More than 14 years have passed since the George W. Bush administration issued a directive to ensure federal workers and contractors are who they say they are when entering federal buildings. But the Government Accountability Office said progress has been lacking, especially in the digital age.
In a Dec. 20 report, GAO said that the agencies were taking steps to improve security, but not quickly enough. Of the five selected agencies reviewed by GAO, several issues came up with regard to the physical access control systems (PACS) — which verify identification information at many agencies — including cost, lack of clarity on the procurement of systems and difficulty adding new technology to the legacy systems.
The General Services Administration approves the technologies and the vendors for PACS, and the White House sets the parameters.
PACS include personal identity verification (PIV) cards, card readers and any other technology that electronically confirms employee and contractor identities in order to validate their access to facilities.
PIV cards contain critical information, including employment status and any security clearance information, embedded in a microchip. As technology continues to evolve, meeting the need for upgraded security systems is even more critical.
Lori Rectanus, director of the physical infrastructure team at GAO, said a lot of the issues with compliance stem from lack of oversight and record-keeping. She said that under the 2004 directive, the White House — specifically the Office of Management and Budget — should be keeping records of agency progress in developing and implementing those PACS.
“Agencies have not made a lot of progress, primarily because no one’s been asking questions about what are [they] doing, what are [they] buying, what efforts are [they] making for governmentwide information to know who’s buying what and are [they] compliant,” Rectanus said on Federal Drive with Tom Temin. “We really don’t know where agencies are and what progress has been made. [OMB has] the key responsibility for overseeing and enforcing this process. They are the ultimate arbiter of people’s budgets.”
The GAO report highlighted several small steps OMB and GSA have taken to promote compliance across the agencies.
First, several memos were published by OMB to clarify agencies’ responsibilities in making sure their buildings were secure. One memo, published in 2011, cited Department of Homeland Security guidance to agencies requiring them to use allocated funds to upgrade their access systems before other projects were done. The GAO report found that OMB would be unable to track such progress without baseline data.
The report also mentioned GSA’s implementation of the Approved Products List, identifying the products that met federal requirements through testing and evaluation. Agencies are required to use this list to procure the equipment for PACS.
The Interagency Security Committee, chaired by DHS along with 60 federal departments and agencies, is required to develop security standards across the federal government — except for the military agencies. ISC is “well-positioned to determine the extent that PACS implementation challenges exist across its membership and to develop strategies to address them,” the report said.
“I do think the Department of Defense is further ahead than the civilian organizations. They have their version of the PIV card and I think it’s used pretty widely to govern access to different facilities and different locations,” Rectanus said. “I don’t know about their procurement of equipment, but I’m sure there are a lot of lessons that we can learn, especially from some of their more secure facilities where you know, by necessity they’ve had to really protect access to them.”
GAO recommended two solutions:
OMB must determine and regularly monitor a baseline level of progress in terms of PACS implementation.
ISC should assess the extent of strategies to address governmentwide challenges to implementing PACS.
When it comes to the slow progress, does this lack of information and technological upgrade mean government facilities aren’t as secure as they should be?
Rectanus said if the security of federal buildings across the government is based solely on these PIV cards talking to readers, the lag could create bigger problems.
“If you believe that’s the way that we keep our facilities secure, that’s not happening,” Rectanus said. “So, yes, we do run the risk of either nefarious actors pretending to be government employees and contractors getting into buildings or even employees themselves are disgruntled or contractors who may be getting in inappropriately and getting access to places that they shouldn’t.”