
>> So -- and we actually strove
to make sure we separated those processes.
>> Yeah. And one of the things that was kind of real telling,
when I first got there,
the access control system could not cache everybody
that entered in the building.
So this led to a situation where you could literally come
up to the turnstile; you could literally be provisioned
for the building, and because the memory was out on the panel,
your card wouldn't work.
So they would -- you'd show your card to the officer.
The officer would say, "Yeah, let me --
" He'd just let you in because he didn't trust the access
control system.
The system wasn't basically designed
to be big enough to handle that.
By the time I left, they'd actually come back --
or one of the last things they did was a Fourth of July party.
Wasn't even going into the building;
just entering a part of the perimeter.
And the change was not only did they have a handheld reader
out there, but they wouldn't even let me
in until they verified electronically
that my credential was good.
>> Right.
>> So there's a whole different process;
it's a different thinking.
And it used to be this thinking of hey, the badge was good.
It was -- you know, they didn't question the security
of the printing or any of that.
It was that you had the right -- you know, right-looking badge.
>> Right.
>> And they didn't even really know
if the privileges were current or not.
>> Right.
>> To go into the other way, where I don't really trust
that you're supposed to be here even though you have the correct
credentials until I authenticate you.
>> Right. Right.
>> So, there is a big change in mindset that has
to take place on a lot of levels.
>> When you talked about these messages and everybody coming
through this -- a few common entry points, with the amount
of visitors that you have processed through there
on a per-hour basis, especially peak hours,
it doesn't take much extra transaction time
for everybody before you have a starting line lining
up in the back of the door.
So how did that enter your comparison
and your throughput analysis
when you had the Legacy equipment there and then
when you started to do full PIV certification?
>> It was a big deal.
So to give you an idea of how bad this got, one of the things
that we -- they decided is they wanted full-height turnstiles.
The architect took the vendor's specifications
on what the throughput on turnstile was.
Turns out, the way the vendor rated the turnstile throughput
was the motor's going at 24 rpm, so if you stick somebody
in every wedge of that turnstile you could theoretically get 24
people a minute through the turnstile.
Now anybody who's been
in security knows that's totally unrealistic,
but that was how the architect designed it.
It was a -- it was funded through Melcon [phonetic]
and it ended up that we had to go back and turn in the money
and go for another line of funding
in the Congressional budget.
And the second time around,
we had some actual throughput testing
where we had an actual turnstile set up; we did the numbers.
We actually modeled this in some fire egress software,
so we knew how bad the backups would be.
You know, some of the stuff you get into, particularly,
you get these surges particularly
when [inaudible] would come in.
So you've got to really look at what your design
and what's going to stress you.
And the other side of it is, you know, people sometimes think,
"Oh the lines aren't a big deal."
Well, if you look at a lot of the attacks, like in Iraq,
they're attacking the line.
The line is a security risk.
You need to say, hey, how -- you know, balance, you know --
you balance security of getting people
through versus how deep you authenticate them.
Or you have to put more places for them to authenticate.
>> So if you have to put more turnstiles in there,
that could potentially lead to a redesign of the lobby.
>> Not only that, but -- and I, you know, again,
we get into some of these were controlled --
the National Planning Commission?
NCPC -- ?
>> Yeah, National Capital Planning Commission.
>> Yeah. So it had to go through review boards
and architectural boards and stuff like that.
So yeah, you're -- it's really important
to have your process design and define what it's going to be
and understand what it's going to do.
Because you could be spending a lot of money going back,
you know, and like I said,
they hired a very reputable architecture firm.
The architect who did
that turnstile calculation just didn't even ask twice.
They just said, "Hey, what's your throughput?"
And that was a design that was done even before I got there,
and it was almost six or seven years before those turnstiles
were put in.
So that's how long these things can take.
>> Yeah. I think the big lesson there is --
especially the bigger the scale,
is don't just take everything at face value.
Find a way to validate as much as you can.
Smaller or lower risk; whether it's a slow rollout,
lab testing; modeling.
Do as much as you can to verify the assumptions
that you're making before you put these things into production
and find out these lessons the hard way,
and start disenfranchising customers.
Because as soon as you start doing that, you're going
to start to lose faith in the system;
people won't trust the system.
Going back to what Roger was describing earlier.
Well, we know this system doesn't work; go ahead
and we're just going to use a flash pass and let you
in the building until the system catches up.
>> Right.
>> You don't want to lose the faith in that system.
>> So now that -- [clears throat] excuse me --
now that it comes to the point that you may have
to do some fairly significant architectural changes
to what you have, you don't just go to the local security people
or to the security manager and say, "Hey,
we're going to need more funding for this."
You have to have buy-in.
So how far up the food chain did you get to get buy-in
for your project of what you were actually trying
to accomplish here?
>> As far up as you can [background laughter].
I actually got invited
to the Senior Identity Protection Coordination
at the Deputy DoD CIO to come down and brief the agency leadership.
You can't emphasize enough finding somebody
that understands what you're doing at a very senior level,
or somebody that you educate to say, hey, go forth.
The other thing is just plain ol' public outreach.
You can't do enough of it.
We made videos.
We made posters.
We made basically PowerPoints that were put up on kiosks.
We went to the graphics people
and actually had a logo designed and branded.
There -- one person's job at one point for almost two years,
was just about public outreach.
>> Yeah.
>> And the other piece of this is, don't be afraid of feedback.
Don't -- you know, engage your stakeholders honestly and make
that -- cast that net as wide as you can.
The more feedback; the more people you have involved
in terms of giving you ideas.
What's going to work; what's not going to work.
When you're looking at it from different perspectives in terms
of impact on operations and how you're going to migrate things,
that feedback is invaluable, and it can keep you
from making some serious mistakes.
So when you're looking at your team,
look for some honest brokers to give you feedback
from different perspectives and making sure you have those types
of people on your team.
I think that's also invaluable.
>> Right. And so get this combo buy-in and support
from top leadership and the common other cases here too,
you have to be clear when they ask, "Why are you doing this?
What is it we're trying to protect here?"
So, I'm sure that you have to have a list of assets.
So what were considered the primary asset that you went
to top leadership to get buy-in for this?
>> Well, and this goes back
to what I was talking about this morning.
It's beyond just saying that we have to comply.
So, the different spaces, you know, you have spaces
with classified information.
You have places with personnel information or contracts
or financial -- I mentioned those this morning.
You may have drugs or weapons or different kinds
of critical infrastructure.
Look at spaces inside your facilities that have things
like critical infrastructure for heating, ventilation,
air conditioning, networks, power.
All those types of spaces have different types of risks
and that's where you go through.
And the more of those risks that you can quantify
and demonstrate, that's going to make it easier
for you to get your support.
It's got to go beyond regulation and compliance.
>> Yeah. If you just look at it as checking a box, hey,
I've got an APL-approved system, you're not going to make it.
It's -- and I mean that was --
that's actually been seen in some other installations.
They slammed in an APL system.
It took too long; it backed people
out the door and it got shut down.
You have to make it a business process.
It has to be that the system supports the people;
not the people complying and conforming to the system.
Because at some point what will happen is somebody will say,
"Hey, tear it out."
Looked a lot at -- you know, example --
a lot of the stuff we talk about in the APL covers, basically,
transactions at the door.
Nothing really covers, "Hey,
how do I securely get this person in?
How do I securely say they should be privileged?"
You know, nothing looks at what kind of digital signatures
that should be put on a request for access,
and those aren't out there.
You know, but yet, if I sit here and I say, hey,
I'm going to put this great PKI reader on the door,
but yet the way that door gets privileges, it just sends some
sort of an unsecure email to the Security Director,
then that's your weak link.
>> Right.
>> If you don't look at it as a whole, as a business process,
you're -- you really are probably not going
to get a very functional system; if one that functions at all.
>> Right. And you have to come into there, your --
the agency and individual reputation too, you know,
that says, well this is the last site we're going to attack,
because we would probably not survive an attack on this;
we have to do someplace else.
So kind of the reputation there too would be at stake.
>> Mm-hm.
>> So now you have all of this, and you're going to come here
and you're getting support from the top management
and they're going to say,
well we have all these access control systems out there;
we have all of this stuff.
Why can't we do it with what we have?
>> It really depends on what you have.
I mean, you may be able to do it with what you have;
you may be able to do it
with what you have with extra licensing.
You may be able to do it with what you have plus hardware.
That's, you know, again, the whole title of the session;
what you know, what you don't know, and what you need to know.
And I think from a procurement person, you know,
you're starting to hear --
if you're not hearing this language,
and somebody is saying, "Hey, I want to buy this."
Then probably what you know is that you need
to start hiring somebody that's going to develop these questions
and ask them for your facility.
And is going to look at your facility.
I don't know what your expertise at your facility is.
You know what your expertise at your facility is.
And that's -- really the important thing is, you know,
you could almost approach this, and I don't want
to play a procurement person.
God bless Lynne; she wants
to be a GSA superhero [background laughter].
You know, you know, that whole whether you want
to design right now.
You want to design-build; or you just want to build.
What I -- what we see as an industry is we see a lot
of stuff where they're saying, "Hey,
I don't want to pay for designs."
Design's expensive.
The reason design's expensive --
and good designs are very expensive,
this is an inner process with expensive people.
You don't get the junior guy out there
that has the experience that's going to come in there
and sit there with you, and look at everything you've got,
and it's not going to be cheap.
And it's hard, you know, which at the end
of the day you show paper.
If you put a new reader on the door; you put a new widget,
you know, that's pretty easy to say, "Hey, yeah, we got it."
And check the box and we're done.
But at the end of the --
you know, if you come back at the end of six months
and you're not using the widget,
you really haven't done yourself that good of a favor.
What we see a lot is widget procurement
without a whole lot of design.
>> All right, so that design and what you need to procure,
that comes from what you were talking about here.
The analysis with this is what we can do with this,
and this is what we need to do.
>> Right. And the other one --
and Mike talked about this is, who's your AHJ?
You know, authority having jurisdiction.
Classic in physical access control.
The number one guy you had to worry
about was the Fire Marshal.
That was your number one guy you had to worry about.
And that varies
from location-to-location; facility to facility.
Some places, you know, you've got exclusive jurisdiction.
One of the easiest places I ever worked was a museum.
They had exclusive jurisdiction of that museum.
They had one guy that was in charge of all the fire,
and basically, he would lock people in fires.
He didn't care.
He didn't want the art getting out.
I've been other places where it's mixed
and they'll work with you.
And I've been in jurisdictions the Fire Marshal says,
"If you don't bring me approved plan;
I'm not going to let you build it."
And then you ask him, "Well, what do I need to change?"
And he goes, "You're the expert; go figure it
out [background laughter]."
>> That's helpful [laughs].
>> Yeah.
>> Yeah, that's a -- I think that's a good takeaway.
The Fire Marshal -- the local Fire Marshal is one very
important person.
And he or she can say, "You don't occupy this building
until you put some exit panic hardware
on there that I approve."
And that goes from in the same city from Fire Marshal
and fire district to another.
And you had what, how many districts
and how many jurisdictions?
You've covered several states.
>> I was -- it was three states plus the District of Columbia.
>> Yeah, and --
>> But 85, I think, on average,
it's probably 85 facilities total
across those jurisdictions.
So, and then when you go down into, you know, local levels
into townships and what have you, that number went
up even more as the number of people we had to deal with.
>> Yeah. And then, like, you get to certain cities like Chicago,
you've got to put everything into conduit.
It's the local electric code.
>> Yeah. Yep.
All right.
So, now you have -- now you have the [inaudible].
You have a whole lot of regulatory requirement.
We talked a little bit about that then.
So what contracts and what procurement vehicles did you use
for this?
There must have been a little bit of everything?
>> Yeah. It actually started out they used some stuff
from Huntsville; small business.
But primarily where this --
we finally ended up was Schedule 70, SIN 132-62.
And so we got the expertise for that, you know,
and they had the qualification for SIN 132-62.
>> So that covers both the services,
such as what we talked about, you know, the gap analysis.
And then some of the hardware that you were buying?
>> That's correct.
>> Okay. And then --
>> Now, there were other vehicles used, you know,
other -- and this is another really good one.
It was a whole another contractor involved in IT.
Another contractor involved installing the actual PACS.
We were doing the identity management.
So you guys are going to have to manage multiple contractors
that are trying to eat each other's dog food.
[ Laughter ]
>> That -- that was pretty graphic [laughs].
>> Sometimes it gets that bad, too.
>> Right. So, those services, what, they were procured
from outside sources you're saying?
Or there's some that was provided in-house?
>> So, there was some -- some
of the stuff was the agency's own, you know, contracts.
Some of the contracts were held
by other organizations when in DOD.
And then, you know, you start getting into, say,
it's a leased GSA facility, then you've got
that going on too, you know?
>> Right.
>> You know, and then you've got a landlord/tenant situation.
>> All right, my favorite example
of requirement coordination,
we actually had two facilities linked
with a piece of fiber optic cable.
And we had two different organizations controlling each
end of that same piece of fiber.
So, you know, that kind of detail
and that kind of coordination.
And you need to understand what level you need to go down to,
to make that coordination
to make these projects come off without a hitch.
>> Right.
>> And they both had their own contractors.
>> Yeah.
>> Right. Wow.
>> So now you've gotten to the point
where you have done your buy-in; you've got your budgets.
You have done the gap analysis and now you're going
to start looking at what actually do we need,
and you have your risk assessment here.
And you have all kinds
of conflicting vectors going in here.
You have something where the public has access,
and you have something where you have classified information
up to TS and beyond.
>> Mm-hm.
>> So how did you do with the --
how did you deal with the risk assessment
and the facility/security level,
and what's behind each one of these doors?
>> Well, let's separate risk assessment
from facility security level first.
Because we talked about this,
this morning a little bit, and --
>> Yeah.
>> And the ISC standard up to the point
that it addresses right now is fantastic to get into.
You know, and it's fairly easily understandable methodology
to determine your risk in your facility as a whole.
But it doesn't help you for access control entirely.
So I just want to make sure that we understand that.
When you're starting to get into the spaces, just like we talked
about this morning, knowing what assets you have;
knowing what spaces they're in.
Knowing what you need to do to protect those based on the risk
of those assets, and what the impact
on the organization's mission will be if you had a compromise
at that particular asset.
You know, if I've got a relatively critical asset
but I have several ways to get it throughout the facility,
then maybe I -- it's not as critical for me
because my impact is low.
But knowing where those assets are, whether it's material,
equipment, people, information --
whether it's paper information
or computer information, you have data.
Knowing where that information is and how it's protected
and what the risk is, is --
that's really essential for all of this.
And when you have a multi-tenant facility such as we had,
you know, 26 DOD components, knowing who the people were,
to be able to go in and talk to those people and say,
"If you want to work together,
we need you to help us identify those assets
and know what your requirements are."
So that's --
>> So there was -- there's stakeholders
from many different organizations.
>> Yes.
>> And they were all part of your project team
that you're now beginning to form?
So --
>> Yeah. And some of it wasn't necessarily a formal part of,
you know, a regular part of the project team.
They would come in and out depending
on where we were in the process.
So we needed help identifying the assets within their spaces
to help them define what they wanted to protect.
Some of them, like I said earlier, some of them said,
"Sorry, we're going to handle this ourselves.
You get up to -- you get us in the building
and we'll take our own space.
And don't worry about it.
You don't need to know what's beside --
>> Right. Yeah.
>> Inside the next door; that's fine.
>> That's fine.
>> We can do it that way.
>> Yeah.
>> If you want us to help and work with you,
that's how we're going to have to do it.
>> Right. So, one of the points here is that you don't need
to know exactly what's behind that door.
That's something that they --
the space owner security people can deal with on their own.
>> Yeah.
>> There's two solutions, right?
All the time, and at the end of the day it comes
down to time and budget, right?
How much money do I have and how much money does the person I'm
trying to help; maybe I have a way
to save them money also; maybe I don't.
And maybe they're willing; maybe they aren't.
Maybe they have a sufficient budget to take this on,
on themselves, and not need to leverage it.
Okay?
>> Right.
>> Do you have a question?
[ Inaudible Question ]
>> So you're asking about what would be the best contract
vehicle to use?
>> Yeah.
>> Oh geeze, you're asking the wrong guy [laughs].
I mean -- I mean honestly, you know, at the end of the day,
you know, what happens is you --
firm fix is what most everything I've seen come out.
I've seen -- and that's usually
because they've just got to control the price.
If you -- you know, you can do T&M not to exceed,
and that may -- if you're just going for design,
that may be a real good way to go.
You know, what happens with firm fix,
quite honestly beyond the other side, is you always put fluff
in it to over -- you know, somebody asked earlier today,
"Do I need a walkthrough or are the plans good enough?"
The simple answer is, the plans may be good enough
but I'm probably going to put more risk on it.
So if I have more risk,
that ends up being more cost to the government.
So, you know, on the other side, if you run into something,
you know, just say, "Hey, I don't know; I don't understand."
You may start with small T&M and then look
at going into a firm fix.
Steve?
>> Okay.
>> I've always wanted to know, because you know, I haven't been
to the Pentagon in like, ever.
First off [inaudible].
How do you get 5,000 people through on the metro entrance,
and I believe, identify and authenticate them?
>> Wouldn't you like to know [background laughter]?
And you're not going to know.
[ Background Laughter ]
>> All right.
>> What kind of decisions did you make?
>> Would you be able to repeat your question for [inaudible]?
>> Sure. So, I mean, good job on the panel.
I'm enjoying this a lot.
But the big question to me has always been how do you get those
5,000 people through at the metro entrance, and you know,
how do you identify and authenticate them, and --
>> We're not going to go down that path, Steve.
And for obvious reasons.
The thing is, that you have to design your facility,
and this is what it really gets down to.
And then maybe you have to go back to get funding like we did,
to increase the entrances.
You know, if -- and that's the thing you've got
to do is decide what level you're going
to authenticate those people, and then what is
that going to require?
And that actually required a very significant amount
of funding, and that's, you know, ongoing.
>> All right.
There was a different question there, I thought?
[ Inaudible Question and Laughter ]
>> Yeah, I got a second question.
What obstacles do you come across as far
as multiple tenant/agencies when you're trying
to put them all on the same system?
>> The biggest thing to me that we experience
from my perspective is a policy/procedural issue.
All right?
So knowing that -- knowing exactly; communicating
between you and your tenants.
Knowing what's going to be required for them
to get into a building.
Knowing when they have the ability to get
into the facility; out of the facility.
Those types of things like coordination
and things is the biggest challenge.
Remember, if they actually subscribe and let us help them,
they also got rid of the responsibility
of monitoring; responding to.
They let us take care of that piece for them.
So those are a huge burden administratively
and procedurally off of their shoulders.
But making sure that they had that peace of mind
that they could control access; the authorization
into their space without any of the other overhead involved
in that kind of coordination, I think,
was the biggest challenge for us.
>> I have a little bit of a challenge
in that sometimes people had to be read into programs.
And, you know, making sure that the people that were
on the administrative side were actually read
into some of the programs.
That, you know, and again, it was always about the --
how audits and who's doing it?
Data?
>> Right. Right.
>> Jordan?
>> So, a question from online from Lauren.
What would you recommend the government do to streamline
and improve coordination among the various contractors?
>> That is really going to come down to your core.
Right? Your core has to sort of be in there and understand
that hey, everybody's in it to make some money.
What's a reasonable fee and how, you know,
how do I write the contracts
so that they manage with each other?
And, you know, defining the lines.
And it usually, a lot of times it comes down to who's going
to be responsible at the end of the day, right?
>> Yeah. I think defining the roles and responsibilities is
by far the most important issue there.
If you go in one direction you have a gap
where each contractor may think somebody else is doing
something, and then when the schedule slips
or there's a budget overrun;
they're all pointing their fingers at somebody else.
Conversely, you'll have multiple contractors responsible
for the same thing.
And you have this overlap.
So if you don't identify clearly those roles and responsibilities
up front, and I think that that's the most important thing
that you can do to get that interaction
and that coordination going.
>> Right. And that -- I think you hit it right on there.
Responsibility's assigned right from the front.
And then when everyone --
all the different stakeholders have had their personal
responsibility leading their group,
then when the task is completed,
and officials sign off procedures that --
our piece of -- this piece --
this detail of this project is now done; go to the next.
>> Right.
>> Okay. Questions?
We've got some good questions here already.
>> I think one of the things, you know, just kind of --
don't bite too much off.
You're asking about, you know, what contract you use and --
if you're not sure, do as small as you can for what, you know,
a very narrow and defined scope.
You know, so if you're not sure, do a small -- maybe T&M design.
The thing is, is if you try to bite off too much,
then your senior leadership, like you said,
is going to be like, "Hey, you aren't doing anything."
So make sure you have that senior leadership
and you do produce at the end of the day.
That's -- that's going to be important.
>> Right. You touched on something there Roger,
that is one thing to gain
and achieve the senior leadership support
in the beginning.
>> Right.
>> Then you got to keep it.
>> Right.
>> Right.
>> Yeah.
>> Yeah, and another part
of keeping it is not just breaking this into small,
measurable, successful pieces, but also when you go
to do your deployments.
You know, make sure you have strategies
as you roll out these pieces.
How are you going to test this in advance
so that you're reasonably sure you're going to succeed?
And then when you get to that point
where you're actually rolling this out, what happens
when everything goes south?
You know, what are your rollback plans?
What are your recovery plans?
How do you restore operations?
And how has this been communicated
to your customers to your population?
Most of the time when we would roll out a new capability,
a new section, a new facility,
in addition to doing the common sense, you know, the backups
and those types of checks, we would close a facility
on a Friday afternoon; send everybody home.
We'd start doing the cutover.
And then say, if we hadn't done it --
if we hadn't gotten to where we need to be by Saturday,
we'd start rolling back so that
when everybody came back Monday morning, all we had to say,
"Sorry, we had to postpone the rollout,
but your operations are not impacted;
you can still come in and work."
And that kind of -- that kind of confidence that that instilled
in senior leadership in communicating the expectations
up front really helped us to keep that support.
>> Yeah. I mean, telling your senior leadership
on Saturday evening instead of Monday morning that you're going
to be at a certain place, is a lot better.
>> Right. Right.
Very good.
Communication in networks.
Communication.
Communication.
Communication.
When you select all your vendors and all your contractors
and everything else; all the people that are involved there,
do you have any prerequisites when --
in selecting both companies and people
in the various organizations?
>> Work with your friends
for like 20 years [background laughter].
>> That's a good prerequisite.
>> The only bad thing about that is they'll tell stories
about your earlier life
and flying objects [background laughter].
>> Well, let's not go there,
but if there are no further questions, ladies and gentlemen,
let's gather back together for our final panel
at 2:15 pm Eastern time.
Thank you all.
[ Applause ]