​A few miles from the Pentagon sits the new home of the Department of Defense’s (DoD) Washington Headquarters Service, which provides administrative and operational support to the four military services and the Pentagon. By mid-2012, more than 6,000 workers previously spread out across the National Capital Region (NCR) will have relocated to this 1.8-million-square-foot, twin-towered building as part of the Base Realignment and Closure (BRAC) plan. Officially named BRAC 133, the facility is known as the Mark Center, named for the area in Alexandria, Virginia, where it resides.

The consolidation, which began in August, will allow the Pentagon to cut the expense of leasing more than 2 million square feet across the NCR while fostering work force coordination and cooperation. In addition, the consolidation makes it easier for the Pentagon Force Protection Agency (PFPA), which is the DoD’s security management and police force, to protect the DoD’s employees and contractors from threats like terrorism.

In August and September, I traveled to the Mark Center to meet with Craig Girard, the PFPA project liaison for force protection at the complex, to learn why, despite some criticisms about its location, the Mark Center is considered the new model for government facility security.

Threatscape

The PFPA sees two types of events as most important to defend against: a Fort Hood-style insider threat and an Oklahoma City-style bombing. To do that, the PFPA has blanketed the facility with multiple and redundant security layers using best-of-breed technology. But the decision to build the facility in a congested part of Northern Virginia next to a major interstate highway has raised concerns. Aside from traffic issues, some security experts and watchdog groups say that the facility is vulnerable to an Oklahoma City-style attack in which a truck filled with explosives is parked next to the building. As Girard showed me around, he explained why the PFPA believed it had adequately countered that and other threats.

Secure Envelopes

On one of my visits, Girard and I stood on the glass-enclosed pedestrian bridge that connects the visitor’s parking garage to the security checkpoint. Girard looked at one of the guard booths processing employees as they drove onto the secure campus. Off to my left stood a police officer, watching the pedestrian bridge as tenants and visitors walked toward the first “envelope of security,” as Girard called it.

As the gate arm went up, the car slowly rolled down a narrow lane toward an employee parking garage. “If there [were] some problem at the gate, officers [could] activate those barriers and prevent anyone from getting onto the campus,” said Girard of the K12-rated active vehicle barriers lying dormant at ground level between the guard booth and the parking garage. He also pointed out that the landscape is designed to work in conjunction with bollards that line the building perimeter to prevent any vehicle from getting too close and delivering an explosive payload.

Hundreds of IP cameras help PFPA maintain visual surveillance of the guard platform and the compound’s outside grounds. These feed into the Mark Center’s Security Operations Center (SOC), where operators watching computer screens and mounted flat-screen TVs for threats and alarms have the ability to radio the closest armed private security guard or Pentagon Police officer if necessary.

At the end of the pedestrian bridge, tenants are greeted by a bank of full-height turnstiles that control access to the secure campus beyond. Each employee presents the DoD Common Access Card (CAC) to a contactless reader. Visitors, however, must enter the visitor control center to register, receive a time-controlled badge, walk through a metal detector, and have their bags x-rayed before entering the secure campus.

“The visitor cards are time-controlled,” explained Girard. “They are business hours only, so if you spirit one away, you can’t use it at night.”

The PFPA can also control the card’s time parameters at will for extra security and to accommodate needs. If a visitor’s schedule changes, PFPA can adjust the card accordingly.

After the first envelope of security, employees and visitors must go through another bank of full-height “intelligent” turnstiles, equipped with sensors that can detect tailgating, when a person tries to enter the quadrant directly behind a cleared employee or visitor. When that activity is detected, the turnstile backs the offenders out.

Calibrating the turnstile sensors was a challenge for Derek Nagel, access control branch chief for the PFPA’s Project Integration Directorate, and his team. They had to tweak it just right so that somebody passing through with a big bag or a rucksack wouldn’t trigger an alarm and slow down throughput. Currently, 12 to 13 tenants can pass through each of the four turnstiles per minute.

Tenants and visitors alike can find the turnstiles intimidating if they’ve never worked in such a secure building. Before the Mark Center, 90 percent of these DoD employees and contractors simply flashed their pass in front of a guard to enter a building. Now they’re confronted with futuristic- looking tubes.

“Some people think they’re rocket ships—I mean they literally think they’re being full-body-scanned,” says Nagel. “They don’t understand what these things are doing, so there’s a huge learning curve.”

To help new tenants get comfortable with the turnstiles, Nagel’s team developed training videos and materials, conducted hands-on tenant training sessions, and rolled out a massive education and awareness campaign. A train-the-trainer mind-set has spontaneously emerged from these initial efforts, with knowledgeable tenants teaching newcomers how to navigate the turnstiles. The armed private security guards and Pentagon police officers who are nearby to watch over the lobby can also help tenants use the turnstiles if need be.

Identity Management

What makes the Mark Center stand out is its identity management and access control solution, known as the Privilege Management Program (PMP). This system is a source of pride because it helped the Mark Center become the first building to be compliant with Homeland Security Presidential Directive-12. That directive, issued by President Bush in August 2004, mandated implementation of a government-wide secure identification credential that could be used for physical and logical access to federal facilities and networks.

Under the PMP program, every DoD civilian, military, and contract employee working at the Mark Center must undergo a required background check mandated by HSPD-12 and must be enrolled in the PMP before being issued an HSPD-12 compliant CAC.

As a part of the enrollment process, each person must meet with an agent in the access control division. The person’s biometric and biographical data is processed and stored in the PMP system, which will be tied to the CAC.

The process is thorough but not time-consuming. “The whole process, if you know what you’re doing, only takes three or four minutes,” says Nagel.

Through the PMP, PFPA can grant different access rights for tenants combined with multiple authentication factors. In the most common scenario, tenants will use their CACs alone to get on the campus (one-factor authentication).

They then will use the card again, possibly plus a biometric, to enter the building (two-factor authentication). The lobby turnstiles come equipped with fingerprint and iris scanners but these are not yet in use because of concerns with throughput, a problem Nagel and his team are currently trying to solve. If they cannot find a solution that delivers an acceptable level of throughput, biometrics may be activated only during times of elevated threat.

The next access control layer requires that tenants use their cards to get into their office space, at which point they may have to use both biometric and PIN verification, depending on the required security level (three-factor authentication).

Another exciting aspect of the PMP for Nagel is the possibility of “airline style ticketing” for visitor management. In this scenario, visitors invited by a tenant will be able to go online and feed their information into a PMP-enabled secure Web portal before they arrive at the Mark Center. Then the visitor will “arrive with a printed out boarding pass or have the ability to print locally at a kiosk,” he says.

And there may even be a biometric component to that too eventually. “For recurring visitors who frequent our sites, they could present an iris or fingerprint and be issued a visitor’s badge,” says Nagel. The enrollment process would be one-time only.

Possibly the most important aspect of the PMP is that it leverages open standards, which allows the PFPA to mix vendor products easily. It will also make lifecycle replacement easier, says Nagel.

This will matter even more in the Pentagon, where Nagel is bringing PMP next. Beginning in October, the PFPA’s integrator began upgrading the Pentagon’s more than 5,000 card readers and 2,000 physical access control systems. “The card readers are multi-technology and provide a transitional solution, both magstripe and contactless simultaneously, so PFPA can accommodate a smooth transition from their current building badges to use of the CAC,” says Nagel.

Getting identity management and verification right is a necessity for PFPA, especially at the Pentagon. “How do we better vet employees that are coming into the building?” asks PFPA Director Steven Calvery. “It’s especially acute here at DoD because of what happened at Fort Hood.”

The Mark Center, fortuitously, will give PFPA the ability to answer that question. “The Mark Center has given us the opportunity to deploy some of the technology on a smaller scale and put it in real-life operations so we can deploy it here at the Pentagon,” he says, noting that the Pentagon has nearly four times as many employees as the Mark Center.

Blast Resistance

A major concern, as mentioned, is the threat of a large truck bomb being used to demolish the building and kill and injure a large percentage of its tenants.

In early September, TIME Magazine obtained an internal Pentagon blast study of the Mark Center using hypothetical payloads derived from past terrorist attacks, including the 1983 Beirut, 1995 Oklahoma City, 1996 Khobar Towers, and 1998 Nairobi truck bomb attacks. Its analysis was frightening.

“Several of the studies show the Mark Center would be essentially wiped out,” TIME’s Mark Benjamin reported. “Some scenarios show almost the entire 6,400-worker facility bathed in red, indicating areas with: ‘Many serious injuries and many fatalities in outer offices. Wall and window debris in these areas will be thrown toward interiors and will cause moderate to severe injuries with potential fatalities in inner offices.’”

Whistleblowers and watchdogs have long said the Mark Center was a mistake and couldn’t withstand previous blast payloads delivered in other successful attacks on military and government buildings. As the Project on Government Oversight (POGO) wrote in a letter to Defense Secretary Robert M. Gates in April before the facility opened, “Military explosives experts have told POGO that an eighteen-wheeler full of ammonium nitrate or other military grade explosive could easily be detonated in close proximity to the proposed building, killing hundreds to thousands of DoD and contractor support employees.”

One vulnerability is the possibility that a terrorist could simply park on the shoulder of I-395 and trigger a huge blast. “The building is...less than 164 feet off I-395,” POGO’s letter noted.

Responding to that report, Calvery and William E. Brazis, director of the Washington Headquarters Services, issued a security message to tenants assuaging any fears they might have. “We want to convey to every member of the DoD team at the Mark Center Complex that this facility is one of the safest and most structurally-advanced office buildings in the National Capital Region,” the two officials wrote. In the letter, Calvery and Brazis explained that the Mark Center met the DoD’s antiterrorism standards for force protection and standoff distances.

It’s a point Girard reiterates in person. He says that the standoff distance mentioned by POGO doesn’t take into account the south parking garage running along the side of the building facing the interstate highway. This “actually forms a barrier,” he says. “And that’s one of the reasons that it is where it is.”

Girard further notes that large delivery and construction vehicles capable of delivering big blast payloads receive K-9 explosives screening at the remote delivery facility, which sits about 600 feet away from the building. Adding another layer of security, SOC personnel monitor traffic around the campus to ensure that suspicious vehicles do not get too close to the building, notes Girard.

Peter Stockton, a senior investigator at POGO, however, remains skeptical. Military explosives experts who spoke to him on the condition of anonymity have said the parking garage would not protect the building from a 15,000-pound bomb, (but that’s three times the size of the Oklahoma City bomb). Stockton says that, according to his military sources, even a blast-resistant wall erected between I-395 and the building wouldn’t solve the problem. Stockton also adds that the blast distances around the Mark Center make no sense when compared to the DoD’s decision in 2004 to spend $35 million to reroute a highway away from the Pentagon. Stockton is simply shocked that DoD would spend that kind of money to move one road away from the Pentagon because of car- and truck-bomb concerns and then build another facility next to one of the busiest highways in America, where tractor-trailers are a common sight.

But whether or not the Mark Center was built in the right location is irrelevant now for the PFPA. Security professionals know that they have to play whatever hand they are dealt. “You build the best building with the best security at the place you’re given,” says Girard.