GSA not tapping data on unauthorized access attempts at federal facilities, report says
The General Services Administration isn't using access card data to mitigate risks on federal property, according to a new report.
The General Services Administration is failing to act on data linked to access cards used to enter federal facilities, according to a new oversight report.
A two-year audit conducted between 2020 and 2022 revealed over 32,000 failed access attempts at GSA-managed facilities, the Office of Inspector General report said, possibly indicating attempts to gain unauthorized access to information technology systems and secure federal facilities.
The IG report also found that GSA was not evaluating the data collected from access cards "to identify and assess the risks to its personnel and federal property,” despite federal guidance recommending agencies monitor access card activity as part of their risk assessment and oversight processes.
GSA operates 132 sites across the country with active access card readers that allow federal personnel with the appropriate permissions to use their card and gain access to certain facilities. Data from all GSA access cards in use is added into the agency's Enterprise Physical Access Control System database, which can provide insights about card usage, access attempts and more.
A majority of GSA building managers contacted for the audit said they do not receive any access card data for their buildings, while those that do receive data only obtain lists about failed access attempts from the prior day. The IG report said that data could be more effectively used to identify potential risks with filtering and trend analysis.
GSA pushed back on the description of the IG findings in a response to the report that noted how the audit was conducted during the height of the COVID-19 pandemic in the United States.
GSA Administrator Robin Carnahan suggested in the response that employees were unable to replace expired access cards during the pandemic as "while credentialing stations were closed," but still had to access federal facilities.
Those employees “still would have been asked” by Department of Homeland Security (DHS) officials “to attempt to use their expired card at a card reader before undergoing secondary screening to enter a facility," Carnahan wrote.
GSA agreed with the IG recommendations, however, which included implementing new procedures to monitor access card data, creating guidance on addressing repeated failed access attempts and using that data to keep building security stakeholders informed.