The General Services Administration’s (GSA) mismanagement of Federal contract employees Personal Identity Verification (PIV) cards has put GSA personnel, Federal property, and data at risk, according to a report from the Office of Inspector General’s (OIG).
The report, issued earlier this month, explained that GSA issues an average of 14,500 PIV cards annually, which are used to access GSA buildings and information technology systems, to Federal contract employees. Back in 2016, the OIG performed an initial evaluation of GSA’s management of contract employee PIV cards and found several issues related to GSA’s recovery and destruction of PIV cards. The OIG remained concerned about contractor PIV cards and performed another audit.
For this audit, the OIG analyzed data from GSA’s Credential and Identity Management System (GCIMS), which is the database that manages PIV cards for Federal and contract employees, over the period of February 1, 2017, through August 31, 2019. Over the audit period, GSA issued 39,090 PIV cards issued to GSA contract employees. OIG then looked at GCIMS data as of July 16, 2020. The OIG verified GCIMS data reliability and validity through GSA interviews, data analysis, and Office of Personnel Management inquiries.
During its audit, the OIG found that GSA is mismanaging PIV cards issued to contract employees and cannot account for approximately 15,000 PIV cards issued to contract employees. Additionally, the OIG found that GSA failed to collect more than half of the 445 PIV cards from contract employees who failed their background checks.
“GSA’s poor management and oversight of these cards raises significant security concerns because the cards can be used to gain unauthorized access to GSA buildings and information systems, placing GSA personnel, Federal property, and data at risk,” the OIG wrote in its report.
The OIG said it has identified three factors that are affecting GSA’s management of PIV cards for contract employees: GSA is using unreliable data to track and monitor PIV cards, GSA does not have formal procedures for recovering PIV cards from contract employees, and GSA has not implemented the oversight needed to ensure all PIV cards are recovered from contract employees.
To improve contractor PIV card oversight, the OIG offered two recommendations for the GSA Deputy Administrator.
The Deputy Administrator needs to continue to take action to account for and collect the PIV cards identified in the OIG audit that remain outstanding by:
- “Updating the GSA Credential and Identity Management System records for contract employees to ensure that they are accurate;
- Terminating and recovering all PIV cards no longer needed by former contract employees; and
- Reporting unauthorized cardholders for any PIV cards that cannot be recovered to the U.S. Department of Homeland Security for unauthorized possession of a United States identification card, in compliance [with Federal regulations].”
Additionally, the Deputy Administrator must ensure collaboration between Heads of Services and Staff Offices to require enforcement of current policy and implement a new policy to account for all PIV cards issued to contract employees by:
- “Establishing PIV card recovery procedures that include specific steps to take for lost, stolen, and non-returned PIV cards, including withholding final payment if PIV cards are not returned, as outlined in [Federal regulations];
- Implementing procedures, using the GSA Credential and Identity Management System, that track and monitor GSA’s recovery of PIV cards and include communicating the results to the requesting officials and regional leadership;
- Requiring training on PIV card issuance and recovery for personnel with responsibilities in the PIV card process;
- Coordinating with the U.S. Department of Homeland Security to establish emergency procedures (including when unfit determinations are made) for recovery of contract employee PIV cards, in accordance with [Federal regulations], PIV of Federal Employees and Contractors; and
- Implementing the oversight of requesting officials and the Office of Mission Assurance personnel to ensure GSA maintains accurate contract employee data in the GSA Credential and Identity Management System and retrieves PIV cards.”
The OIG noted that GSA agreed with its report findings and recommendations.