SBA, IG clash over regulatory details

Small Business Administration officials and the agency's Office of Inspector General disagreed on the security of SBA's personal identity verification cards in a new report.

SBA officials said they gave the IG’s office documents that proved they had complied with the Office of Management and Budget’s guidance regarding security certifications and accreditations and earned value management for the cards, according to a letter included in an Oct. 6 report from the IG’s office.

“It appears that the documentation did not receive a thorough review [by the IG’s office] prior to the draft [report] being issued,” wrote Robert Danbeck, associate administrator of SBA’s Office of Management and Administration, and Christine Liu, SBA’s chief information officer, in the letter.

However, Debra Ritt, SBA's assistant IG for auditing, disputed Danbeck and Liu’s contentions. Ritt wrote that SBA’s documents didn’t prove the program underwent a certification review or followed requirements for earned value management. She also wrote that the IG’s office asked for information to support SBA’s assertions, but Liu could produce none.

According to the IG’s report, Liu told auditors that SBA took several approaches that she believed could be substituted for the specific actions called for in Homeland Security Presidential Directive 12.

HSPD-12 requires agencies to create ID cards to restrict access to buildings and computer networks to federal employees and contractors who have received background checks and clearances. The cards must be interoperable with other federal agencies’ systems.

In the report, SBA officials said they complied with the requirements because their HSPD-12 card-issuance system, named the Identity Management System (IDMS), was a pilot project and didn’t need to be fully certified and accredited. SBA also said the program was fully evaluated and deemed compliant with guidance from the National Institute of Standards and Technology based on early work with the General Services Administration, which is overseeing HSPD-12.

The auditors disagreed. Agencies must be certified based on regulations, and guidance doesn’t suggest that a pilot system is exempt from the certification requirements, Ritt wrote.

“To date, SBA has still not completed a certification and accreditation of IDMS,” she wrote. Moreover, the system has undergone multiple software and hardware changes, and officials have tested none of the changes for security.

SBA officials also objected to other parts of the draft report. The IG wrote that SBA spent $3.3 million and issued 379 PIV cards. SBA officials said the IG didn’t count all expenses. The agency bought the hardware and software to comply with HSPD-12 and paid to integrate the software. It also paid for consultants to help managers set up the program.

Auditors wrote that SBA modified the HSPD-12 software, thereby rendering all previously issued PIV cards unreadable. SBA officials said in their letter that a software upgrade affected the display of employees’ photos on PIV cards, but they added a software patch to solve the problem. The IG clarified those statements in the report.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
