State of physical security: assessing & mitigating risk

SEP 15, 2021

A municipal worker secures c-wire on fencing at a National Guard security post near the Capitol in Washington, D.C., Jan. 16, 2021. (U.S. Air National Guard photo by Master Sgt. Matt Hecht)


The mission of every security enterprise is to safeguard its organization’s people, property, information, and systems. Most security policies, particularly within government organizations, govern the administration of personnel security, physical security, administrative security, systems security, identity management, special access areas, security training and awareness, and other collateral programs. All of these diverse mission sets drive the total security program, and the responsibilities of security professionals leading these programs underscore the challenges in their respective protection platforms. This is especially true within the physical security and access control disciplines.

With this fact in mind, security organizations must remain committed to ensuring that only those persons with a legitimate need to access any given facility are allowed to enter. The first goal of keeping out bad actors is accomplished through background investigation and adjudication. Only those persons who have been vetted to an appropriate level of rigor are granted access.

Security professionals understand that security involves risk and concomitant risk management. Our job is to do everything we can to reduce risk and keep our facilities and employees safe. Effective organizational leadership and security professionals manage their programs by virtue of extensive knowledge, training, and experience. They know the value of comprehensive policies, procedures, processes, and emerging technologies that help guide, improve, and fortify their key security programs.

The foundation of physical security involves proper assessment. Every facility must be assessed for risk and appropriate countermeasures implemented to mitigate any identified risks. In a typical government organization, ordinarily a decision matrix is used to assess the mission criticality at a given facility, the sensitivity of the activities conducted by persons working at the facility, the potential of threats to the facility, the population of persons working and visiting there, and other intangible factors. The outcomes of these risk assessments help officials make decisions about where to position resources to augment security and drive the levels of protection for each individual facility. With this fact in mind, a security attitude must be baked into everything an organization does within its mission sets, mindful that a one-size security solution does not and cannot fit all facilities.
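The decision matrix described above, as an added worked example that is not part of the original article: each facility is scored 1 (lowest) to 4 (highest) on a fixed set of factors, the points are summed, the sum is mapped to a level of protection, and a single justified "intangible" adjustment of one level up or down is applied. The factor names are modeled on the Interagency Security Committee's Facility Security Level approach, but the point bands, the three sample facilities and their scores are assumptions constructed for illustration, not the ISC's published tables.

```python
"""Illustrative facility risk-scoring matrix (assumed factors and point bands)."""
from dataclasses import dataclass

# Factors scored 1..4 each. Names are modeled on the ISC's FSL approach;
# the numbers below are assumptions for illustration, not published values.
FACTORS = ("mission_criticality", "symbolism", "facility_population",
           "facility_size", "threat_to_tenants")

# Assumed bands mapping the summed score (5..20) to a level of protection I..IV.
LEVEL_BANDS = ((5, 7, 1), (8, 12, 2), (13, 17, 3), (18, 20, 4))


@dataclass(frozen=True)
class Facility:
    name: str
    scores: dict                  # factor -> 1..4
    intangible_adjustment: int = 0  # -1, 0 or +1; must be justified in writing


def validate(facility):
    """Reject incomplete or out-of-range inputs before any scoring happens."""
    missing = [f for f in FACTORS if f not in facility.scores]
    if missing:
        raise ValueError(f"{facility.name}: unscored factors {missing}")
    bad = {f: v for f, v in facility.scores.items()
           if f not in FACTORS or not 1 <= v <= 4}
    if bad:
        raise ValueError(f"{facility.name}: invalid scores {bad}")
    if facility.intangible_adjustment not in (-1, 0, 1):
        raise ValueError(f"{facility.name}: adjustment must be -1, 0 or +1")


def level_of_protection(facility):
    """Return (level, total_points, drivers); drivers are the factors scored 4."""
    validate(facility)
    total = sum(facility.scores[f] for f in FACTORS)
    base = next(lvl for lo, hi, lvl in LEVEL_BANDS if lo <= total <= hi)
    level = min(4, max(1, base + facility.intangible_adjustment))  # clamp to I..IV
    drivers = sorted(f for f in FACTORS if facility.scores[f] == 4)
    return level, total, drivers


def prioritize(facilities):
    """Order facilities for countermeasure funding: highest level, then points, then name."""
    ranked = [(f.name, *level_of_protection(f)) for f in facilities]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))


# Constructed sample facilities (assumptions, not real sites).
FIELD_OFFICE = Facility("Field office", dict.fromkeys(FACTORS, 2))
DATA_CENTER = Facility("Data center", {
    "mission_criticality": 4, "symbolism": 2, "facility_population": 3,
    "facility_size": 3, "threat_to_tenants": 4}, intangible_adjustment=+1)
WAREHOUSE = Facility("Warehouse", {
    "mission_criticality": 1, "symbolism": 1, "facility_population": 2,
    "facility_size": 3, "threat_to_tenants": 1}, intangible_adjustment=-1)

if __name__ == "__main__":
    for name, level, total, drivers in prioritize([FIELD_OFFICE, DATA_CENTER, WAREHOUSE]):
        print(f"{name:12s} level {level}  points {total:2d}  drivers {drivers}")
```

The `drivers` list is what turns a score into a decision: it tells officials which factor is pushing a facility up a level, and therefore which countermeasure (access control, standoff, guard force) the resources should buy. The validation step matters because an unscored factor silently lowers the total and the resulting level.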

“Physical security” is the footing from which all other security platforms effectively reside and thrive. Once simply considered the application of “lights, locks, alarms, security guards and cameras,” today’s world involves threats that target the systems and information living behind those lights, locks, alarms, security guards and cameras. These threats also target our employees. In today’s environment, I suggest that physical security has become even more important than in years past. For this reason, every unique security discipline MUST coalesce and work in concert within an organization’s physical security structure.

State of the Union of Physical Security

Technology continues to advance at a rapid pace. “Public trust in technology has fallen. Most people are worried that the pace of technology is moving too quickly and that governments don’t understand it enough to regulate it. [People] worry that technology will make it impossible to know if what people are seeing or hearing is real.”[1] Security professionals should be concerned, too, especially when designing security platforms and engaging in protection of their organizational assets.


Artificial Intelligence (AI) is an example of technology having the ability to both enhance and attack security platforms within organizations. Security professionals should learn all they can about AI, or, at a minimum, have access to an AI subject-matter expert for consultation. AI is the ability of a computer system, or a robot controlled by a computer, to do tasks that are usually done by humans because they require human intelligence and discernment.[2] Specific applications of AI include expert systems, natural language processing, speech recognition and machine vision. In today’s world, AI has gained acceptance due to applications that make our lives easier, and as AI continues to evolve and improve more acceptance is expected. AI, however, is not without security and privacy risks. Security professionals should know what those risks are and where potential vulnerabilities lie.

The term “SMART” technology refers to “self-monitoring, analysis, and reporting technology.”[3] It is a technology that combines AI, machine learning, and big data analysis to provide cognitive awareness to objects that in the past were considered inanimate. Today, SMART technologies have been integrated into many types of security programs across various government and other organizations.

For example, SMART cards, also known as Personal Identity Verification (PIV) cards or Common Access Cards (CAC), are plastic cards the size of a credit card. Each card is embedded with a microchip that stores personal and organizational data, along with cryptographic credentials, and can grant the holder, among other things, physical access to controlled facilities and logical access to sensitive information systems. SMART cards are programmable so that access can be limited as appropriate, with a PIN or a biometric required from the holder before the card’s credential is used. Companion SMART card readers attached to entry and exit locations, as well as compatible computer systems, are necessary components of the access control platform to inform the technology and make it function as intended. SMART cards are not without vulnerabilities: the card, the reader, the link from the reader to the door controller, and the back-end system that decides whether a presented credential is still valid are each part of the trust chain, and a weakness in any one of them undermines the rest.

One close security cousin of the SMART card technology is the SMART camera. This security platform is a self-contained, individual vision system that includes an integrated image sensor. SMART camera systems can be vital to security missions because they are uniquely suitable for uses where multiple cameras must operate independently and at different times and locations. Facial recognition and iris recognition technology and associated software exist today and may have applications in mission security for some organizations. For some time now, facial recognition capability has been integrated as a security measure into the iPhone, another SMART technology device that can act as a mini-computer and access the Internet and other applications.

The security professional must remain current with respect to advancements in technology and understand the capacities of SMART capabilities if they intend to use the technology within their programs. Knowledge about how systems work and how they can be compromised must be considered along with tactics and strategies to mitigate the risks of potential compromises. SMART technologies, for example, have the capability to monitor themselves and make independent decisions and adjustments in changing security operations without human involvement. Security professionals need to pay close attention in order to maintain an effective and stable program.

Progress Made in Physical Security Efforts

In recent years, significant improvements have been made that influence the physical security missions within organizations. The tragic shooting events of September 16, 2013, at the Washington Navy Yard placed the issues of physical security, access control, and personnel vetting front and center in the minds of security professionals across the security landscape. Several after-action reviews conducted in the weeks following the shootings identified security weakness and the need for reform.[4]

Washington Metropolitan Police Department vehicles are parked near Building 197 at the Washington Navy Yard. Police and FBI evidence collection teams are working at the scene where a gunman killed 12 people Sept. 16, 2013. (U.S. Navy photo by Mass Communication Specialist 2nd Class Pedro A. Rodriguez)

The 2015 database hack of the United States Office of Personnel Management (OPM) personnel files involved the exfiltration of sensitive data in the form of millions of federal and contract workers’ SF-86 forms. This breach illustrated the need for more robust internal controls and critical improvements in cybersecurity.

In 2013, Edward Snowden was a government computer intelligence contractor who accessed and leaked highly classified information from the National Security Agency (NSA). The breach he caused illustrated the need for vigorous physical and cybersecurity programs aimed at detecting “insiders” who intend to cause grave damage to our nation.

“Insider Threat,” as it is now known, is a security program implemented at various government agencies that seeks to complement an employee’s initial and re-investigation background investigations with “continuous evaluation”[5] of that employee. The program is intended to protect classified information. Continuous evaluation supplements “continuous monitoring” of an employee’s access to information and “need to know” in order to detect anomalies in a person’s personal and professional behavior and job performance.

Continuous monitoring through physical and cybersecurity assets incorporates data in near real-time from a much broader set of data sources, as compared to information that was previously available in the background investigation process. The initiative focuses on monitoring certain IT systems and incorporates analysis and collation software to aid in the identification of behavioral trends that could be indicative of an insider threat problem. Strict referral protocols are in place to investigate abnormalities. The aim is the detection and mitigation of threats to classified information before any damage can be done.[6] The goal of this program is the protection of classified information, but its applicability to other behavioral issues, including suitability and contractor fitness, is evident.
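The correlation of physical and cybersecurity data sources that the paragraph above describes, as an added example that is not part of the original article or of any agency’s program: a small detector reads constructed badge-access and workstation-login events, applies three rules, and emits referral candidates for a human to investigate. The log format, the business hours, the minimum travel time between sites and the user names are all assumptions made up for the example; a real program would draw on many more sources and would treat these outputs as leads, not conclusions.

```python
"""Illustrative badge/login correlation for insider-threat referral (constructed data)."""
from datetime import datetime, timedelta

BUSINESS_HOURS = (6, 20)             # assumed: badge-ins outside 06:00-20:00 are flagged
MIN_TRAVEL = timedelta(minutes=60)   # assumed minimum travel time between two sites

# Constructed sample events (not real data), one per line, in an assumed format:
#   <ISO timestamp> BADGE user=<id> site=<site> dir=IN|OUT
#   <ISO timestamp> LOGIN user=<id> src=console|vpn [site=<site>]
SAMPLE_LOG = """\
2021-09-13T07:55:00 BADGE user=jdoe site=HQ dir=IN
2021-09-13T08:02:00 LOGIN user=jdoe src=console site=HQ
2021-09-13T08:10:00 LOGIN user=asmith src=console site=HQ
2021-09-13T09:00:00 BADGE user=asmith site=HQ dir=IN
2021-09-13T12:30:00 BADGE user=bwong site=HQ dir=IN
2021-09-13T12:50:00 BADGE user=bwong site=ANNEX dir=IN
2021-09-13T17:30:00 BADGE user=jdoe site=HQ dir=OUT
2021-09-13T23:40:00 BADGE user=clee site=HQ dir=IN
2021-09-13T23:45:00 LOGIN user=clee src=console site=HQ
"""


def parse(log_text):
    """Turn the key=value lines into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for f in fields:
            k, _, v = f.partition("=")
            ev[k] = v
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return referral candidates as (rule, user, timestamp, detail), oldest first."""
    findings = []
    badge_ins = [e for e in events if e["kind"] == "BADGE" and e["dir"] == "IN"]

    # Rule 1: badge-in outside assumed business hours.
    for e in badge_ins:
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours_access", e["user"], e["ts"],
                             f"badge-in at {e['site']}"))

    # Rule 2: consecutive badge-ins at different sites faster than travel allows
    # (a cloned or shared card, or a bad clock on one reader).
    by_user = {}
    for e in badge_ins:
        by_user.setdefault(e["user"], []).append(e)
    for user, ins in by_user.items():
        for prev, cur in zip(ins, ins[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["site"] != cur["site"] and gap < MIN_TRAVEL:
                findings.append(("impossible_travel", user, cur["ts"],
                                 f"{prev['site']} -> {cur['site']} in {gap.seconds // 60} min"))

    # Rule 3: console login at a site with no earlier badge-in by that user that day
    # (tailgating, or someone else using the account).
    for e in events:
        if e["kind"] == "LOGIN" and e.get("src") == "console":
            site = e.get("site")
            onsite = any(b["user"] == e["user"] and b["site"] == site
                         and b["ts"].date() == e["ts"].date() and b["ts"] <= e["ts"]
                         for b in badge_ins)
            if not onsite:
                findings.append(("login_without_badge", e["user"], e["ts"],
                                 f"console login at {site} with no prior badge-in today"))

    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for rule, user, ts, detail in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:20s} {user:8s} {detail}")
```

Each rule is deliberately narrow and explainable, because the output feeds a referral protocol where a person must be able to read the finding and decide whether it warrants an inquiry. None of the three findings on the sample data proves wrongdoing: a late badge-in may be an approved shift, and a login before a badge-in may be a reader that failed to log the entry. That is exactly why the program pairs monitoring with strict referral procedures rather than automatic action.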

To meet each of these needs, benchmarking among organizations combined with the development of new programs and improvements of current standards illustrate the willingness among security professionals/organizations to engage in robust collaboration. These are examples of real progress.

Development of Standards for Physical Security

After the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, “President Clinton issued Executive Order 12977, creating the Interagency Security Committee (ISC) to address continuing government-wide security for federal facilities. Prior to 1995, minimum physical security standards did not exist for nonmilitary, federally owned or leased facilities.” [7]

The ISC falls under the purview of the Cybersecurity and Infrastructure Security Agency (CISA), an operational component within the Department of Homeland Security (DHS). CISA, through the ISC, “provides leadership to the nonmilitary federal community supporting physical security programs that are comprehensive and risk-based.”[8]

“The ISC’s mandate is to enhance the quality and effectiveness of physical security in and the protection of buildings and nonmilitary federal facilities in the United States. The ISC standards apply to all nonmilitary federal facilities in the United States—whether government-owned, leased, or managed; to be constructed or modernized; or to be purchased.[9]

Chief security officers and other senior executives from 64 federal agencies and departments make up the ISC membership. Leadership is provided by the chair, who is the Department’s Assistant Director for Infrastructure Security, the Chief, Interagency Security Committee, and eight standing subcommittees.”[10]

What were once security and protection “guidelines” have since evolved into “requirements”[11] for nonmilitary federal facilities in the United States. The ISC has issued standards and best practices that help federal security professionals implement appropriate security policies and mandatory standards. Its Design-Basis Threat (DBT) report[12] represents the most comprehensive federal facility security standard created to date and assists in determining the correct levels of protection for facilities. This standard has since been incorporated, along with other standards and guidance, into The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard.

Robust collaboration

Another improvement we have witnessed among security professionals in recent years regarding physical security and other critical infrastructure protection missions has been effective partnering among security organizations. Colleagues are partnering and sharing information at greater rates through regular meetings, conference calls, tabletop exercises and classified briefings. To ensure security and resilience, security professionals are engaging in active-shooter preparedness, bombing prevention, “see something, say something” awareness training, instructor-led training on best security practices, and in-person and online classroom training opportunities.

What Needs to Be Done to Improve Physical Security Processes

Despite improvements in recent years as to how we apply physical security measures across our organizations, risks remain. The practice of identifying potential risks in advance, analyzing all we identify, and taking prophylactic steps to minimize those risks will continue to be a challenge.

Depending on mission and facility level of protection (LOP), it may benefit your organization to consider an armed security guard force or force protection group to mitigate threats and protect employees, facilities, and equipment. This is a critical element of many organizations’ physical security platforms. The benefit of having such a resource is that armed, trained security professionals can deter hostile action and respond to any sort of event quickly and efficiently. They are effective at preventing, detecting and addressing actions that threaten the security of an organization. They can control access to the facility and control parking areas. Some forces also field explosive-detection capabilities. Their presence often provides a sense of security to employees and visitors, resulting in a feel-safe environment.

Importantly, persons performing as security guards or force protection specialists should be vetted before hiring so that the organization knows they are operating with trustworthy and suitable people.

A Pentagon Force Protection Agency officer looks over the Pentagon South Parking Lot. (File photo/DoD photo by Casper Manlangit)

Whether or not your organization chooses to bring on a security force, it is important for the security professional to maintain a good working relationship with local law enforcement, fire services, military and emergency management officials. Mutual aid agreements are arrangements between organizations and jurisdictions that provide a means to quickly obtain emergency assistance in the form of personnel, equipment, materials, and other associated services. Mutual aid agreements are a system and structure in which organizations and jurisdictions can force-multiply resources.

Every security mission would benefit from a clear, understandable, written mutual aid agreement with local law enforcement and other emergency management officials in the event of the critical incident or situation of consequence. If your organization currently does not have this important capability, your security manager should evaluate the need for one.

In the world of physical security, professionals rely heavily on technologies and systems that are fabricated, engineered, assembled, manufactured, and shipped by corporations and enterprises that are likely outside of the security professional’s control. This leaves open the possibility of intentional manipulation and perhaps sabotage at any point in the supply chain and places the organization at risk.

Supply Chain Risk Management

In its simplest terms, a supply chain is a network among an organization and its suppliers who source, produce and distribute specific products. The supply chain represents the steps it takes to get the product or service from its original location to the customer’s destination. Because much of our manufacturing base has moved overseas in recent times, today’s supply chains are often exceedingly complex, convoluted, and can sometimes bridge continents.

In the world of physical security, products obtained through these supply chains are the lights, locks, alarms, cameras, computers, technologies and platforms intended to safeguard an organization’s people, property, information, and systems. Security professionals charged with protecting these assets must be certain that the products they use are free of any defects or vulnerabilities that could compromise anything or anyone the product is designed to protect.

Security professionals can greatly reduce the chance that products or materials they need carry compromising defects or vulnerabilities by effectively applying “supply chain risk management” practices to their security programs; no process can guarantee a product is clean, which is why the checks must continue after purchase. Supply chain risk management (SCRM) is the process of identifying, assessing, and mitigating the risks of an organization’s supply chain.[14] In the context of physical security equipment and systems, the SCRM process incorporates the complete planning and management of ALL activities around the sourcing, procurement, receipt, conversion, and placement of products.

Logistics management (LM) is the key to an effective SCRM. LM is the portion of SCRM that controls the planning, flow, storage, delivery, and final implementation of the product, from the point of origin to the point of consumption, to meet the security professional’s requirements. Done correctly, LM narrows the windows in which a product can be tampered with in transit or storage, and so reduces both the threat posed to employees and the damage an insider could do by substituting or altering equipment.
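The “receipt” step of the SCRM process above, as an added example that is not part of the original article or of any vendor’s tooling: a receiving officer verifies each firmware or configuration image that arrived with a shipment against a manifest of SHA-256 digests the vendor published through a separate channel, and accepts the shipment only if every listed item arrived intact and nothing unlisted arrived with it. The file names, the image bytes and the manifest are constructed for the example; the one assumption that matters in practice is that the manifest reaches you by a path an attacker who can tamper with the shipment cannot also tamper with.

```python
"""Illustrative receipt-time integrity check against a vendor manifest (constructed data)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the pristine images the vendor built.
PRISTINE = {
    "cam-fw-2.4.1.bin": b"camera firmware build 2.4.1 (constructed sample)",
    "reader-fw-1.9.0.bin": b"reader firmware build 1.9.0 (constructed sample)",
    "lock-ctrl-3.0.2.bin": b"lock controller firmware build 3.0.2 (constructed sample)",
}

# Manifest as the vendor would publish it out-of-band, one "<sha256>  <name>" per line.
MANIFEST = "\n".join(f"{sha256_hex(b)}  {name}" for name, b in PRISTINE.items()) + "\n"

# Constructed contents of the shipment as actually received: one image altered,
# one missing, and an unlisted file present on the media.
RECEIVED = {
    "cam-fw-2.4.1.bin": PRISTINE["cam-fw-2.4.1.bin"],
    "reader-fw-1.9.0.bin": PRISTINE["reader-fw-1.9.0.bin"] + b"\x00extra",
    "installer-notes.txt": b"field notes left on the shipped USB stick",
}


def parse_manifest(text: str) -> dict:
    """Return {name: digest}; reject malformed or duplicate entries rather than skip them."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].strip()
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_shipment(manifest: dict, received: dict) -> dict:
    """Classify every item as ok, mismatch, missing or unexpected."""
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in received:
            report["missing"].append(name)
        elif sha256_hex(received[name]) != expected:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(set(received) - set(manifest))
    for key in report:
        report[key].sort()
    return report


def accept(report: dict) -> bool:
    """Accept only a complete shipment with no altered and no unlisted items."""
    return not (report["mismatch"] or report["missing"] or report["unexpected"])


if __name__ == "__main__":
    rep = verify_shipment(parse_manifest(MANIFEST), RECEIVED)
    for status, names in rep.items():
        print(f"{status:10s} {names}")
    print("ACCEPT" if accept(rep) else "REJECT: quarantine shipment and notify vendor")
```

The decision is deliberately all-or-nothing: a single altered image is enough to reject, and an unlisted file is treated as a finding rather than ignored, because a tampered shipment is as likely to add something as to change something. Digest matching proves the image is the one the vendor published; it says nothing about whether that published image is itself trustworthy, which is what the vendor evaluation and counterintelligence review elsewhere in this article are for.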

Executive-level leaders must be invested in the SCRM process along with the security professional. In most organizations, executives make the budgetary decisions and often focus on lowering costs of products and services. When considering the security enterprise and the protection of people, property and information, it is often difficult to quantify the effectiveness of adversary deterrence and the prevention of a security compromise. That said, executive-level budget and procurement decisions concerning security should focus on product quality, vendor and product reputation, manufacturing excellence, and the direct and indirect costs of procuring a product.[15] Following this formula can help ensure the long-term success of the security program, as opposed to simply deciding by price alone.

The National Institute of Standards and Technology (NIST) has developed a special publication (NIST SP 800-161) to assist security professionals and planners that provides guidance to federal agencies on identifying, assessing, and mitigating supply chain risks at all levels of their organizations. The publication integrates SCRM into agency risk-management activities by applying a multi-tiered, SCRM-specific approach, including guidance on assessing supply chain risk and applying mitigation activities.[16]

Illustrated below are examples of SCRM process flows that can be adapted for use within your organizations during respective planning activities:[17]&[18]

Because organizations are dependent on their supply chains to successfully achieve their security mission, it is vital for security professionals to continually monitor, review, and analyze supplier performance and benchmarks to reduce risk and drive program improvement. In doing so, organizations can identify and address any gaps that pose risk and, at the same time, potentially drive down costs associated with the overall security program.

Needs Assessment to Augment the Supply Chain Risk Management Process

In the context of physical security, it is important to first define your exact mission set and determine exactly who and what you are trying to protect. This is commonly called a “needs assessment.” By doing this, you establish the framework with which you can determine the most appropriate security platforms and systems necessary to protect your organization. To be effective, it is critical that the security professional have a clear understanding of the roles and responsibilities of every stakeholder within their organization, in order to set the level of protection (LOP) each requires and give them the tools they need to do their job.

Security professionals should make it their priority to understand how their programs and services are currently meeting the needs of their stakeholders. Metrics play an important role in this understanding and are used by many to identify gaps and subsequent needs to improve program and service deliveries. One complement to metrics can be to seek input from the stakeholders themselves to identify any problems or security challenges they may be seeing. This can be accomplished through surveys, regular stakeholder meetings and, if necessary, a multi-disciplined task force composed of interested parties. Stakeholder input may, and often does, identify gaps in security programs and services that may not be obvious.


Next, it’s often beneficial to combine your organization’s internal security metrics, along with stakeholder input, with security industry networking and benchmarking opportunities. Find out what the other security organizations are doing. Ascertain what they say works for them. Security professionals can benefit by coordinating with others in the industry who have similar mission sets and protection responsibilities. By comparing missions and activities across various security organizations, the security professional can avoid the costly mistakes made by others. They can identify gaps not previously known and save valuable time and money by directing focus on the most appropriate security platforms and systems necessary to optimize protection activities and functions. Finally, networking can afford an opportunity to combine forces in the procurement process to save precious budget monies. If someone else is also buying what you need, join in for economy of scale to get a better price.



Effective Procurement of Physical Security Systems and Platforms Is Vital

Undoubtedly, the goal of adversaries and foreign intelligence services is to disrupt our operations, target our employees and programs, and intercept information we are responsible to protect. Adversaries attempt to gain advantages by targeting our current and potential security systems and platforms. One tactic adversaries use is to target the security products and systems we purchase from external suppliers. With this fact in mind, it can be useful to engage counterintelligence professionals within your or another organization for their expertise in order to prevent an adversary’s ability to manipulate, re-engineer, or sabotage security products and systems your organization may intend to purchase. Accordingly, I recommend that security professionals invite a counterintelligence expert to become a part of your procurement team when purchasing any sensitive security equipment.

Once a security professional determines what the organization’s security needs are through proper evaluation and assessment, the focus should then move to an evaluation of suppliers for suitability. Effective evaluation must include the counterintelligence assessment previously mentioned, in conjunction with reasonable pricing, quality assurance of materials and service, vendor certifications and reputation within the industry, and product warranties.

One caution: while it is commonplace within procurement and purchasing circles to award contracts to bidders who offer the lowest price, careful consideration must be given to this practice when dealing with security equipment and systems. While complex and painstaking needs assessments and evaluation of suppliers are very useful, intangibles such as brand recognition, interoperability, product features, intellectual property, and computer software may come into play. Consequently, the supplier who offers maximum value, with all intangibles considered, should earn the award.

Threat Streams Impacting Physical Security in the Coming Months/Years

According to the most recent Intelligence Community (IC) Threat Assessment,[22] the United States faces a number of serious threats during the next few years.

According to the IC Assessment, the COVID-19 pandemic will “remain a threat to populations worldwide until vaccines and therapeutics are widely distributed. The economic and political implications of the pandemic will ripple through the world for years.”[23]

Vaccine rollout programs, policies mandating that vaccines be taken (especially among children), mask wearing, and vaccine passports have many critics. Notable protests and graphic examples of civil unrest have resulted in the United States and abroad. Government facilities and leaders have been the targets of the protesters. As previously suggested, security professionals leading programs and missions that safeguard government employees and facilities should be mindful of these threats and take the necessary force protection precautions. Consideration should be given to using armed security and law enforcement forces if your organization requires these resources and if your mission supports such expenditures. Experienced security professionals know that a strong, visible defense capability can prevent, discourage, or potentially delay an attack on our assets.

Mutating COVID-19 variants and limited vaccine efficacies may require thousands of employees to work remotely. From a continuity of operations and continuity of government perspective, organizations will need to figure out how employees can work remotely in a safe and secure operating environment. Managers and security professionals will continue to be challenged to meet needs and ensure productive outcomes.

Another threat to organizations involves rapidly evolving technology. According to the IC report, “China has a goal of achieving leadership in various emerging technology fields by 2030. China stands out as the primary strategic competitor to the U.S. because it has a well-resourced and comprehensive strategy to acquire and use technology to advance its national goals.”[24] China has long been known to target and steal government secrets and intellectual property through cyber-attacks on our nation’s systems. Our lights, locks, alarms, cameras, systems, and force protection efforts must be state-of-the-art and robust enough to withstand any attempt by Chinese state actors to intrude on our systems and exfiltrate information from them.

The IC report states that “China can launch cyber-attacks that, at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States.”[25] The report goes on to say that “Russia will remain a top cyber threat as it refines and employs its espionage, influence, and attack capabilities. Russia continues to target critical infrastructure…”[26] and that “Russia presents one of the most serious intelligence threats to the United States, using its intelligence services and influence tools to try to divide Western alliances.”[27] For those security organizations protecting classified missions, China and Russia — and Iran to a lesser degree — remain the most serious foreign threats in both cyber and intelligence collection.

Terrorist groups, such as “ISIS, al-Qa‘ida, and Iran and its militant allies continue to plot terrorist attacks against U.S. persons and interests,”[28] according to the IC report. This includes, to varying degrees, “targets within the United States.”[29]

Within the United States, federal authorities have been warning state and local officials since early 2016 that leftist extremists known as “antifa” have become increasingly confrontational and dangerous, so much so that the Department of Homeland Security formally classified their activities as “domestic terrorist violence” according to interviews and confidential law enforcement documents.[30]

During 2020, violent rioters targeted the federal courthouse in Portland on several days, clashing with federal, state and local police, and damaging property. On New Year’s Eve 2020, rioters in Philadelphia vandalized several federal buildings.[31]

January 6, 2021, marked the most significant breach of the Capitol in over 200 years.[32] The storming of the U.S. Capitol by protest groups injured dozens of police officers and significantly damaged property. FBI investigators determined that cells of protesters, including followers of the far-right Oath Keepers and Proud Boys groups, had aimed to break into the Capitol.[33]

A congressional after-action report (AAR) of the events on January 6 revealed several failures concerning the application of physical security principles at the Capitol, especially concerning force protection.[34] For example, the FBI and the Department of Homeland Security failed to issue a threat assessment warning of potential violence targeting the Capitol on January 6. United States Capitol Police (USCP) leadership was operating with limited information, which may have contributed to the failure to prepare both a department-wide operational plan and a staffing plan for the Congressional Joint Session meeting to certify the 2020 election.

The absence of a staffing plan, among other things, prevented officials from knowing exactly where all officers were located. The AAR also determined that USCP leadership failed to provide front-line officers with effective force-protective equipment and associated crowd control or basic civil disturbance tactics training. Communications that day were described as chaotic, sporadic, or, according to many front-line officers, non-existent.[35]

Acting Deputy Homeland Security Secretary Ken Cuccinelli tours the U.S. Capitol to survey riot damage on Jan. 6, 2021. (DHS photo)

Lessons learned from the January 6 event underscore the need for security professionals to strengthen relationships with their IC partners. In doing so, officials can effectively force-multiply resources and information, augmenting their security profiles at the facilities they are responsible for protecting.

The January 6 event elevates the debate about the rise of domestic violent extremist (DVE) groups and raises the specter of future violence against government and critical infrastructure facilities, law enforcement, and elected officials. DHS cautions that throughout the remainder of 2021, racially- or ethnically-motivated violent extremists (RMVEs) and anti-government/anti-authority violent extremists will remain a national threat priority for the United States.[36] Security professionals with government and critical infrastructure protection missions should be mindful of these potential threats and consider appropriate countermeasures for their security platforms.

Lastly, increasing surges in migration by Central American populations should concern law enforcement and other professionals with security missions. Although Customs and Border Protection (CBP) has interdicted over one million persons (through July 2021) entering the U.S. illegally, it remains unclear how many crossed undetected and are now inside the interior of the United States. While CBP’s top priority is to keep terrorists and their weapons from entering the U.S., no one can say with certainty whether any terrorists have successfully entered the country and now pose a threat to our security. This uncertainty should greatly concern every security professional with a government or infrastructure security mission.

The Bottom Line

In conclusion, it is important to remember that physical security is the foundation from which all other security platforms effectively reside and thrive. Threats are always evolving, and security must be built into every action we do as an organization. There are always security processes and procedures that we can improve. And no matter how advanced technology, security platforms, and systems become, that fact will never eliminate the need for people — competent and dedicated people — to direct our respective security missions.