The General Services Administration’s mismanagement of the personal identity verification cards it issued to contract employees raises significant security concerns, according to a report from agency's inspector general.
The General Services Administration’s mismanagement of the personal identity verification (PIV) cards it issued to contract employees raises significant security concerns, according to a report from agency's Office of Inspector General.
The cards can be used “to gain unauthorized access to GSA buildings and information systems, placing GSA personnel, federal property, and data at risk,” stated the Nov. 4 report, which examined PIV management between February 2017 and August 2019. The new report builds on an OIG 2016 audit that found the agency couldn't account for 15,000 of the PIV cards it issued to its contractors. The report also said GSA didn't collect PIV cards from 445 contract employees who failed background checks.
The more recent audit showed GSA activated 39,090 contract employee PIV cards, but the OIG's review of data from the GSA Credential and Identity Management System (GCIMS) showed the agency could not account for 14,928, or 38%, of those cards. It said over 2,100 of those cards had been issued to contract employees who were removed from the contracts they were working on. The remaining 12,806 cards were for contracts that had expired, it said.
GSA's uneven management of the cards stems from using unreliable data to track the cards, and scattershot, informal procedures to get them back from contractors, according to the report.
Every year GSA issues thousands of PIV cards to contractors who access physically secure areas and federal buildings, as well as IT systems and facilities, said the OIG. The agency is required by law to get those cards back, or disable them, if those contract employees no longer work on the contract, or the contract expires.
The IG found that some GCIMS data used by the agency's Office of Mission Assurance to manage PIV card issuance, status and recovery for both federal and contract employees was inaccurate and incomplete. The report said some critical data fields in the system managing PIV issuance, including those for contract numbers, job titles, and point-of-contact numbers, had inaccurate data. All of those data fields are critical to track and recover the cards, according to the report.
Unaccounted-for cards pose security risks to federal facilities, even if their onboard card reader capabilities have been inactivated, since some federal facilities aren't protected by card readers. The report redacted some of the possible consequences those unaccounted-for cards could have.
The report recommended GSA continue efforts to account for the cards, including updating GCIMS data and reporting unrecovered cards to the Department of Homeland Security.
The IG also recommended more collaboration among GSA's managers of services and staff offices on enforcement and policy for PIV issuance and recovery.
In an Oct. 16 letter to the OIG, GSA Deputy Administrator Allison Brigati said the agency had taken steps to address the concerns, including setting up a dashboard to track PIV card lifecycles, as well as a series of automated emails to agency employees who request PIV cards for contractors about expiring cards.
This past September, said Brigati, GSA's chief acquisition officer and acting human capital officer also issued a policy memo that set baseline training for PIV management.
This article was first posted to FCW, a sibling site to GCN.
NEXT STORY: Threats to election likely to extend for weeks