US Veterans Administration launches biometric access pilot

The U.S. Department of Veterans Affairs (VA) is advancing a landmark initiative to explore the deployment of biometric authentication for access control within its facilities and IT infrastructure. The initiative is outlined in its Biometric Authentication Proof of Concept Performance Work Statement (PWS).
The VA’s biometric authentication proof of concept reflects a forward-leaning effort to balance innovation with accountability. By introducing biometric access methods in a tightly controlled, evaluative setting, the VA positions itself to make data-driven decisions about adopting advanced identity verification technologies at scale. If successful, the initiative could transform how clinical personnel and staff interact with the physical and digital infrastructure of VA’s vast healthcare system.
The program is being spearheaded by VA’s Office of Information Security (OIS). The project is structured around a comprehensive pilot program designed to evaluate commercial off-the-shelf (COTS) face and iris recognition technologies in real-world VA healthcare settings.
The initiative aims to alleviate friction experienced by clinical staff when accessing restricted spaces or critical systems, especially in sterile or high-tempo care environments. Traditional access methods such as passwords, badges, or physical tokens can be cumbersome, particularly for personnel frequently moving between secure locations, the VA said.
By offering a contactless, biometric-based authentication process, the VA seeks to expedite access while reducing dependency on credentials that are prone to loss, misuse, or phishing. Being tied to individual identity, these biometric modalities also offer the advantage of non-transferability, thereby enhancing the VA’s security posture.
At its core, the proof-of-concept project calls for the contractor to supply, install, and operate a COTS biometric authentication solution at a designated VA test site. This may be either a healthcare training facility or an operational medical center. The solution must be deployed in parallel with existing physical access control systems (PACS) to ensure that standard operations are not disrupted.
During the 90-day operational window, VA staff who volunteer for the pilot will be enrolled into the system, which will perform one-to-many matching of face or iris data against on-site biometric databases to determine access eligibility.
The technology must meet strict criteria: it must process only the biometric data of enrolled VA staff, exclude protected health information, and operate solely for authentication purposes. The goal is to preserve patient and staff privacy, align with federal security and privacy standards, and maintain compliance with the VA’s internal cybersecurity framework.
The pilot will be assessed on key performance indicators that include match accuracy, operational reliability, ease of use, and user satisfaction. These metrics will form the basis of an impact analysis comparing the biometric solution’s performance to existing access methods.
Significant elements of the pilot include integration with VA’s PACS infrastructure, environmental adaptation (e.g., adjusting for lighting or traffic patterns), and fallback procedures to ensure access continuity. The contractor will be responsible for operator training, enrollment standard operating procedures, end-user support, and the creation of documentation such as solution architecture diagrams, site survey reports, and weekly performance updates.
Following the pilot, the contractor will facilitate a “stand down” phase to remove equipment and restore VA facilities to their original state. However, the PWS anticipates multiple pathways for expansion if the pilot proves successful. These include optional task orders to scale the biometric system across additional VA facilities for physical access or extend its functionality to logical access for VA-owned IT systems and applications. In such scenarios, the solution must be migrated to the VA Enterprise Cloud, integrate with VA identity management and authentication services, and meet zero-trust security standards outlined in OMB and NIST guidance.
Logical access authentication will require support for industry-standard protocols like OpenID Connect, WebAuthn, and SAML, as well as interoperability with PIV cards and existing VA directories. It must also be capable of functioning across a wide range of devices – including desktops, laptops, and mobile clinical workstations – without involving medical devices. A dedicated implementation plan will guide the phased integration, accompanied by performance reports and resource optimization plans to ensure cost-effective cloud usage.
In addition to expanding technical capabilities, the PWS embeds rigorous compliance mandates. The contractor must adhere to the Federal Information Security Modernization Act, NIST Special Publications (e.g., 800-63 for identity assurance), and VA-specific cybersecurity directives. IPv6 compatibility, Trusted Internet Connection compliance, and alignment with the Federal Identity, Credential, and Access Management framework are also required. Hardware and software must be compatible with VA standard configurations and capable of being centrally managed and audited.
Security and privacy are woven throughout the project’s governance structure. All contractor personnel must undergo background checks, submit appropriate documentation, and adhere to VA identity credentialing procedures. Biometric data collected under the pilot is strictly limited in scope and must be stored, processed, and eventually purged in accordance with defined retention and destruction policies.
The project is governed by detailed performance metrics covering technical quality, timeliness, cost efficiency, and management effectiveness. A Quality Assurance Surveillance Plan will guide performance evaluations, and deliverables must be submitted in digital formats using approved software standards. Additional requirements related to training, remote access, and secure shipping are addressed in annexes and appendices to ensure compliance at every level of implementation.