CMS Sources Sought: Physical Access Management (PAM) Development and Maintenance

Sources Sought #A220065

PAM is a subsystem of the CMS Electronic Security System (ESS) that provides automation of physical security processes at CMS facilities using a web portal and automation scripts.

PAM was developed using a commercial off-the-shelf framework called GroupAssure, and under the previous Physical Security System Customization contracts, CMS has created custom modules that automate physical access related activities and employ authentication with agency Personal Identity Verification (PIV) credentials.

CMS requires that the current system, which includes several Linux and Windows servers, receive regular patch management, hardware maintenance, and system administration to stay in compliance with Federal Information Security Management Act (FISMA) regulations and maintain its Authority to Operate on the CMS network. In addition, the contractor will maintain, develop and test the PAM web application and databases.

Contractors should have extensive knowledge of system administration practices such as executing Corrective Action Plan (CAP) milestones and closing open Plans of Action and Milestones (POAMs) for identified system weaknesses. The PAM web portal is built on a variety of technologies, and the contractor should have extensive knowledge of the following areas:

  • Hypertext Preprocessor (PHP) and Active Server Pages (ASP)
  • MySQL and MSSQL databases
  • Apache and Internet Information Services (IIS) Web Servers
  • VMware vCenter Server
  • Simple Object Access Protocol (SOAP) web services
  • Linux and Windows Server administration
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG)
  • Public Key Infrastructure, OpenSSL and certificate management
  • Client-side certificate authentication
  • Secure Shell (SSH)
  • Representational State Transfer (REST) Application Programming Interface (API)

The following requirements are meant to provide potential responders with an overview of the types of support that would be required. Note: this list is not meant to be all-inclusive:

  1. Develop enhancements and bug fixes for existing PAM web portal source code using HTML, JavaScript, Hypertext Preprocessor (PHP) and Cascading Style Sheets (CSS).
  2. Develop new modules for PAM that will automate physical access activities.
  3. Perform software testing using open source technologies to scan and perform penetration testing on new PAM source code for each release.
  4. Participate in Section 508 testing of new code to ensure all web applications are fully accessible.
  5. Participate in system audits to determine the confidentiality, integrity and availability of data that resides on PAM servers.
  6. Execute Corrective Action Plan (CAP) milestones and close open Plans of Action and Milestones (POAMs) for identified system weaknesses.
  7. Develop operator and user training materials and conduct training for new PAM modules and enhancements.
  8. Perform regular patch management, hardware maintenance, and system administration of the PAM infrastructure.
  9. Use web services such as Simple Object Access Protocol (SOAP) to communicate with systems such as Physical Access Control Systems (PACS) and Smart Card Management Systems (SCMS) to provide automation.
  10. Create, review, and update system and user documentation.
  11. Provide customer support for the PAM mailbox.
