Treasury shifted HSPD-12 path on audit findings, report shows

The Treasury Department switched plans for how it will implement secure identification cards and services under the Homeland Security Presidential Directive 12 initiative from developing its own system to using managed services from the General Services Administration.Auditors persuaded the Internal Revenue Service, which leads the HSPD-12 effort for Treasury, to conform to GSA’s shared approach because IRS had lagged in meeting milestones on its own, according to a report from the Treasury Inspector General For Tax Administration (TIGTA) posted June 22.As a result, IRS notified GSA in May of its intention to use GSA services. IRS will have a better chance at meeting subsequent milestones for developing ID cards that meet HSPD-12 requirements, TIGTA said.“We believe the IRS was taking unnecessary risks, not only because its costs are likely to exceed the GSA solution, but because it was taking resources away from tax administration duties, increasing the likelihood of its cards being incompatible with other agencies, and likely will be delivering its system later than other agencies,” said Margaret Begg, assistant IG for audit for information systems programs, in writing the report on behalf of Michael Phillips, deputy IG for audit.GSA should be able to issue cards less expensively than agencies doing so independently because of economies of scale, TIGTA said.IRS has coordinated with GSA’s implementation schedule for the issue of initial cards in Treasury expected next month, said Daniel Galik, chief of IRS mission assurance and security services, in a response to TIGTA.Under HSPD-12 deadlines, agencies must verify and complete background investigations and issue ID cards for all employees with less than 15 years of service by October. IRS will have to integrate any new systems necessary to operate with the new ID cards into existing security, personnel and other systems, TIGTA said.Last fall, IRS contracted with GSA for 100 ID cards to comply with the requirements for Personal Identity Verification (PIV) cards because it failed to produce and distribute its own ID cards. IRS, at the time, did not plan to use GSA for additional ID cards for future milestones.“Despite assigning 68 employees and contractors to this effort, the IRS had not yet purchased the hardware and software necessary to produce the identification cards and did not expect to complete the program until September 2010, two years after the Office of Management and Budget mandated deadline,” Begg said in the report. The audit took place from June through December 2006.IRS completed required steps in 2005 for PIV’s initial phase to develop procedures for registering employees, issuing cards and maintaining the card system and to publish a manual of step-by-step instructions for PIV requirements. The agency said it could meet card’s technical specifications for Treasury at less expense, but it did not provide TIGTA with cost projections. IRS believed it was in a better position than GSA to produce and distribute the PIV cards at all Treasury locations, provide compatible technology to identify and authenticate employees and produce and distribute ID cards for the large number of temporary employees that the IRS hires during tax return filing season.IRS stuck to that belief in part because the cards GSA provided last fall contained errors. GSA subsequently canceled its contract with BearingPoint and stopped production of the PIV cards.In April, GSA awarded EDS a $66.4 million contract to run its HSPD-12 Managed Services Office. As early as July, EDS will begin opening 225 fixed and mobile HSPD-12 enrollment stations nationwide.