The General Services Administration has neglected tracking of the building entry badges and personal identity verification cards used by employees and contractors, according to a pair of reports released Wednesday by the agency’s inspector general.
“These security control weaknesses increase the risk of unauthorized access to the 8,603 facilities managed by GSA,” auditors warned. “Unauthorized access to a federal facility increases the risk of a security event, such as an active shooter, terrorist attack, or theft of government property, as well as exposure of government sensitive and contractor proprietary information.”
In conflict with a 2004 presidential directive on homeland security, GSA continues to “issue facility-specific building badges with unique designs, data elements and security features,” said the report on badges. Unlike the standardized PIV cards designed by the National Institute of Standards and Technology, auditors wrote, “building badges are more susceptible to identity fraud, tampering, counterfeiting and exploitation, and they cannot be rapidly authenticated electronically.”
In addition to being unregulated, GSA’s badges create security risks because the agency often fails to collect and destroy them once they expire or the employee is no longer eligible to enter.
Even when PIV cards are used, said the second report, they aren’t tracked properly. This meant that 638 contractor employees were found to be unfit after background investigations, yet GSA’s credentialing system records did not reflect that result. As many as 169 remain active in the system.
Auditors, following surveys and visits to 14 GSA regional offices, also found staff who were inadequately trained on the issuance of building badges. “We also found that GSA cannot determine the extent of these problems because it does not centrally monitor the management of building badges issued by its staff,” the watchdog said. In addition, data that are collected are not always reliable, the report said.
GSA’s official policy is to issue PIV cards to all employees and long-term contractor employees needing access to GSA-managed facilities. The limited specific exceptions allowing building-specific badges rather than the standardized PIV are intended for temporary contractors, non-U.S. citizens, child-care workers and visitors.
“While GSA officials reported that they periodically validate the credentialing system data, they are unable to determine if these examples are the result of poor record keeping practices or if there are in fact active GSA contractor employees with non-existent, incomplete, or unfavorable background investigations,” the auditors wrote.
The inspector general’s reports made 13 recommendations for addressing security risks, including increasing use of standardized PIV cards, better tracking when credentials expire and enhancing internal controls to improve data accuracy.
GSA largely agreed with the recommendations, saying it will work with the Homeland Security Department’s interagency security council to implement them.