GSA’s mismanagement of PIV cards puts facility, data security at risk, watchdog says
- By Mark Rockwell
- Nov 09, 2020
The General Services Administration’s mismanagement of the personal identity verification (PIV) cards it issued to contract employees raises significant security concerns, according to a report from agency's Office of Inspector General.
The cards can be used “to gain unauthorized access to GSA buildings and information systems, placing GSA personnel, federal property, and data at risk,” stated the Nov. 4 report, which examined PIV management between February 2017 and August 2019. The new report builds on an OIG 2016 audit that found the agency couldn't account for 15,000 of the PIV cards it issued to its contractors. The report also said GSA didn't collect PIV cards from 445 contract employees who failed background checks.
The more recent audit showed GSA activated 39,090 contract employee PIV cards, but the OIG's review of data from the GSA Credential and Identity Management System (GCIMS) showed the agency could not account for 14,928, or 38%, of those cards. It said over 2,100 of those cards had been issued to contract employees who were removed from the contracts they were working on. The remaining 12,806 cards were for contracts that had expired, it said.
GSA's uneven management of the cards stems from using unreliable data to track the cards, and scattershot, informal procedures to get them back from contractors, according to the report.
Every year GSA issues thousands of PIV cards to contractors who access physically secure areas and federal buildings, as well as IT systems and facilities, said the OIG. The agency is required by law to get those cards back, or disable them, if those contract employees no longer work on the contract, or the contract expires.
The IG found that some GCIMS data used by the agency's Office of Mission Assurance to manage PIV card issuance, status and recovery for both federal and contract employees was inaccurate and incomplete. The report said some critical data fields in the system managing PIV issuance, including those for contract numbers, job titles, and point-of-contact numbers, had inaccurate data. All of those data fields are critical to track and recover the cards, according to the report.
Unaccounted-for cards pose security risks to federal facilities, even if their onboard card reader capabilities have been inactivated, since some federal facilities aren't protected by card readers. The report redacted some of the possible consequences those unaccounted-for cards could have.
The report recommended GSA continue efforts to account for the cards, including updating GCIMS data and reporting unrecovered cards to the Department of Homeland Security.
The IG also recommended more collaboration among GSA's managers of services and staff offices on enforcement and policy for PIV issuance and recovery.
In an Oct. 16 letter to the OIG, GSA Deputy Administrator Allison Brigati said the agency had taken steps to address the concerns, including setting up a dashboard to track PIV card lifecycles, as well as a series of automated emails to agency employees who request PIV cards for contractors about expiring cards.
This past September, said Brigati, GSA's chief acquisition officer and acting human capital officer also issued a policy memo that set baseline training for PIV management.
This article was first posted to FCW, a sibling site to GCN.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.