The General Services Administration’s (GSA) insider threat program (ITP) is failing to adequately protect GSA personnel, facilities, and systems from insider threats, according to a recent report from the agency’s Office of Inspector General.
“We found that GSA’s ITP does not consistently collaborate across the agency to proactively prevent, detect, mitigate, and identify insider threats,” the report says. “For example, the ITP is unaware of and does not monitor insider threat risks from employees who receive termination proposals but retain access to GSA systems and facilities. Additionally, the ITP Senior Designated Official is failing to provide the annual insider threat report to the GSA Administrator as required.”
The report also said GSA fails to consistently deactivate IT accounts from employees who have decided to leave the agency, or who have been terminated. Additionally, the agency does not collect and destroy personal identity verification cards from these employees within the required time frames – putting GSA at a “heightened” risk of insider threats, the IG report says.
“Taken together, these deficiencies expose GSA information to theft or loss, facilities to damage, and personnel to actual or threatened harm; and create gaps that can be exploited in other ways to undermine GSA’s ability to effectively carry out its operations,” the report says.
The report also highlighted that GSA disbanded its insider threat working group in November 2017, after the agency received its “full operating capability designation from the National Insider Threat Task Force.” According to the report, GSA determined the working group was no longer necessary after receiving this designation.
“The decision to disband the GSA Insider Threat Working Group violated GSA policy. It also eliminated the ITP’s only established means of formal collaboration with GSA’s staff offices,” the report reads.
As for recommendations going forward, the report suggests GSA enhance its “cross-organizational communication and collaboration with the ITP to improve information sharing and the ITP’s access to insider-threat-related data.” Another recommendation is to improve oversight of the employee separation and termination process.
Katy Kale, acting GSA administrator, said GSA agreed with the report’s recommendations. She also noted that since the insider threat working group was disbanded, “collaboration has taken place on a routine but informal basis.”
“Insider threat issues are given a high level of priority throughout GSA in order to maintain the security of the agency and its employees while safeguarding personnel privacy,” Kale said.
The IG’s investigation was conducted between October 2018 and August 2020, during the Trump administration.