This story was updated to include comment by GSA spokeswoman Jackeline Stewart on October 21, 2014 at 10:10AM.
There’s a downside to the General Services Administration’s highly touted open-floor plan: theft, or the prospect of it. In a new report, the agency’s inspector general chides employees for forgetting to stash away “highly pilferable” government property, such as laptops.
Since the agency tore down its corner offices to enlarge common areas last year, employees have had to share work stations in big, open spaces. Rather than lock their belongings behind office doors at the end of the day, they safeguard valuables in lockers and file cabinets. While other agencies are copying GSA in efforts to save money and enhance collaboration among employees, the IG report suggests employees are having trouble tweaking their habits to fit the new reality.
“The transition to a more collaborative workspace has increased security risks for vulnerable assets and sensitive information as GSA employees adjust to taking new steps to physically secure property and information in their personal workspaces,” the report said.
IG staff prowled about after hours one July night. They found plenty of goodies in unlocked drawers, cabinets and lockers. There were laptops, an ID card with access to the building and architectural drawings marked “sensitive but unclassified.” On top of desks, the inspectors spied performance reviews and other documents containing personally identifiable information. In addition, they nabbed a contract file with source selection information that, if made public, could have far-reaching consequences.
The evidence also suggests some GSA employees worry more about being locked out than securing their belongings. The inspectors found a combination code to a bay of personal lockers placed on top of the lockers and a code to a door lock taped to the back of that door. In open drawers, the inspectors found keys to several filing cabinets.
Despite the inspectors’ bounty that night, GSA reported just five thefts last year at its headquarters, according to Federal Protective Service. This calendar year, there have been five reports of lost or stolen laptops throughout the entire agency, according to GSA spokeswoman Jackeline Stewart.
“While any loss or theft is unacceptable, this suggests that the problem is a manageable one,” she said in a statement, adding that the agency’s technology has security features that make it hard for an unauthorized user to access data. For example, GSA laptops require two-layer authentication. The agency’s IT team remotely can wipe data from mobile devices reported missing, she said.
Yet the agency is taking the IG’s warning seriously.
“We agree GSA can make improvements to our approach to securing sensitive information,” Chief of Staff Adam Neufeld wrote in response to the report. “We understand that an open, mobile office may present new challenges to how we secure our space, but we have taken steps to ensure that our employees are aware of how important this is to our work and our agency.”
How much can that locker hold?
The IG staff grabbed the laptops, documents and other sensitive items, leaving notes behind. Many employees who received the notes contacted the IG office, but did not know what had been taken from their work space. To date, the inspectors are waiting on other employees to come forward to get their property. No one has claimed the ID card, which belonged to a former GSA contractor but allowed entry into the building at the time of the report.
The episode offers a snapshot of a broader issue. Over the past year, GSA received just one report that items containing personal information had been left unsecured, suggesting employees are either not following protocol, or simply do not notice breaches of personally identifiable information.
The findings point to a logistical problem, too: One employee whose laptop was confiscated complained to inspectors that the computer did not fit inside their locker after they had stored their shoes and other stuff in it. The report suggests GSA may have to rethink the size of the lockers. In his response, Neufeld said each section of GSA received all of the file storage space it had requested. A recent audit found more than a quarter of the storage units, on average, unused, he said.
The IG credits GSA for prodding employees, through posters, emails and blogs, to lock away valuables at the end of each workday. Since the IG issued the report, GSA has doubled down on its efforts, launching “an extensive campaign” to educate staff on security policies, Neufeld wrote. In addition to the emails, office signs and posts to an internal social media site, the agency plans to install messages on all computers to help employees remember to lock away their laptops and sensitive items, he said.
Visitors soon will get only temporary IDs that expire after one day. In addition, they will need GSA employees to escort them through the building. The agency has been developing these measures since before the IG released its report, Stewart said.
White House gives agencies the lead role in combating ID theft