A new report from the Office of the Inspector General (OIG) found that the Veterans Health Administration (VHA) puts veterans’ sensitive information and facility security at risk by not following requirements about documenting personal identity verification (PIV) cards returned by contract personnel.
The review team examined a random sample of 46 professional service and healthcare resource contracts to determine if contractors returned their PIV cards, as required. But they found there was no proper documentation to prove contractors’ personnel had returned their PIV cards.
The VHA procurement manual requires the contracting officer to obtain a list of all employees who were issued PIV cards, which allows them access to VA facilities and information systems during their tenure at the VHA and ensures all PIV cards were returned.
Failure to document PIV card returns has been a security concern previously reported throughout government agencies, including at the General Services Administration, which failed to account for 15,000 access cards, according to a 2020 OIG report. The Federal Acquisition Regulation guidelines require contracting officers to maintain proper documentation indicating former contract personnel return PIV cards.
As a result, there is an increased risk that unauthorized individuals could access VA facilities or exploit information systems unnoticed. Even if subsequently detected, it could be too late to stop harm in the facility or the misuse or distribution of veterans’ personal information.
The OIG made ten recommendations to the VHA to address noncompliance with requirements for PIV cards, including ensuring contracting officers maintain evidence of a contractor-provided list of issued PIV cards and that all PIV cards were returned to the issuing or designated office before contract closeout. The report also recommended that the agency establish periodic reviews and new specific supervisory responsibilities for contracting officer oversight around the PIV card documentation process.