Personal ID Verification:

Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

GAO-11-751: Published: Sep 20, 2011. Publicly Released: Sep 20, 2011.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

To increase the security of federal facilities and information systems, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in 2004. This directive ordered the establishment of a governmentwide standard for secure and reliable forms of ID for employees and contractors who access government-controlled facilities and information systems. The National Institute of Standards and Technology (NIST) defined requirements for such personal identity verification (PIV) credentials based on "smart cards"--plastic cards with integrated circuit chips to store and process data. The Office of Management and Budget (OMB) directed federal agencies to issue and use PIV credentials to control access to federal facilities and systems. GAO was asked to determine the progress that selected agencies have made in implementing the requirements of HSPD-12 and identify obstacles agencies face in implementing those requirements. To perform the work, GAO reviewed plans and other documentation and interviewed officials at the General Services Administration, OMB, and eight other agencies.

Overall, OMB and federal agencies have made progress but have not fully implemented HSPD-12 requirements aimed at establishing a common identification standard for federal employees and contractors. OMB, the federal Chief Information Officers Council, and NIST have all taken steps to promote full implementation of HSPD-12. For example, in February 2011, OMB issued guidance emphasizing the importance of agencies using the electronic capabilities of PIV cards they issue to their employees, contractor personnel, and others who require access to federal facilities and information systems. The agencies in GAO's review--the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the National Aeronautics and Space Administration; and the Nuclear Regulatory Commission--have made mixed progress in implementing HSPD-12 requirements. Specifically, they have made substantial progress in conducting background investigations on employees and others and in issuing PIV cards, fair progress in using the electronic capabilities of the cards for access to federal facilities, and limited progress in using the electronic capabilities of the cards for access to federal information systems. In addition, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies. The mixed progress can be attributed to a number of obstacles agencies have faced in fully implementing HSPD-12 requirements. Specifically, several agencies reported logistical problems in issuing credentials to employees in remote locations, which can require costly and time-consuming travel. In addition, agencies have not always established effective mechanisms for tracking the issuance of credentials to federal contractor personnel--or for revoking those credentials and the access they provide when a contract ends. The mixed progress in using the electronic capabilities of PIV credentials for physical access to major facilities is a result, in part, of agencies not making it a priority to implement PIV-enabled physical access control systems at all of their major facilities. Similarly, a lack of prioritization has kept agencies from being able to require the use of PIV credentials to obtain access to federal computer systems (known as logical access), as has the lack of procedures for accommodating personnel who lack PIV credentials. According to agency officials, a lack of funding has also slowed the use of PIV credentials for both physical and logical access. Finally, the minimal progress in achieving interoperability among agencies is due in part to insufficient assurance that agencies can trust the credentials issued by other agencies. Without greater agency management commitment to achieving the objectives of HSPD-12, agencies are likely to continue to make mixed progress in using the full capabilities of the credentials. GAO is making recommendations to nine agencies, including OMB, to achieve greater implementation of PIV card capabilities. Seven of the nine agencies agreed with GAO's recommendations or discussed actions they were taking to address them; two agencies did not comment.

Recommendations for Executive Action

  1. Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To ensure that PIV credentials are issued only to employees and contractor staff requiring them, the Secretary of Agriculture should take steps to identify which staff in the "other" category should receive PIV cards and establish procedures for handling such cases.

    Agency Affected: Department of Agriculture

  2. Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency Affected: Department of Agriculture

  3. Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards.

    Agency Affected: Department of Agriculture

  4. Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should develop and implement procedures to allow employees who need to access multiple computers simultaneously to use the PIV card to access each computer.

    Agency Affected: Department of Agriculture

  5. Status: Open

    Comments: The Department of Commerce has submitted documentation of its out-processing procedures, which include PIV-card revocation procedures; however, GAO has yet to receive timeframes for implementing a new PIV-card tracking system.

    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion.

    Agency Affected: Department of Commerce

  6. Status: Open

    Comments: GAO is currently working with Commerce to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Commerce should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including time frames for deployment.

    Agency Affected: Department of Commerce

  7. Status: Open

    Comments: GAO is currently working with Commerce to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Commerce should ensure that plans for PIV-enabled logical access to the department's systems and networks are implemented in a timely manner.

    Agency Affected: Department of Commerce

  8. Status: Closed - Implemented

    Comments: In September 2011, we reported that DHS identified difficulties in monitoring and tracking contractor personnel, especially when contracts begin and end, and attributed it as a reason for not fully complying with HSPD-12 requirements PIV card issuance and revocation. We recommended that the Secretary of Homeland Security establish specific time frames for implementing planned revisions to the department?s tracking procedures, to ensure that PIV cards are revoked in a timely fashion. In its PCI Operations Plan, dated February 10, 2014, DHS, in response to our recommendation, outlined new tracking procedures to ensure PIV cards are revoked in a timely fashion. The plan assigns responsibility for the revocation of the cards, identifies reasons that a card should be revoked, and describes the steps needed to take in order to ensure that the process is completed properly.

    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Homeland Security should establish specific time frames for implementing planned revisions to the department's tracking procedures, to ensure that PIV cards are revoked in a timely fashion.

    Agency Affected: Department of Homeland Security

  9. Status: Open

    Comments: DHS has developed an overall departmental strategy document for using PIV cards at its major facilities. GAO is currently working with DHS to obtain information about specific implementation plans based on this strategy that would address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Homeland Security should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and timeframes for deployment.

    Agency Affected: Department of Homeland Security

  10. Status: Open

    Comments: GAO is currently working with DHS to obtain information about implementation of PIV cards for logical access that would address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Homeland Security should ensure that plans for PIV-enabled logical access to the department's systems and networks are implemented in a timely manner.

    Agency Affected: Department of Homeland Security

  11. Status: Open

    Comments: GAO is currently working with HUD to address this recommendation.

    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Housing and Urban Development should develop and implement control procedures to ensure that PIV cards are revoked in a timely fashion.

    Agency Affected: Department of Housing and Urban Development

  12. Status: Open

    Comments: GAO is currently working with HUD to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Housing and Urban Development should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency Affected: Department of Housing and Urban Development

  13. Status: Open

    Comments: GAO is currently working with HUD to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Housing and Urban Development should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards.

    Agency Affected: Department of Housing and Urban Development

  14. Status: Open

    Comments: GAO is currently working with Interior to address this recommendation.

    Recommendation: To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of the Interior should make greater use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations.

    Agency Affected: Department of the Interior

  15. Status: Open

    Comments: GAO is currently working with Interior to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment.

    Agency Affected: Department of the Interior

  16. Status: Open

    Comments: GAO is currently working with Interior to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should ensure that plans for PIV-enabled logical access to Interior's systems and networks are implemented in a timely manner.

    Agency Affected: Department of the Interior

  17. Status: Closed - Implemented

    Comments: In September 2011, we reported that Labor had a low PIV card issuance rate (80 percent) due to difficulties in issuing cards to personnel in remote field offices via mobile PIV credentialing stations. As a result, Labor had not fully implemented OMB's HSPD-12 requirements, which direct agencies to issue PIV cards to all personnel. We recommended that the Secretary of the Labor make greater use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations. In fiscal year 2012, officials from Labor provided evidence that showed the department had increased its use of mobile PIV credentialing stations to issue PIV cards to field staff. According to documentation, from September 2011 to June 2012, Labor used these stations to issue an additional 1,415 PIV cards. By continuing to use the mobile credentialing systems, Labor has made greater use of portable credentialing systems by issuing PIV cards to a greater percentage of its workforce.

    Recommendation: To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of Labor should make greater use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations.

    Agency Affected: Department of Labor

  18. Status: Open

    Comments: GAO is currently working with Labor to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency Affected: Department of Labor

  19. Status: Open

    Comments: GAO is currently working with Labor to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that plans for PIV-enabled logical access to Labor's systems and networks are implemented in a timely manner.

    Agency Affected: Department of Labor

  20. Status: Open

    Comments: GAO is currently working with NASA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards.

    Agency Affected: National Aeronautics and Space Administration

  21. Status: Open

    Comments: GAO is currently working with NASA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical.

    Agency Affected: National Aeronautics and Space Administration

  22. Status: Open

    Comments: GAO is currently working with NRC to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Chairman of the NRC should develop and implement procedures to allow staff who need to access multiple computers simultaneously to use the PIV card to access each computer.

    Agency Affected: Nuclear Regulatory Commission

  23. Status: Open

    Comments: GAO is currently working with OMB to address this recommendation.

    Recommendation: To address the challenge of promoting the interoperability of PIV cards across agencies by ensuring that agency HSPD-12 systems are trustworthy, the Director of OMB should require the establishment of a certification process, such as through audits by third parties, for validating agency implementations of PIV credentialing systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  24. Status: Closed - Implemented

    Comments: In September 2011, we reported that only 80 percent of DHS's workforce had been issued PIV cards as of March 2011. As a result, DHS had not fully implemented OMB's HSPD-12 requirements, which direct agencies to issue PIV cards to all personnel. To ensure that PIV credentials are issued to all employees and contractor staff requiring them, we recommended that the Secretary of Homeland Security make use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations. In fiscal year 2012, DHS, in response to our recommendation, provided evidence that they leased portable credentialing systems that enable the remote issuance of new PIV cards. Specifically, in September 2011, DHS entered into a two year contract that gave DHS access to 50 portable PIV credentialing systems that will, according to the statement of work, enable DHS to issue PIV cards to approximately 250,000 additional employees and contractor staff. As of September 2012, DHS reported that all required PIV cards had been issued.

    Recommendation: To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of Homeland Security should make use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Dec 18, 2014

Dec 17, 2014

  • government icon, source: Eyewire

    State and Local Governments' Fiscal Outlook:

    2014 Update
    GAO-15-224SP: Published: Dec 17, 2014. Publicly Released: Dec 17, 2014.

Dec 3, 2014

Nov 14, 2014

Nov 13, 2014

Nov 12, 2014

Oct 31, 2014

Oct 30, 2014

Oct 27, 2014

Oct 24, 2014

Looking for more? Browse all our products here