FOR IMMEDIATE RELEASE
March 30, 2016
The U.S. General Services Administration (GSA) Office of Inspector General (OIG) issued two reports today concluding that GSA-managed facilities are at an increased risk of unauthorized access due to GSA’s lack of controls over facility-specific building access badges and deficiencies in GSA’s management of Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) cards issued to contractors. Unauthorized access to these facilities increases the risk of a security event such as an active shooter, terrorist attack, theft of government property, or exposure of sensitive information.
Background
HSPD-12, issued in August 2004, recognized a need to eliminate the wide variations in the quality and security of identification used to gain access to federal facilities where there is potential for terrorist attacks. HSPD-12 established a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and contractor employees in order to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. The Office of Management and Budget issued instructions regarding this directive, requiring all federal executive departments and agencies to conduct minimum background investigations and issue PIV cards to all employees and contractors requiring long-term access to federal facilities or information technology systems.
It is GSA’s policy to issue PIV cards to all employees and long-term contractor employees needing access to GSA-managed facilities. GSA’s credentialing policy outlines specific and limited circumstances in which GSA may issue non-HSPD-12 compliant facility-specific building badges, such as for temporary contractor employees, some non-U.S. citizens, childcare workers, and visitors.
During its evaluations, the OIG sought to: 1) determine whether key controls over GSA’s process for issuing, managing, and terminating HSPD-12 PIV contractor employee cards are sufficient and effective; and 2) review GSA’s use of building badges and determine if the use of building badges increases the risk of unauthorized access to GSA-managed facilities.
The OIG’s Findings – Contractor PIV Cards
The OIG found significant deficiencies in GSA’s processes for managing GSA-issued contractor PIV cards and for ensuring the completion of contractor employee background investigations. In addition, the OIG found deficiencies in GSA’s tracking and maintenance of contractor employee background investigation data stored within its credentialing system.
The OIG found that GSA does not consistently collect and destroy PIV cards from GSA contractor employees who have left, are terminated, or are no longer needed for contract performance. When a contractor employee’s PIV card is not collected and destroyed at the end of a contract, the security risks of unauthorized access to a federal facility significantly increase. The OIG also found that some contractor employees use expired PIV cards to access GSA-managed facilities. GSA cannot determine the extent of these problems because it does not track the collection or destruction of expired contractor PIV cards in its credentialing system.
In addition, the OIG found that some GSA regions have not been fully successful in issuing PIV cards to all long-term contractor employees. Three of GSA’s eleven regions permit exceptions to GSA’s PIV policy and do not issue PIV cards to certain types of long-term contractors, such as those who do not require access to GSA IT systems. In such cases, GSA circumvents the policy that requires issuance of PIV cards to all long-term contractor employees by issuing non-PIV building badges.
We also found that the credentialing system used to manage information about GSA contractor employees has significant data reliability deficiencies. For example:
- For 638 contractor employees found to be unfit after background investigations, the credentialing system records did not reflect the negative adjudication results. Of the 638 contractor employees found to be unfit, 169 have an active status in the credentialing system. Nine of these contractor employees had been issued PIV cards. GSA is unable to determine whether those PIV cards were collected and destroyed, as it does not track such information.
- Sixty active contractor employees whose credentialing record indicated that GSA had issued them a PIV card had no background investigation information recorded in the system.
- 2,099 active contractor employees with initial investigations more than one year old did not have a final determination on file.
While GSA officials reported that they periodically validate the credentialing system data, they are unable to determine if these examples are the result of poor record keeping practices or if there are in fact active GSA contractor employees with non-existent, incomplete, or unfavorable background investigations. Data accuracy is critical to ensure contractor employees have an appropriate active or inactive status, a completed and favorable background investigation, and use an unexpired PIV card for facility access.
The OIG’s Findings – Building Badges
The OIG found widespread use of facility-specific building badges at GSA-managed facilities. These building badges are often issued by GSA to employees and contractor employees instead of, or in addition to, the required HSPD-12 PIV cards. These building badges are more susceptible to identity fraud, tampering, counterfeiting, and exploitation, and they cannot be rapidly authenticated electronically.
As noted above, some GSA regions circumvent GSA’s credentialing policy by issuing non-HSPD-12 compliant building badges to certain long-term contractors. In addition, GSA sometimes issues non-HSPD-12 compliant building badges in multiple-tenant federal facilities where the tenants have voted to allow the use of such badges to access the facility because of the costs associated with issuing PIV cards and the existence of legacy physical access control systems that are not compatible with PIV cards.
The OIG found serious security risks with the use of building badges in GSA-managed facilities, including:
- Contractor employees with active building badges who had been determined to be “unfit” due to unfavorable background investigations;
- Inactive contractor employees who had active building badges;
- Building badges without expiration dates issued by GSA to contractor employees;
- Instances where non-GSA tenant agencies had issued building badges to GSA contractor employees;
- Staff who were inadequately trained on the issuance of building badges; and
- Building badge information technology systems that were unsecure.
The OIG also found that GSA cannot determine the extent of these problems because it does not centrally monitor the management of building badges issued by staff.
Recommendations
The OIG makes 13 recommendations for GSA to address security risks associated with its deficient management of HSPD-12 PIV cards issued to contractors and its use of building badges. Recommendations include that GSA should develop a policy to stop issuing local building badges to employees and contractor employees who are required to receive PIV cards; develop a secure solution for allowing physical access to GSA-managed facilities to individuals who are not required to receive PIV cards; enforce GSA policies and federal regulations regarding the retrieval and destruction of PIV cards from inactive contractor employees; and develop internal controls to better ensure compliance with retrieval and destruction requirements and improve data accuracy in GSA’s credentialing system.