More than 14 years have passed since the George W. Bush administration issued a directive to ensure that federal workers and contractors are who they say they are when they enter federal buildings. But the Government Accountability Office said progress was lacking, especially in the digital age.
On December 20th report, GAO said the agencies were taking steps to improve security, but not fast enough. Of the five selected agencies reviewed by GAO, several problems arose regarding physical access control systems (PACS), which verify identification information in many agencies, including cost, lack of clarity in the acquisition of systems and the difficulty of adding new technology to legacy systems.
The General Services Administration approves PACS technologies and providers, and the White House sets the parameters.
PACS include personal identity verification (PIV) cards, card readers and any other technology that electronically confirms the identities of employees and contractors to validate their access to the facilities.
PIV cards consist of critical information, including employment status and any security authorization information, embedded in a microchip. As technology continues to evolve, meeting the need for updated security systems is even more critical.
Lori Rectanus, director of the GAO physical infrastructure team, said many of the problems with compliance stem from lack of supervision and record keeping. He said that according to the 2004 directive, the White House, specifically the Office of Administration and Budget, should keep records of the agency's progress in the development and implementation of those PACS.
"The agencies have not made much progress, mainly because no one has been asking questions about what they are [they] doing what are [they] buy what efforts are [they] making information at the government level know who is buying what and what [they] okay, "Rectanus said in Federal Drive with Tom Temin. "We really don't know where the agencies are and what progress has been made. [OMB has] The key responsibility of supervising and enforcing this process. They are the ultimate arbiter of people's budgets. "
The GAO report highlighted several small steps that OMB and GSA have taken to promote compliance in all agencies.
First, OMB published several memoranda to clarify the responsibilities of the agencies to ensure that their buildings were safe. One memorandum, published in 2011, cited the guidance of the Department of Homeland Security to the agencies that require them to use the funds allocated to update their access systems before other projects are carried out. The GAO report found that OMB could not track such progress without reference data.
The report also mentions the GSA implementation of List of approved products, Identify products that met federal requirements through tests and evaluations. Agencies are required to use this list to purchase the equipment for PACS.
The Interagency Security Committee, chaired by DHS along with 60 federal departments and agencies, must develop safety standards throughout the federal government, with the exception of military agencies. ISC is "well positioned to determine the extent to which PACS implementation challenges exist among its members and to develop strategies to address them," says the report.
More than a decade later and the agencies still have trouble implementing these systems. Compliance is currently at less than 10 percent, Rectanus said.
Department of Defense, a good example
An agency has made significant progress on its own.
“I think the Department of Defense is ahead of civil organizations. They have their version of the PIV card and I think it is used a lot to govern access to different facilities and different locations, "Rectanus said." I don't know about your equipment acquisition, but I'm sure there are many lessons we can learn, especially from some of its safest facilities where you know, by necessity, they have had to really protect the access "to them".
GAO recommended two solutions:
- OMB should regularly determine and monitor a level of baseline progress in terms of PACS implementation.
- The ISC must evaluate the scope of strategies to address government challenges to implement PACS.
When it comes to slow progress, does this lack of information and technological update mean that government facilities are not as safe as they should be?
Rectanus said that if the security of federal buildings across the government is based solely on these PIV cards that talk to readers, the delay could create major problems.
"If you think that is the way we keep our facilities safe, that is not happening," Rectanus said. "So, yes, we run the risk that nefarious actors pretend to be government employees and contractors entering buildings or even that the employees themselves are unhappy or contractors who can enter inappropriately and gain access to places they shouldn't."
Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.