In the wake of 9/11, the Federal Government’s secure-the-fort, big idea was to create an identity credential for all federal employees and contractors. Homeland Security Presidential Directive (HSPD)-12 set it all in motion. Today, we know the smartcard-based credential that arose from HSPD-12 as the Personal Identity Verification (PIV) card.

The PIV card is meant to give employees/contractors physical access to federal facilities and logical access to federal information systems. While using a PIV card for logical access has been largely successful and compliant with HSPD-12, implementing PIV-based, physical access control systems (PACS) has been much more difficult to conquer. As a result, HSPD-12 compliance for PACS has largely eluded the Federal Government. The noncompliance reasons are many, but there is now hope for fully achieving HSPD-12’s mandates.

Interoperability With Any Agency’s PIV

Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planetAll Executive Branch employees and long-term contractors, including the entire Department of Defense, have been issued PIV cards. This has been true since 2013. Beyond Passports, PIV cards represent the only other open-standards-based, multi-vendor-supported, identity credential program on the planet.

It seems so simple, where employees/contractors previously used their proximity card to open a federal facility door or go through a turnstile, they should now be able to use their PIV card. However, HSPD-12 took the PIV requirement one step further – compliant PACS must be interoperable with any agency’s PIV. This introduced an entire magnitude of additional complexity.

A compliant, interoperable, PIV-based PACS should work like this: an authorized employee (or contractor) presents a PIV card (contact or contactless) to a card reader to enter whichever federal agency building they have reason to be. Over the last 14 years, in all but a very few cases, the lack of PACS’ HSPD-12 compliance has prevented this from happening.

Secure Credential Policy

Today, less than 1% of the Federal Government’s PACS are HSPD-12-compliant. At most federal facilities, especially those outside the National Capitol Region, a noncompliant PACS works like this: an authorized employee (or contractor) presents a proximity (‘prox’) badge to a proximity card reader to enter his or her agency’s facility. At the fraction of federal facilities with upgraded PACS that work with PIV cards, virtually all such PACS fail to properly use a minimum number of PIV security features before granting access – let alone interoperate with a PIV card from any other agency.

Active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 complianceNew federal initiatives frequently suffer from having no policy to enforce their roll-out. That isn’t the case with PACS compliance. Policies have been in place for so long that newer policies like Office of Management and Budget (OMB) M-11-11 (February 3, 2011) remind everyone what the policies said in 2004 and 2006. This year, OMB publicized its proposed OMB M-18-XX (Draft), which will replace M-11-11. OMB M-18-XX’s (Draft) main PACS thrust is, once again, to ensure that everyone understands what the Federal Government’s secure credential policy is. It hasn’t changed since 2004.

It would be tempting to say that PACS technology isn’t mature, but that isn’t the case. In 2013, the Federal Government revamped the PACS portion of the FIPS 201 Evaluation Program and, since that time, all PACS on the General Services Administration’s (GSA) Approved Products List are 100% compliant and interoperable. Yet, on any given day, active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance.

The usual suspects, policy and technology, are not the culprits for this epic delay.

An authorised employee presents a proximity badge to a proximity card reader to enter his or her agency’s facility
An authorized employee presents a PIV card to a card reader to enter whichever federal agency building they have reason to be

Difficulties In Adopting HPSP-12 Compliance For PACS

  • Standards – The Federal Government’s approach to standards is to avoid a great deal of specificity. It’s an unspoken tenet that federal standards must be flexible, promote innovation and avoid disadvantaging any participating market segment. The opposite is true if your goal is interoperability: nearly every detail must be specified. Consider the standards-based success story of chip-based credit cards. When was the last time you used a credit card and it didn’t work? Interoperability failures are nearly unheard of. If you look at the hundreds of volumes of technical specifications that cover minute aspects of every component in credit cards and payment terminals, you quickly realize why it works so well. Nothing is left to chance, nothing is a variable, and there is no optionality.

The Good News: Work to increase viability through deep scrutiny has progressed in recent years. The GSA APL PACS Testing Lab, set up in 2013, annually tests credentials from all PIV issuers against all GSA-approved PACS. This testing has significantly reduced interoperability failures at federal facilities.

  • Collaboration – In the past, physical access practitioners from federal agencies rarely collaborated, unlike their logical access counterparts. This is also true for PACS procurement decision-makers across agencies and facilities.

The Good News: In 2018, an agency trend has emerged where finally physical access, physical security and IT practitioners have begun sitting down to discuss their shared responsibilities. We have already begun to see coordinated budget requests between IT and Security with enterprise architectures positioning PACS as an enterprise service on the network

  • Scale – The Federal Government owns so many buildings that they can’t be counted. Google doesn’t know how many there are and neither does any one government official.
  • Variability – A significant percentage of facilities have unique aspects making a one-size-fits-all approach infeasible.

The Good News: Mature consulting services can now help agencies marry federal requirements with their unique environments to develop robust PACS enterprise architectures. As we see this occurring more and more frequently, a repeatable, achievable, systems-based upgrade of all PACS may be on the horizon.

Active government solicitations are issued for new, non-compliant, proximity-based systems that perpetuate the delay to HSPD-12 compliance
The GSA APL PACS Testing Lab annually tests credentials from all PIV issuers against all GSA-approved PACS
  • Provenance – In many cases, different groups own different parts of a single facility, not all of whom might be subject to, or wish to interoperate with, a high-assurance compliant PACS. For example, GSA manages facilities for Legislative and Judicial tenants who aren’t subject to HSPD-12. Policy dictates that GSA manage the PACS for the front doors of these facilities should be HSPD-12-compliant, despite the fact that these tenants likely don’t have credentials that work with this technology. Sure, these tenants could commercially obtain a PIV-I credential, but almost none have.
  • Economics – It’s difficult for agencies to create their annual security budget requests when HPSD-12 PACS upgrades are in scope, because so many unknowns exist at each facility. To assess the cost, the time to complete, and the facility’s existing equipment inventory, it would be logical for an agency to hire a contractor with PACS expertise to perform a site assessment. Having to do capital planning for an assessment phase in advance of making the annual budget request for the PACS upgrade creates a never-ending cycle of delay. Especially at agencies with multi-year capital planning requirements. Many agencies, trying to avoid this delay cycle, have fallen prey to doing site assessments themselves. This results in their integrators doing their walk-throughs after the contract is awarded. This is the leading cause of PACS upgrade cost overruns.
  • Dependence on the agency’s IT department – Historically, PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise, let alone the Internet. High-assurance PACS that validate credentials from other agencies must now communicate with many different systems on an enterprise network and over the Internet – so much so that the Federal Government reclassified PACS as IT systems.

The Good News: With collaboration increasing between Physical Security Officers (PSOs) and Chief Information Officer (CIOs), we expect this to improve in due course.

  • Resistance to change – This is a classic human factors challenge, and it’s a big one. PSOs have spent decades achieving their positions. PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted. When the value proposition is clear, change is adopted more readily. But security value isn’t easily measured or observed. It is often said that the best performance review for a PSO is to note that nothing happened. And when something does happen, it is necessarily kept quiet so the risk can be remediated without calling attention to the vulnerability in the interim. To date, the value proposition of moving to PIV-based PACS has been entirely based on policy (without corresponding funding in most cases) and through the shock value of white hat hackers, showing how easily most proximity badges can be cloned. This is not the stuff of change agents.
PACS have been deployed on dedicated networks and are rarely ever connected to the enterprise
PIV-based PACS could not be more different from the technologies that proceeded it, and such radical change is often resisted

Are These Challenges A Unique Situation?

No, these PACS challenges are not unique. Cybersecurity initially faced many of the same challenges that federal PACS face today. By 2000, the Federal Government recognized its urgent need to improve cybersecurity practices across its computing infrastructure and issued many policies that required agencies to improve. Improvement was sparse and inconsistent. GSA Schedules were set up to help agencies buy approved products and services to assist them, but this too produced lacklustre results.

The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned a system

Congress enacted the Federal Information Security Management Act of 2002 (FISMA) (now amended by the Federal Information Security Modernization Action of 2014). FISMA mandates an Authority To Operate (ATO) accreditation process for all information systems. The Federal Government found that the best cybersecurity results occurred when enforced at the time an agency commissioned (vs. purchased) a system.

FISMA and ATO accreditation has been highly successful when implementing new systems. These cybersecurity requirements are the closest thing that the Federal Government has to the ‘PIV Police’ today. However, the PIV requirements in FISMA and ATOs currently apply to only logical access for information systems.

The proposed OMB M-18-XX (Draft) mentions that a FISMA PACS overlay to NIST SP 800-53 is forthcoming. The intent of the PACS overlay is to use the army of ATO accrediting officials in the Federal Government and enable them to assess implemented PACS as fit for purpose. This is the first time an enforcement approach has been brought forward that could reasonably succeed.

How Long For HSPD-12 Compliance?

We know that it won’t take another 14 years to achieve HSPD-12 compliance. Pockets of compliance are popping up. Compliant procurements do exist, and the state of PACS across the Federal Government is better in 2018 than in any previous year. Progress to date has been at a constant rate. The question is: what would take for progress to occur at an exponential rate instead? A major attack or compromise involving PACS would certainly hasten upgrades, but let’s hope that’s not the solution.

The energy distribution sector has been riding a wave of security upgrade demands to retrofit their facilities across the U.S.

The energy distribution sector, under nearly constant Advanced Persistent Threat attacks, has been riding a wave of security upgrade demands to retrofit their facilities across the U.S. The potential threat exists for Federal Government facilities as well.

Looking into the federal PACS-compliance crystal ball, we’re beginning to see the faint outline of a multi-faceted campaign of education, budgetary oversight and accreditation of PACS that will ultimately see us past the tipping point. Consider though, at the current rate of PACS enablement, a 50% compliance rate is still far in the future.

When that day arrives, the PIV card form factor may no longer be the key that fits that future lock. (Are you already using a mobile device’s Bluetooth interface to open the door to your office building?) Taking decades to perform a technology upgrade is the aging elephant in the room no one talks about. By the time critical mass is achieved with an upgrade facing these many challenges, there are typically compelling reasons to start over again with the next generation of technology. That cycle may well prove to be the Federal Government’s biggest PACS challenge of all.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Jeff Nigriny President and Founder, CertiPath

In case you missed it

Finding Missing Persons Collaboratively Through AI
Finding Missing Persons Collaboratively Through AI

Smart cities, airports, stadiums, hospitals and other organizations are now liaising with government bodies and law enforcement to propel a new dawn of collaborative security and communication. The influx of new technology coupled with the ever-changing political and social landscapes has meant security is having to evolve. Artificial Intelligence is now allowing law enforcement, security personnel and organizations to a transformational method of fighting crime, maintaining public security and significantly finding persons of interest. AI-powered surveillance cameras Utilising surveillance cameras with implemented AI has revolutionized finding missing persons. Facial Recognition and IREX.ai’s “Searchveillance” have equipped both the public and private sector with the tools to collaboratively work together in finding persons of interest. The influx of new technology coupled with the ever-changing political and social landscapes has meant security is having to evolve Finding missing persons has been an underfunded and challenging issue across society, with many countries having no funding at all after the initial police investigation. Through artificial intelligence, surveillance cameras will never sleep on finding missing people by setting up alerts for once a missing person appears under surveillance. How it’s happening Technology like IREX.ai has delivered an AI collaborative security solution which is implemented into surveillance cameras enabling them to become “smart cameras”. Both public and private sector have not been able to collaborate through utilising their existing cameras, which are now powered by AI-backed smart video technology. With surveillance systems now veering toward becoming cloud based, this now allows an unlimited number of cameras for an organization or city to connect to. The AI platform is helping bringing about a collaborative network to help monitor crowded public areas in real time, something that would have taken a lot of manpower, time and cost to produce. Quicker response through “searchveillance” This has now become a crucial element in the fight against COVID-19. The ability to track and trace has been very effective but this particular AI module may only just be getting started in the fight to find persons of interest. When an individual goes missing or is abducted, every second is crucial along with information gathered. Unfortunately, this brings in human-error, when a person believes they may have seen the person of interest, it can lead law enforcement and authorities critically, in the wrong direction. AI-powered Facial Recognition helps eliminate human-error through 99.5% accuracy success, leading authorities to definitive sightings and factual information through the help of AI. “Searchveillance” enables authorities to liaise with the public and private sector organizations who have implemented the AI into their surveillance to run a single search with the person of interest’s photo. Instantaneously the user receives immediate results of, if and when this person last appeared under surveillance. Long-term missing persons It’s common knowledge that after 72 hours, statistically speaking the chance of finding the individual quickly diminish, but that doesn’t mean people stop searching. This week alone, September 2020, US Marshalls found and rescued 25 missing children in Ohio, many of whom had been missing for years. AI-powered facial recognition helps eliminate human-error through 99.5% accuracy success Implementing AI into surveillance cameras is becoming more frequently adopted around the world, enabling alerts in surveillance cameras and notifying appropriate law enforcement when a missing person appears under surveillance are all extraordinary tools. The alert system from the persons photo in the software. Facial recognition allows law enforcement to receive real-time footage of the missing person and their location. It is of great assistance for law enforcement to simply receive a notification and a real time feed of individual they are looking for. Security is becoming a more collaborative effort In light of recent events throughout the world, with protests surrounding police brutality, rioting, violence and deaths, security is evolving and it has to. Enabling technologies and building security collaboration and communication platforms is assisting in the fight to find missing people. It’s not just smart cities and smart airports who are providing a fishing net for find persons of interest, it’s also stadiums. The Superbowl and other major sporting events generate some of the biggest human slavery and trafficking busts of the year. Stadiums are now harnessing the responsibility to help counteract this and set up these alerts, utilize the AI in their cameras and collaborate with authorities, thus playing their part in finding persons of interest. IREX.ai has helped deliver the AI and the platform for collaborative security and communication, as technology grows and becomes more in our lives than we care for it to be, you often forget of the results it can provide, such as reuniting a family.

In Pursuit of Providing a Safe and Secure Environment in the Workplace
In Pursuit of Providing a Safe and Secure Environment in the Workplace

All public properties are faced with a diverse and complicated set of safety and security risks, from health and safety to violence, terrorism, natural disasters, fires, political and environmental. Reducing safety and security risks requires the hands-on support of all operating teams, not just the security team, each playing their part in the pursuit of providing a safe and secure environment for all customers and staff. The challenge is twofold, one many still rely on antiquated logbooks, checklists, and manuals to manage the broad spectrum of safety and security risks. And two, the resources we rely on to complete the tasks necessary to improve safety are generally junior, inexperienced, and not particularly loyal to the business. Continuing to rely on these outdated and complicated management practices is risky and could be very costly. It leaves organizations exposed to safety and security related incidents, it is unreliable, reactive, resource intensive, and easily debatable. Complex risks To complicate matters, as safety and security risks continue to grow more complex, the corresponding operating costs are also on the rise. Regulatory fines, commercial insurance premiums and lawsuits are increasing year over year, making non-compliance with safety regulations a risk no one can afford. Not only is business continuity a concern, but when something goes wrong, the negative impact on the brand/reputation and resulting legal liabilities and regulatory fines will cost dearly. We envision a world where physical safety is managed with the same commitment as digital and financial security At Zendelity, we envision a world where physical safety is managed with the same commitment as digital and financial security; where all safety and security risks are managed with the same level of due diligence and accountability. A day in the life To understand just how much risk these outdated management practices are exposing operations to and how complicated managing safety and security has become, we will look at just a single weave in the web of corporate safety and security. It’s a simple, yet common safety risk, one that every operation is faced with, the ‘slip and fall’ accident.  It’s the perfect example of a safety risk that no operation is immune to, it touches multiple departmental silos and when it happens you can be sure the executive management team will know all about it. Consider this for a moment, according to the Ontario Workplace Safety & Prevention Services (WSPS), 80 workers are injured every day because of a fall - that's one every 20 minutes and the cost to the organization is approximately $59,000 per injury. Now consider this, in Ottawa, Canada, on average it snows 63 days a year. Each time it snows, all public entrance ways will need to be shoveled and salted a minimum of twice per snow fall, halfway through and at the end. In the case, of an elementary school, hotel, hospital, apartment complex or commercial building, that has 9 entrance ways leading to the great outdoors that will translate to a minimum of 1132 net new tasks that must be completed per year on top of all the other daily safety requirements. Now ask yourself this, how often do you suppose one of those entrance ways are missed?  At an average cost of $60K for a slip and fall accident, I’m not sure I would want to play the odds. The challenge is not the job, that is simple enough, the challenge is making sure it gets done in the first place. While responsibilities are listed in safety manuals, requirements change based on the amount of snow or weather conditions making it hard for staff to remember the rules. Communicating requirements to staff is often done with paper-based checklists that are being updated, reprinted, and manually distributed. To measure and manage compliance, completed checklists are collected, and results manually compiled.  Inspections are invested in, to identify potential procedural errors, and catch negligence before someone gets hurt. Access to the data necessary to verify work and understand how the team is actually performing is time-consuming to consolidate, outdated and nearly impossible to verify. The stakes are getting higher The focus and priority of safety and security have been growing year over year While COVID has recently put the spotlight on safety procedures and the risk of a slip and fall is a simple example of the daily safety risks companies face, the focus and priority of safety and security have been growing year over year. Today more than ever before our physical safety and security is at increased risk, the threat of natural disasters, terrorism, violence or political actions has never before been at this level. Today people are equally as concerned for their physical safety as their financial and personal information. On top of the fear uncertainty and doubt in the minds of customers and staff, all businesses are facing an increase in operating costs, related to safety and security, according to: The Insurance Journal, commercial property insurance is expected to increase by an average of 20% in 2020, in one part due to the extreme catastrophic weather and wildfires since 2017 which have had a direct impact on pricing. A survey by U.S.-based Marsh LLC found that rates for directors and officers liability insurance rose more than 100% in the UK in Q2 as insurers fear that the pandemic will lead to hefty litigation claims. Occupational Safety and Health Association, for a willful violation, in which an employer knowingly failed to comply with an OSHA standard or demonstrated a plain indifference for employee safety, the maximum penalty has increase to $134,937/violation in 2020. The National Safety Council, the average cost of a workplace fatality and preventable death is now $1.19M. In addition to the legal and regulatory requirements, organizations are also faced with the new ‘see through economy’ where nothing is secret. Social media has created a world where it is no longer possible to keep even the smallest of incidents out of the public eye, exposing the brand in ways never before seen. When something goes viral, everyone, including customers, prospects, business partners, investors, etc. will know about it. To put the power of social media into perspective, consider a study by Cornell University, who found that hotels can expect to see an increase of 39% in their average daily rate if they can increase their score by just one unit on TripAdvisor, say from 3.5 to 4.5! A 39% increase in revenue is a huge incentive to protect the brand from the negative connotation of a safety and security incident taking place on your property, even if it’s as simple as a slip and fall accident. We envision a world where… At Zendelity, we envision a world where all organizations have a system of record for all types and levels of safety and security actions and issues. Where the safety and security team have a 365-degree view of all safety risks across the property and access to the real-time data necessary to improve response times. Where managing operating compliance is as simple as viewing a dashboard, running a report or receiving an automatic notification. We envision a time where operations will promote their ‘safety and security score’ as a badge of honor, as a means of competitive differentiation.  Similar to a ‘5-star hotel’, customers and guests will look for a ‘safety and security report card’ and those with a good track record will differentiate. Safety and security have become a complicated web We envision a world with smarter cities, where emergency services are able to respond faster and with more accuracy when they arrive on site due to improved situational awareness. Where both the on-site emergency response team and the emergency responders can act as one, to reduce the risk and improve safety during an incident. Safety and security have become a complicated web, the operating practices you employee to manage that risk will determine your success. So, ask yourself this, are the logbooks, checklists, and manuals really still good enough, are you willing to stake your business on it?

Protecting Retail Staff in a New Era: Live-streaming Body Cameras
Protecting Retail Staff in a New Era: Live-streaming Body Cameras

This year has been characterized by uncertainty and extraordinary strain, which has fallen heavily on all manner of key workers. Alongside our celebrated healthcare professionals, carers and the emergency services, those working in essential retail have proved themselves to be the backbone of our society during this challenging period. As people try to grasp onto normality and cope with the unexpected changes taking place in every aspect of their lives – including the way they are allowed to shop – it’s no surprise that tensions are now running higher than ever. Retail crime was already on the rise before the pandemic struck, with the British Retail Consortium finding that at least 424 violent or abusive incidents were reported every day last year. The Co-op recently reported its worst week in history in terms of abuse and antisocial behavior, with 990 incidents of antisocial behavior and verbal abuse suffered by staff between 20th and 26th July. 990 incidents of antisocial behavior and verbal abuse suffered by staff between 20th and 26th July To manage the increased risks currently faced by retail employees, businesses must adopt new initiatives to safeguard their staff. Growing numbers of retailers including the Co-op and Asda have equipped their in-store and delivery staff with body worn cameras to enhance safety and provide them with peace of mind, as well as to discourage altercations from taking place at all. Traditional tech Body worn cameras are nothing new and have been used within the law enforcement industry for years. Traditional devices are record-only and can be used to record video evidence able to be drawn upon ‘after the fact’ should it be needed as an objective view of an event and who was involved. These devices can also be used to discourage violent or verbally abusive incidents from occurring in the first place. If a customer is approached by an employee, they are likely to think twice about retaliating if they know their interaction is being recorded. This stance is supported by research from the University of Cambridge that found the use of body worn cameras improves the behavior of the wearer and those in its vicinity, as both are aware of the fact it can act as an objective ‘digital witness’ to the situation. However, record-only body worn cameras do leave much to be desired. In fact, the same University of Cambridge study found that, in the case of law enforcement, assaults against officers wearing these devices actually increased by 15%. This could be attributed to those being recorded being provoked by the presence of the camera or wanting to destroy any evidence it may hold.  Out with the old, in with the new Live-streaming enabled body worn cameras provide the benefits of record-only devices and more Fortunately, there is a better option. Live-streaming enabled body worn cameras provide the benefits of record-only devices and more. Live-streaming capabilities are able to take ‘after the fact’ evidence one step further and provide the wearer with ‘in the moment’ safety and reassurance. With these devices, if a retail employee is subject to a volatile situation with a customer, they can trigger live video to be streamed back to a central command and control room where security officers will be able to take the most appropriate course of action with heightened and real-time situational awareness. Having access to all of the information they could need instantly will enable security personnel to decide whether to attend the scene and diffuse the situation themselves or to take more drastic action if needed, before any harm has been caused. This capability is especially valuable for lone workers who don’t have access to instant support – such as delivery drivers, in-store or warehouse staff and distribution operators to name a few. The pandemic has also doubled the number of consumers who do their regular grocery shopping online, leading to potential supply and demand issues resulting in unhappy customers.  Live-streaming body worn cameras rely on uninterrupted mobile connectivity to excel, as they are not connected to any physical infrastructure. To minimize the risk of the live video stream buffering or freezing – a real possibility for delivery drivers who can be working anywhere in the country – retailers should look to deploy devices capable of streaming in real-time, with near zero latency footage, even when streaming over poor or constrained networks. To get the most out of their tech, retailers should also look to implement devices that can be multi-use and can be deployed as a body worn camera or a dashcam to record any incidents that may occur while driving.    Novel threats   This year brought about a new threat that retailers must protect their staff from While not to the same extent, retail workers have always been subject to a level of potential physical or verbal abuse. However, this year brought about a new threat that retailers must protect their staff from. The COVID-19 pandemic has been the cause of many of the new threats facing employees, but is also a threat in itself. To mitigate this, retailers should look to introduce remote elevated temperature detection cameras in their stores, which analyze body temperature and sound an alarm when somebody’s temperature exceeds a certain threshold – as this could indicate the presence of a potential fever. When deployed on the same cellular network as live-streaming enabled body cameras, these tools can be linked to a central command center and the alarms viewed remotely from any connected device. This means a network of cameras can be monitored efficiently from a single platform. Ensuring the protection and security of retail workers has come to the fore this year. With the risk of infection in high-footfall locations, such as supermarkets, and the added pressure that comes with monitoring and enforcing safety guidelines, retail staff are having to cope with a plethora of new challenges. Retailers should adopt innovative technologies within their stores and delivery trucks, such as live-streaming enabled body cameras and remote elevated temperature screening solutions, to minimize the threat faced by their employees and provide them with instant support and reassurance should it be required.