DOD Installations:

Monitoring Use of Physical Access Control Systems Could Reduce Risks to Personnel and Assets

GAO-19-649: Published: Aug 22, 2019. Publicly Released: Aug 22, 2019.

Additional Materials:

Contact:

Diana Maurer
(202) 512-9627
maurerd@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In November 2009, an Army officer shot 45 people at Fort Hood, Texas. Four years later, a Navy contractor shot 16 people at the Navy Yard in Washington, D.C.

DOD increasingly uses physical access control systems to screen people who want to enter military installations. The systems scan credentials and check them against FBI and other government databases. However, we found that DOD didn't know the extent to which its installations were using these systems because the Army, Navy, and Marine Corps have not monitored their use.

We recommended that DOD monitor the use of these systems and resolve technical issues to improve their performance.

A service member checks a stopped car at the main gate on McConnell Air Force Base, Kansas.

A person in a military uniform checks a car stopped at a checkpoint.

A person in a military uniform checks a car stopped at a checkpoint.

Additional Materials:

Contact:

Diana Maurer
(202) 512-9627
maurerd@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Defense (DOD) has issued guidance on accessing its domestic installations and strengthening physical access control systems (PACS)—used to scan credentials to authenticate the identity and authorize individuals to access DOD installations. Specifically, DOD has recently issued guidance directing the fielding of PACS and has fielded or plans to field such systems at domestic installations. The Defense Manpower Data Center (DMDC) developed the PACS used by the Air Force, the Navy, the Marine Corps, and the Defense Logistics Agency. The Army developed its own PACS. Both types of PACS electronically connect to DOD's Identity Matching Engine for Security and Analysis (IMESA). IMESA accesses authoritative government databases to determine an individual's fitness for access (i.e., whether an individual is likely a risk to an installation or its occupants), and continually vets this fitness for subsequent visits (see fig.).

PACS Connect to IMESA to Validate the Identity of Individuals and Continuously Vet Their Fitness for Access to Department of Defense Installations

PACS Connect to IMESA to Validate the Identity of Individuals and Continuously Vet Their Fitness for Access to Department of Defense Installations

The Air Force and DLA have monitored their installations' use of PACS, but the Army, the Navy, and the Marine Corps have not. Army, Navy, and Marine Corps installation officials stated that they do not monitor PACS use at their installations because there is no requirement to do so. Because the Army, the Navy, and the Marine Corps do not monitor PACS use and DOD does not require that they do so, those military services do not have the data they need to evaluate the effectiveness of PACS and make informed risk-based decisions to safeguard personnel and mission-critical, high-value installation assets. DOD, Army, Navy, and Marine Corps officials agreed that monitoring installations' use of PACS would be beneficial and could be readily accomplished without significant cost using existing technology.

The Army and DMDC have used a tiered approach and established helpdesks to address PACS technical issues. The Army has established performance measures and goals to assess its approach, which has improved the ability to resolve technical issues. DMDC, however, does not have performance measures and goals, and thus lacks the information needed to evaluate its PACS' performance and address issues negatively affecting operational availability.

Why GAO Did This Study

In November 2009, an Army officer killed or wounded 45 people at Fort Hood, Texas; 4 years later in September 2013, a Navy contractor killed or wounded 16 people at the Washington Navy Yard in Washington, D.C. Independent reviews conducted in the aftermath of these shootings identified physical access control weaknesses at DOD installations.

The conference report accompanying the National Defense Authorization Act for Fiscal Year 2018 contained a provision for GAO to assess DOD's installation access control efforts. GAO (1) described actions DOD has taken to develop guidance on physical access to domestic installations and to field PACS at these installations, (2) evaluated the extent to which DOD has monitored the use of fielded PACS at these installations, and (3) evaluated the extent to which DOD has implemented an approach for addressing PACS technical issues and assessing associated performance. GAO analyzed DOD guidance on physical access control requirements, and visited installations to discuss with installation command and security force officials their experiences using PACS. This is a public version of a sensitive report that GAO issued in May 2019. Information that DOD deemed sensitive has been omitted.

What GAO Recommends

GAO made five recommendations, including that DOD monitor installations' use of PACS and develop appropriate performance measures and goals for resolving technical issues to improve PACS performance. DOD concurred with GAO's recommendations.

For more information, contact Diana Maurer at (202) 512-9627 or maurerd@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Intelligence requires that DOD components (including the military departments and the Defense Logistics Agency) monitor the use of PACS at their installations. (Recommendation 1)

    Agency Affected: Department of Defense

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of the Army should ensure that the Office of Provost Marshal General monitors the use of PACS at Army installations. (Recommendation 2)

    Agency Affected: Department of Defense: Department of the Army

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of the Navy should ensure that the Commander, Navy Installations Command, monitors the use of PACS at Navy installations. (Recommendation 3)

    Agency Affected: Department of Defense: Department of the Navy

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of the Navy, in coordination with the Commandant of the Marine Corps, should ensure that the Commander, Marine Corps Installations Command, monitors the use of PACS at Marine Corps installations. (Recommendation 4)

    Agency Affected: Department of Defense: Department of the Navy

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Personnel and Readiness develops appropriate performance measures and associated goals for the timely resolution of the Defense Biometric Identification System technical issues to facilitate improved PACS performance. (Recommendation 5)

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Sep 16, 2019

Sep 5, 2019

Sep 3, 2019

Aug 20, 2019

Aug 15, 2019

Jul 31, 2019

Jul 26, 2019

Jul 11, 2019

Jun 28, 2019

Looking for more? Browse all our products here