IG: DHS still can't account for expired PIV cards

A Feb. 14 inspector general audit found that the Department of Homeland Security still lacks effective protocols to ensure old contractors can't access their facilities and information systems.

The problems are not new. For the past decade, DHS has struggled put in place management and security strategies around Homeland Security Presidential Directive 12 and the Personal Identity Verification (PIV) cards that are used by employees and contractors to both access physically secure locations and login to computer workstations and information systems.

Previous audits took DHS to task over these deficiencies in 2007 and 2010, and the latest report notes that many of the same issues continue to plague the department today. Among the recurring problems were "significant program and management challenges" to ensuring that contractors do not retain active PIV cards after their work concludes. The department was also criticized for not thoroughly accounting for and collecting expired PIV cards from contractors.

The auditors noted that approximately one out of four PIV cards revoked in fiscal 2016 (or just over 22,000) were for contractors. The real number is likely even higher given the "lack of accountability" around the issue, the report states.

"The potential remains for individuals who misrepresent their identities to circumvent controls, enter DHS buildings and controlled areas, and cause harm to people and assets" as well as gain "unauthorized access to information systems," wrote auditors.

DHS has a contract with XTec for HSPD-12 implementation. The agency in 2013 awarded a 10-year contract that would have shifted that work to HP Enterprise Services, but XTec successfully protested that award and won the business when it was re-bid in 2014. 

The OIG audit, however, places the blame on a lack of prioritization around HSPD-12 requirements at many DHS components. Auditors cite insufficient funding and staffing as well as internal confusion about who within the department was ultimately responsible for oversight of the issue.

DHS has improved in several areas, most significantly in setting up an effective process for issuing PIV cards, bringing DHS in compliance with Federal Information Processing Standards guidance, according to the report.

OIG is recommending a more formal process for collecting, revoking, deactivating and destroying PIV cards for contractors who no longer work for DHS. Auditors also want the department to address its longstanding funding and management issues around the HSPD-12 program.

Department officials concurred with all seven recommendations, telling auditors that officials are piloting a plan inventory active and inactive contractors and implement tighter controls for contractor PIV card management at DHS headquarters. The pilot is expected to be complete by March 2018 and expanded to the management directorate by the end of 2018.

Note: A previous version of this article reported only that a contract for HSPD-12 implementation services at DHS was awarded to HP Enterprise Services in 2013. HP Enterprise Services was awarded the contract, but incumbent XTec filed a successful protest and in 2014 a new bid for HSPD-12 implementation was awarded to XTec. This article was updated on Feb. 22.