Identity Management

IG: DHS still can't account for expired PIV cards

PIV cards 

A Feb. 14 inspector general audit found that the Department of Homeland Security still lacks effective protocols to ensure old contractors can't access their facilities and information systems.

The problems are not new. For the past decade, DHS has struggled put in place management and security strategies around Homeland Security Presidential Directive 12 and the Personal Identity Verification (PIV) cards that are used by employees and contractors to both access physically secure locations and login to computer workstations and information systems.

Previous audits took DHS to task over these deficiencies in 2007 and 2010, and the latest report notes that many of the same issues continue to plague the department today. Among the recurring problems were "significant program and management challenges" to ensuring that contractors do not retain active PIV cards after their work concludes. The department was also criticized for not thoroughly accounting for and collecting expired PIV cards from contractors.

The auditors noted that approximately one out of four PIV cards revoked in fiscal 2016 (or just over 22,000) were for contractors. The real number is likely even higher given the "lack of accountability" around the issue, the report states.

"The potential remains for individuals who misrepresent their identities to circumvent controls, enter DHS buildings and controlled areas, and cause harm to people and assets" as well as gain "unauthorized access to information systems," wrote auditors.

DHS has a contract with XTec for HSPD-12 implementation. The agency in 2013 awarded a 10-year contract that would have shifted that work to HP Enterprise Services, but XTec successfully protested that award and won the business when it was re-bid in 2014. 

The OIG audit, however, places the blame on a lack of prioritization around HSPD-12 requirements at many DHS components. Auditors cite insufficient funding and staffing as well as internal confusion about who within the department was ultimately responsible for oversight of the issue.

DHS has improved in several areas, most significantly in setting up an effective process for issuing PIV cards, bringing DHS in compliance with Federal Information Processing Standards guidance, according to the report.

OIG is recommending a more formal process for collecting, revoking, deactivating and destroying PIV cards for contractors who no longer work for DHS. Auditors also want the department to address its longstanding funding and management issues around the HSPD-12 program.

Department officials concurred with all seven recommendations, telling auditors that officials are piloting a plan inventory active and inactive contractors and implement tighter controls for contractor PIV card management at DHS headquarters. The pilot is expected to be complete by March 2018 and expanded to the management directorate by the end of 2018.

Note: A previous version of this article reported only that a contract for HSPD-12 implementation services at DHS was awarded to HP Enterprise Services in 2013. HP Enterprise Services was awarded the contract, but incumbent XTec filed a successful protest and in 2014 a new bid for HSPD-12 implementation was awarded to XTec. This article was updated on Feb. 22.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Management
    shutterstock image By enzozo; photo ID: 319763930

    Where does the TMF Board go from here?

    With a $1 billion cash infusion, relaxed repayment guidelines and a surge in proposals from federal agencies, questions have been raised about whether the board overseeing the Technology Modernization Fund has been scaled to cope with its newfound popularity.

  • IT Modernization
    shutterstock image By enzozo; photo ID: 319763930

    OMB provides key guidance for TMF proposals amid surge in submissions

    Deputy Federal CIO Maria Roat details what makes for a winning Technology Modernization Fund proposal as agencies continue to submit major IT projects for potential funding.

Stay Connected