SBA, IG clash over regulatory details

Small Business Administration officials and the agency's Office of Inspector General disagreed on the security of SBA's personal identity verification cards in a new report.SBA officials said they gave the IG’s office documents that proved they had complied with the Office of Management and Budget’s guidance regarding security certifications and accreditations and earned value management for the cards, according to a letter included in an Oct. 6 report from the IG’s office.“It appears that the documentation did not receive a thorough review [by the IG’s office] prior to the draft [report] being issued,” wrote Robert Danbeck, associate administrator of SBA’s Office of Management and Administration, and Christine Liu, SBA’s chief information officer, in the letter.However, Debra Ritt, SBA's assistant IG for auditing, disputed Danbeck and Liu’s contentions. Ritt wrote that SBA’s documents didn’t prove the program underwent a certification review or followed requirements for earned value management. She also wrote that the IG’s office asked for information to support SBA’s assertions, but Liu could produce none.According to the IG’s report, Liu told auditors that SBA took several approaches that she believed could be substituted for the specific actions called for in Homeland Security Presidential Directive 12.HSPD-12 requires agencies to create ID cards to restrict access to buildings and computer networks to federal employees and contractors who have received background checks and clearances. The cards must be interoperable with other federal agencies’ systems.In the report, SBA officials said they complied with the requirements because their HSPD-12 card-issuance system, named the Identity Management System (IDMS), was a pilot project and didn’t need to be fully certified and accredited. SBA also said the program was fully evaluated and deemed compliant with guidance from the National Institute of Standards and Technology based on early work with the General Services Administration, which is overseeing HSPD-12.The auditors disagreed. Agencies must be certified based on regulations, and guidance doesn’t suggest that a pilot system is exempt from the certification requirements, Ritt wrote.“To date, SBA has still not completed a certification and accreditation of IDMS,” she wrote. Moreover, the system has undergone multiple software and hardware changes, and officials have tested none of the changes for security.SBA officials also objected to other parts of the draft report. The IG wrote that SBA spent $3.3 million and issued 379 PIV cards. SBA officials said the IG didn’t count all expenses. The agency bought the hardware and software to comply with HSPD-12 and paid to integrate the software. It also paid for consultants to help managers set up the program.Auditors wrote that SBA modified the HSPD-12 software, thereby rendering all previously issued PIV cards unreadable. SBA officials said in their letter that a software upgrade affected the display of employees’ photos on PIV cards, but they added a software patch to solve the problem. The IG clarified those statements in the report.