Fast Facts

In November 2009, an Army officer shot 45 people at Fort Hood, Texas. Four years later, a Navy contractor shot 16 people at the Navy Yard in Washington, D.C.

DOD increasingly uses physical access control systems to screen people who want to enter military installations. The systems scan credentials and check them against FBI and other government databases. However, we found that DOD didn't know the extent to which its installations were using these systems because the Army, Navy, and Marine Corps have not monitored their use.

We recommended that DOD monitor the use of these systems and resolve technical issues to improve their performance.

A service member checks a stopped car at the main gate on McConnell Air Force Base, Kansas.

A person in a military uniform checks a car stopped at a checkpoint.

A person in a military uniform checks a car stopped at a checkpoint.

Skip to Highlights
Highlights

What GAO Found

The Department of Defense (DOD) has issued guidance on accessing its domestic installations and strengthening physical access control systems (PACS)—used to scan credentials to authenticate the identity and authorize individuals to access DOD installations. Specifically, DOD has recently issued guidance directing the fielding of PACS and has fielded or plans to field such systems at domestic installations. The Defense Manpower Data Center (DMDC) developed the PACS used by the Air Force, the Navy, the Marine Corps, and the Defense Logistics Agency. The Army developed its own PACS. Both types of PACS electronically connect to DOD's Identity Matching Engine for Security and Analysis (IMESA). IMESA accesses authoritative government databases to determine an individual's fitness for access (i.e., whether an individual is likely a risk to an installation or its occupants), and continually vets this fitness for subsequent visits (see fig.).

PACS Connect to IMESA to Validate the Identity of Individuals and Continuously Vet Their Fitness for Access to Department of Defense Installations

PACS Connect to IMESA to Validate the Identity of Individuals and Continuously Vet Their Fitness for Access to Department of Defense Installations

The Air Force and DLA have monitored their installations' use of PACS, but the Army, the Navy, and the Marine Corps have not. Army, Navy, and Marine Corps installation officials stated that they do not monitor PACS use at their installations because there is no requirement to do so. Because the Army, the Navy, and the Marine Corps do not monitor PACS use and DOD does not require that they do so, those military services do not have the data they need to evaluate the effectiveness of PACS and make informed risk-based decisions to safeguard personnel and mission-critical, high-value installation assets. DOD, Army, Navy, and Marine Corps officials agreed that monitoring installations' use of PACS would be beneficial and could be readily accomplished without significant cost using existing technology.

The Army and DMDC have used a tiered approach and established helpdesks to address PACS technical issues. The Army has established performance measures and goals to assess its approach, which has improved the ability to resolve technical issues. DMDC, however, does not have performance measures and goals, and thus lacks the information needed to evaluate its PACS' performance and address issues negatively affecting operational availability.

Why GAO Did This Study

In November 2009, an Army officer killed or wounded 45 people at Fort Hood, Texas; 4 years later in September 2013, a Navy contractor killed or wounded 16 people at the Washington Navy Yard in Washington, D.C. Independent reviews conducted in the aftermath of these shootings identified physical access control weaknesses at DOD installations.

The conference report accompanying the National Defense Authorization Act for Fiscal Year 2018 contained a provision for GAO to assess DOD's installation access control efforts. GAO (1) described actions DOD has taken to develop guidance on physical access to domestic installations and to field PACS at these installations, (2) evaluated the extent to which DOD has monitored the use of fielded PACS at these installations, and (3) evaluated the extent to which DOD has implemented an approach for addressing PACS technical issues and assessing associated performance. GAO analyzed DOD guidance on physical access control requirements, and visited installations to discuss with installation command and security force officials their experiences using PACS. This is a public version of a sensitive report that GAO issued in May 2019. Information that DOD deemed sensitive has been omitted.

Skip to Recommendations

Recommendations

GAO made five recommendations, including that DOD monitor installations' use of PACS and develop appropriate performance measures and goals for resolving technical issues to improve PACS performance. DOD concurred with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense 1. The Secretary of Defense should ensure that the Under Secretary of Defense for Intelligence requires that DOD components (including the military departments and the Defense Logistics Agency) monitor the use of PACS at their installations. (Recommendation 1)
Open
DOD concurred with this recommendation and identified actions that USD(I) was taking or planned to take to implement this recommendation. The DOD originally planned to begin drafting a new volume of DoD Manual 5200.08; however, the ongoing pandemic has caused delays pushing the creation of DODM 5200.08, Volume 1, Physical Security Program: Rules, Regulations, and Requirements, into the summer of 2021. This new regulation will require DoD Components with installation access control responsibility to monitor the use of their PACS at their installations.
Department of the Army 2. The Secretary of the Army should ensure that the Office of Provost Marshal General monitors the use of PACS at Army installations. (Recommendation 2)
Open
DOD concurred with this recommendation and identified actions that the Army was taking or planned to take to implement this recommendation. The Army expects to incorporate this recommendation into guidance by 9/30/22.
Department of the Navy 3. The Secretary of the Navy should ensure that the Commander, Navy Installations Command, monitors the use of PACS at Navy installations. (Recommendation 3)
Open
The Department of the Navy has incorporated this recommendation into the revision of SecNavInst 5500.35, which mandates the Services' (Navy and Marine Corps) use of the PACS to the maximum extent possible and requires each Service monitor the use of their PACS. SecNav (DUSN) monitors the use of PACS by requiring Services to provide monthly reporting of PACS statistics on a recurring basis. The revision of SecNavInst 5500.35 is already in final staffing and expected to be approved by December 31, 2020.
Department of the Navy 4. The Secretary of the Navy, in coordination with the Commandant of the Marine Corps, should ensure that the Commander, Marine Corps Installations Command, monitors the use of PACS at Marine Corps installations. (Recommendation 4)
Open
The Department of the Navy has incorporated this recommendation into the revision of SecNavInst 5500.35, which mandates the Services' (Navy and Marine Corps) use of the PACS to the maximum extent possible and requires each Service monitor the use of their PACS. SecNav (DUSN) monitors the use of PACS by requiring Services to provide monthly reporting of PACS statistics on a recurring basis. The revision of SecNavInst 5500.35 is already in final staffing and expected to be approved by December 31, 2020.
Department of Defense 5. The Secretary of Defense should ensure that the Under Secretary of Defense for Personnel and Readiness develops appropriate performance measures and associated goals for the timely resolution of the Defense Biometric Identification System technical issues to facilitate improved PACS performance. (Recommendation 5)
Open
DOD concurred with this recommendation, and identified actions that USD(P&R) was taking or planned to take to implement this recommendation. The Defense Manpower Data Center (DMDC) has completed a portion of recommendation #5 by assessing and analyzing the help desk support and technical solution services being provided. The actions necessary to improve the efficiency and effectiveness of the contract support by increasing the acceptable quality levels defined in each contract has budgetary impacts that require subscriber approval. DMDC anticipates resolution of this budgetary issue by September 30, 2022.

Full Report

GAO Contacts