GAO Gives Agencies Mixed Grades on Digital IDs
Getting Remote Workers Credentials Hard for Some AgenciesIn a report issued Tuesday, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards, the Government Accountability Office said OMB and federal agencies have made progress but have not fully implemented the requirements of the 2004 Homeland Security Presidential Directive-12 to establish identification standards for federal employees and contractors.
(Story continues after the chart)
See Also: Conversational Cyber Insurance: How Cybersecurity and Cyber Insurance are Interwined
GAO attributed the mixed progress to a number of obstacles agencies have faced. Specifically, auditors say, several agencies reported logistical problems in issuing credentials to employees in remote locations, which can require costly and time-consuming travel. In addition, GAO said, agencies have not consistently established effective ways to track the issuance of credentials to federal contractor personnel or to revoke those credentials and the access they provide when a contract ends.
"The mixed progress in using the electronic capabilities of PIV credentials for physical access to major facilities is a result, in part, of agencies not making it a priority to implement PIV-enabled physical access control systems at all of their major facilities," GAO said in the 75-page audit.
GAO also said a lack of prioritization has kept agencies from being able to require the use of personal identification verification credentials to obtain access to federal computer systems as has the lack of procedures for accommodating personnel who lack PIV credentials.
Agency officials told GAO that a lack of funding has also slowed the use of PIV credentials for physical and computer access. And, GAO said, the minimal progress in achieving interoperability among agencies is due, in part, to insufficient assurance that agencies can trust the credentials issued by other agencies. "Without greater agency management commitment to achieving the objectives of HSPD-12," the audit said, "agencies are likely to continue to make mixed progress in using the full capabilities of the credentials."
Still, the auditors had encouraging words as well. GAO credited OMB, the Federal Chief Information Officers Council and the National Institute of Standards and Technology for steps taken to promote full implementation of HSPD-12. GAO specifically cited February guidance issued by OMB emphasizing the importance of agencies using the electronic capabilities of PIV cards to access to federal facilities and information systems.
GAO said the agencies it reviewed - departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, Interior and Labor as well as NASA and the Nuclear Regulatory Agency - have made substantial progress in conducting background investigations on employees and others and in issuing PIV cards.
But, GAO said, these agencies made only fair progress in using the electronic capabilities of the cards for access to federal facilities and limited progress in using the electronic capabilities of the cards for access to federal information systems. In addition, auditors said, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies.