PACS Vendor Support

We build and operate a vendor-side testing environment aligned with the public requirements in FIPS 201-3, NIST SP 800-73, SP 800-76, SP 800-78, SP 800-116, the GSA Enterprise PACS Implementation Guide, and the published FRTC. This environment exercises the same categories of behavior that vendors will encounter during the official evaluation, including:

• PIV authentication sequences
• Certificate path validation and revocation handling
• CHUID/PIV data model interpretation
• Reader/Controller/Panel decision behavior
• Error handling and response messaging
• Trusted certificate root selection
• Mapping certificate fields to access decisions

All testing performed by SynchroCyber uses only the publicly available test descriptions and does not involve GSA-owned tools, non-public procedures, or internal evaluation mechanisms.  The purpose is to identify issues early and help vendors enter the formal evaluation in a fully prepared state.

If SynchroCyber assists a vendor with pre-submission testing and is later assigned to support the official evaluation of that same product. In that case, we disclose this relationship to GSA before any evaluation work occurs. Participation only proceeds if GSA reviews the disclosure, determines that any conflict can be mitigated, and provides explicit approval.

• Executing the public FRTC test cases in a vendor-side environmentVerifying authentication correctness (CAK, BIO, BIO-A, CHUID, CHUID-CAK)
• Testing behavior with PIV, PIV-I, CAC, and ICAM Test credentialsEvaluating reader, controller, and panel behavior against published requirementsIdentifying logic, certificate validation, or standards misalignment
• Preparing a test environment aligned to public FIPS 201, NIST, and ePACS requirements
• Helping reduce the likelihood of resubmission by addressing avoidable issues early

• Trust-chain validation debugging (Root → Intermediate → Credential)
• Correct installation of trust anchors and required Federal PKI CAs
• Validating OCSP/CRL configuration and revocation-checking behavior
• Troubleshooting authentication failures
• Ensuring the correct handling of revoked, expired, or malformed certificates
• Understanding PIV-I and cross-certified trust chain behavior
• Identifying certificate-validation logic issues in readers, controllers, and middleware

• Checking reader authentication mode behavior
• Reviewing controller decision logic and error-handling
• Validating CHUID interpretation
• Exercising biometric and certificate-based authentication flows
• Verifying handling of revoked or unknown credentials

This helps ensure consistent device behavior and alignment with expected FRTC outcomes.

• System and network topology diagrams
• Trust path and certificate validation flow diagrams
• Configuration guides for controllers, readers, and validation servers
• Product documentation required by GSA/MSO
• Mapping vendor capability claims to FIPS 201 requirements
• Technical responses to Evaluation Program inquiries

• Mapping PACS identity data to USAccess records
• Supporting PACS provisioning through SynchroSIP integrations
• Ensuring PIV attributes and lifecycle changes flow correctly into PACS
• Supporting ICAM governance and identity quality requirements

• Reproducing findings and identifying root-cause issues
• Fixing design, configuration, and certificate-validation problems
• Updating and retesting components using the public FRTC requirements
• Preparing a corrective action plan for GSA resubmission