GAO Gives Agencies Mixed Grades on Digital IDs

Getting Remote Workers Credentials Hard for Some Agencies
GAO Gives Agencies Mixed Grades on Digital IDs
Congressional auditors gave the Office of Management and Budget and select federal agencies it reviewed mixed grades in complying with a presidential directive to issue secure identifications to government employees and contractors to access federal information systems and facilities.

In a report issued Tuesday, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards, the Government Accountability Office said OMB and federal agencies have made progress but have not fully implemented the requirements of the 2004 Homeland Security Presidential Directive-12 to establish identification standards for federal employees and contractors.

(Story continues after the chart)

See Also: Conversational Cyber Insurance: How Cybersecurity and Cyber Insurance are Interwined

GAO attributed the mixed progress to a number of obstacles agencies have faced. Specifically, auditors say, several agencies reported logistical problems in issuing credentials to employees in remote locations, which can require costly and time-consuming travel. In addition, GAO said, agencies have not consistently established effective ways to track the issuance of credentials to federal contractor personnel or to revoke those credentials and the access they provide when a contract ends.

"The mixed progress in using the electronic capabilities of PIV credentials for physical access to major facilities is a result, in part, of agencies not making it a priority to implement PIV-enabled physical access control systems at all of their major facilities," GAO said in the 75-page audit.

GAO also said a lack of prioritization has kept agencies from being able to require the use of personal identification verification credentials to obtain access to federal computer systems as has the lack of procedures for accommodating personnel who lack PIV credentials.

Agency officials told GAO that a lack of funding has also slowed the use of PIV credentials for physical and computer access. And, GAO said, the minimal progress in achieving interoperability among agencies is due, in part, to insufficient assurance that agencies can trust the credentials issued by other agencies. "Without greater agency management commitment to achieving the objectives of HSPD-12," the audit said, "agencies are likely to continue to make mixed progress in using the full capabilities of the credentials."

Still, the auditors had encouraging words as well. GAO credited OMB, the Federal Chief Information Officers Council and the National Institute of Standards and Technology for steps taken to promote full implementation of HSPD-12. GAO specifically cited February guidance issued by OMB emphasizing the importance of agencies using the electronic capabilities of PIV cards to access to federal facilities and information systems.

GAO said the agencies it reviewed - departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, Interior and Labor as well as NASA and the Nuclear Regulatory Agency - have made substantial progress in conducting background investigations on employees and others and in issuing PIV cards.

But, GAO said, these agencies made only fair progress in using the electronic capabilities of the cards for access to federal facilities and limited progress in using the electronic capabilities of the cards for access to federal information systems. In addition, auditors said, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies.


About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.