Watchdog: GSA needs to account for contractor PIV cards

The General Services Administration continues to have problems with managing identity cards it issues to contractors to access its buildings and IT systems, according to a report from agency's Office of Inspector General.

The report, issued on Nov. 4, covers an audit period between February, 2017 and August, 2019. It builds on an OIG 2016 audit that found the agency couldn't account for 15,000 of the Personal Identity Verification (PIV) cards it issued to its contractors. The report also said the agency didn't collect PIV cards from 445 contract employees who failed background checks.

The more recent audit, said the report, showed GSA activated 39,090 contract employee PIV cards. The report said the OIG's review of data from the GSA Credential and Identity Management System (GCIMS) showed the agency could not account for 14,928, or 38%, of those cards. It said over 2,100 of those cards had been issued to contract employees who were removed from the contracts they were working on. The remaining 12,806 cards were for contracts that had expired, it said.

GSA's uneven management of the cards stems from using unreliable data to track the cards, and scattershot, informal procedures to get them back from contractors, according to the report.

Every year GSA issues thousands of PIV cards to contractors who access physically-secure areas and federal buildings, as well as IT systems and facilities, said the OIG. The agency is required by law to get those cards back, or disable them, if those contract employees no longer work on the contract, or the contract expires.

It found that some GCIMS data used by the agency's Office of Mission Assurance to manage PIV card issuance, status and recovery for both federal and contract employees was inaccurate and incomplete. The report said some critical data fields in the system managing PIV issuance, including those for contract numbers, job titles, and point-of-contact numbers, had inaccurate data. All of those data fields are critical to track and recover the cards, according to the report.

Unaccounted-for cards pose security risks to federal facilities, even if their onboard card reader capabilities have been inactivated, since some federal facilities aren't protected by card readers. The report redacted some of the possible consequences those unaccounted-for cards could have.

The report recommended GSA continue efforts to account for the cards, including updating GCIMS data and reporting unrecovered cards to the Department of Homeland Security.

The IG also recommended more collaboration among GSA's managers of services and staff offices on enforcement and policy for PIV issuance and recovery.

In an Oct. 16 letter to the OIG, GSA Deputy Administrator Allison Brigati said the agency had taken steps to address the concerns, including setting up an agency dashboard to track PIV card lifecycles, as well as a series of automated emails to agency employees who request PIV cards for contractors about expiring cards.

This past September, said Brigati, GSA's chief acquisition officer and acting human capital officer also issued a policy memo that set baseline training for PIV management.