VA errors compromise identity verification credentials

The Veterans Affairs Department may have issued more than 157,000 personal identification credentials with a compromised ability to authenticate the identity of the individuals who received the credentials, according to a new report from the Office of Inspector General.

Belinda Finn, assistant inspector general for audits and evaluations, recommended in the Sept. 30 report that the department immediately direct the VA Enrollment Centers to stop issuing new credentials until the control deficiencies are addressed.

“Because of missing procedures and significant control lapses in Enrollment Center operations, VA has compromised the integrity of all Personal Identity Verification credentials issued to date,” Finn wrote.

VA officials said they had taken immediate action to mitigate the risks uncovered in the report by reviewing the questionable credentials, and Finn said that response was acceptable.

Related coverage:

VA two years behind schedule on issuing secure ID cards, OIG says

The VA needs to correct the identified deficiencies and formally accredit the Homeland Security Presidential Directive-12 program. Until that happens, its identity credentials cannot be used governmentwide.

Finn estimated the cost to remediate the deficiencies at approximately $6.7 million, and said the cost would continue to increase if additional credentials are issued.

Overall, the VA may have issued at least 147,000 credentials without determining whether applicants are known or suspected terrorists and presented genuine and unaltered identity source documents, Finn wrote in the report.

Also, VA may have issued at least 5,100 credentials without verifying applicants’ background investigations, and 5,600 credentials where staff circumvented separation of duty control requirements.

Finn made six other recommendations, and VA officials agreed with all of them.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Fri, Oct 7, 2011

The big problems are in the processes and people involved in assessment of systems throughout the federal government. Generally speaking, many of the "security specialists" hired to assess and validate the results do not have the fundamental skills required nor the ability to recognize the technical flaws in systems and how they are administered. Moreover, the government workers involved with the systems are usually bumbling fools that have been with the organization for years and promoted from one position to another working their way from tour guide to Information Systems Security Manager. When the Security Authorization package is presented to the CIO ... all that usually comes back are stupid comments about someone's name being misspelled, a wrong phone number, or poor grammar. It's not up to the IG to watch each system from inception to production ... it's up to the agencies to hire the right people and fire the idiots (including contractors and government).

Thu, Oct 6, 2011

At my location the leadership was told several times that the system and the process would not work!

Thu, Oct 6, 2011

The VA went out of their way not long ago to NOT hire known security specialists, instead hiring a "favorite" candidate at many locations. I know, I AM a security specialist and blew away the creds of those hired. The open job reqs were dismissed - "we've decided not to do the job that way" they wrote in their letters. Recently a staff member I know at a local VA called both their privacy officer and their security officer "a couple of clowns". Did I mention I'm a disabled vet as well as a security specialist? I guess the HR person spent the night before listening to Judy Collins: "Send in the clowns..." They are getting what they deserve.

Thu, Oct 6, 2011

The VA has repeatedly failed in its feeble attempts to control the security of the data of the servicemenand women that it serves. ANd now this... WHAT IS GOING ON OVER THERE? This isn't rocket science. It is about time you get someone in place that can spell S-E-C-U-R-I-T-Y.

Thu, Oct 6, 2011

This comes down to a lack of qualified persons implementing security standards. FISMA works... If you do it the right way and evaluate your risks and make sure these items can be found, documented, and corrected. The VA recently had a contract go out to assistance with the CIO for such issues. It should have been found months ago. Its so frustrating to see these things happen when they are totally preventable.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group