Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards
GAO-11-751
Published: Sep 20, 2011. Publicly Released: Sep 20, 2011.
Skip to Highlights
Highlights
To increase the security of federal facilities and information systems, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in 2004. This directive ordered the establishment of a governmentwide standard for secure and reliable forms of ID for employees and contractors who access government-controlled facilities and information systems. The National Institute of Standards and Technology (NIST) defined requirements for such personal identity verification (PIV) credentials based on "smart cards"--plastic cards with integrated circuit chips to store and process data. The Office of Management and Budget (OMB) directed federal agencies to issue and use PIV credentials to control access to federal facilities and systems. GAO was asked to determine the progress that selected agencies have made in implementing the requirements of HSPD-12 and identify obstacles agencies face in implementing those requirements. To perform the work, GAO reviewed plans and other documentation and interviewed officials at the General Services Administration, OMB, and eight other agencies.
Overall, OMB and federal agencies have made progress but have not fully implemented HSPD-12 requirements aimed at establishing a common identification standard for federal employees and contractors. OMB, the federal Chief Information Officers Council, and NIST have all taken steps to promote full implementation of HSPD-12. For example, in February 2011, OMB issued guidance emphasizing the importance of agencies using the electronic capabilities of PIV cards they issue to their employees, contractor personnel, and others who require access to federal facilities and information systems. The agencies in GAO's review--the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the National Aeronautics and Space Administration; and the Nuclear Regulatory Commission--have made mixed progress in implementing HSPD-12 requirements. Specifically, they have made substantial progress in conducting background investigations on employees and others and in issuing PIV cards, fair progress in using the electronic capabilities of the cards for access to federal facilities, and limited progress in using the electronic capabilities of the cards for access to federal information systems. In addition, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies. The mixed progress can be attributed to a number of obstacles agencies have faced in fully implementing HSPD-12 requirements. Specifically, several agencies reported logistical problems in issuing credentials to employees in remote locations, which can require costly and time-consuming travel. In addition, agencies have not always established effective mechanisms for tracking the issuance of credentials to federal contractor personnel--or for revoking those credentials and the access they provide when a contract ends. The mixed progress in using the electronic capabilities of PIV credentials for physical access to major facilities is a result, in part, of agencies not making it a priority to implement PIV-enabled physical access control systems at all of their major facilities. Similarly, a lack of prioritization has kept agencies from being able to require the use of PIV credentials to obtain access to federal computer systems (known as logical access), as has the lack of procedures for accommodating personnel who lack PIV credentials. According to agency officials, a lack of funding has also slowed the use of PIV credentials for both physical and logical access. Finally, the minimal progress in achieving interoperability among agencies is due in part to insufficient assurance that agencies can trust the credentials issued by other agencies. Without greater agency management commitment to achieving the objectives of HSPD-12, agencies are likely to continue to make mixed progress in using the full capabilities of the credentials. GAO is making recommendations to nine agencies, including OMB, to achieve greater implementation of PIV card capabilities. Seven of the nine agencies agreed with GAO's recommendations or discussed actions they were taking to address them; two agencies did not comment.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Agriculture | To ensure that PIV credentials are issued only to employees and contractor staff requiring them, the Secretary of Agriculture should take steps to identify which staff in the "other" category should receive PIV cards and establish procedures for handling such cases. |
Closed – Implemented
In July 2015, USDA developed a credential matrix, in response to our recommendation, that allows the agency to determine part time employees' and non-Federal employees' need for a PIV card and procedures to issue the cards. As a result, USDA is closer to meeting the HSPD-12 program's objectives of issuing PIV cards to all personnel requiring access to federal facilities and systems.
|
| Department of Agriculture | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner. |
Closed – Implemented
In July 2015, USDA officials provided a list showing that, in response to our recommendation, all major facilities that identified the requirement to have PIV-enabled physical access had completed the transition. The list showed a total of 242 segments, consisting of over 400 USDA facilities, had been PIV-enabled for physical access. As a result, USDA is closer to meeting the HSPD-12 program's objectives using the PIV credential to enhance control over access to federal facilities.
|
| Department of Agriculture | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards. |
Closed – Implemented
In September 2015, the Federal Chief Information Officer and the Special Assistant to the President and Cybersecurity Coordinator published the results of the Cybersecurity Sprint that showed that 35% of all USDA's users are using strong authentication for their network accounts. While USDA did not meet the 75% goal for unprivileged users set by the President's Management Council for the Cybersecurity Sprint, it has achieved reasonable progress by increasing from the previously reported level of 15%. Further, in September 2015, USDA officials reported that, in response to our recommendation, it established the use of an alternative credential to address the short-term employee population that only requires limited access for those individuals 6 months or less. As a result, USDA is closer to meeting the HSPD-12 program's objectives using the PIV credential to enhance control over access to federal network and information systems.
|
| Department of Agriculture | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should develop and implement procedures to allow employees who need to access multiple computers simultaneously to use the PIV card to access each computer. |
Closed – Implemented
In July 2015, USDA developed a waiver request form, in response to our recommendation, that allows staff to formally request a waiver for deviating from the mandatory requirement for PIV cards be left in all machines after login under all circumstances and certify that associated risks have been evaluated and determined acceptable. As a result, USDA is closer to meeting the HSPD-12 program's objectives using of the PIV credential to enhance control over access to federal systems.
|
| Department of Commerce | To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion. |
Closed – Not Implemented
As of January 2018, Commerce has not implemented the recommendation. Moreover, the agency has not demonstrated an intent to address the recommendation
|
| Department of Commerce | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Commerce should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including time frames for deployment. |
Closed – Implemented
In fiscal year 2012, we verified that Commerce, in response to our recommendation, had developed plans that outline the implementation of HSPD-12 compliant physical access control systems. For instance, Specifically, these plans state that, by the end of FY2015, agency personnel should be able to use their PIV cards to physically access any of Commerce's operating units housed within its headquarters complex that they need to access. As a result of implementing our recommendation, Commerce has developed plans that will help it comply with HSPD-12 guidance that requires agencies to use PIV credentials as the common means of authentication for access to agency facilities.
|
| Department of Commerce | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Commerce should ensure that plans for PIV-enabled logical access to the department's systems and networks are implemented in a timely manner. |
Closed – Implemented
In July 2015, the Federal Chief Information Officer and the Special Assistant to the President and Cybersecurity Coordinator published the results of the Cybersecurity Sprint that showed that 88 percent of all Commerce users were using strong authentication for their network accounts. As a result, Commerce is closer to meeting the HSPD-12 program's objective of using the PIV credential to enhance control over access to federal networks and information systems.
|
| Department of Homeland Security | To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Homeland Security should establish specific time frames for implementing planned revisions to the department's tracking procedures, to ensure that PIV cards are revoked in a timely fashion. |
Closed – Implemented
In its PCI Operations Plan, dated February 10, 2014, DHS, in response to our recommendation, outlined new tracking procedures to ensure PIV cards are revoked in a timely fashion. The plan assigns responsibility for the revocation of the cards, identifies reasons that a card should be revoked, and describes the steps needed to take in order to ensure that the process is completed properly.
|
| Department of Homeland Security | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Homeland Security should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and timeframes for deployment. |
Closed – Implemented
DHS, in response to our recommendation, issued a Physical Access Control Systems Implementation Plan to be completed by its component agencies, which establishes steps, goals and timeframes for modernization. As of May 2015, all components have provided implementation plans to the Chief of Enterprise Security Services Division, which has included them as appendices to the Physical Access Control Systems Implementation Plan. As a result, DHS is closer to meeting the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities.
|
| Department of Homeland Security | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Homeland Security should ensure that plans for PIV-enabled logical access to the department's systems and networks are implemented in a timely manner. |
Closed – Implemented
In October 2014, DHS, in response to our recommendation, outlined requirements for system and network logical access, cross agency priority goals, and DHS's approach and progress towards meeting the mandated goals. The department had set a fiscal year 2014 department-wide compliance goal of 75 percent for HSPD-12 logical access. DHS reported that it had achieved an overall compliance rate of 81 percent by the end of September 2014. As a result DHS has made significant progress in achieving the HSPD-12 program's objective of using the electronic capabilities of PIV cards for access to federal networks and systems.
|
| Department of Housing and Urban Development | To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Housing and Urban Development should develop and implement control procedures to ensure that PIV cards are revoked in a timely fashion. |
Closed – Implemented
In September 2015, HUD's Director of the Office of Human Capital Services issued guidance entitled Personal Identity Verification Card Procedures for Departing U.S. Department of Housing and Urban Development Employees. The guidance outlined roles and responsibilities of the employee, various HUD offices, and the contractors involved in revoking the PIV cards of employees departing HUD in a timely fashion. As a result, HUD has increased assurance that unauthorized individuals cannot access their facilities and information systems.
|
| Department of Housing and Urban Development | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Housing and Urban Development should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner. |
Closed – Implemented
In August 2015, HUD officials provided a list, in response to our recommendation, that showed that 65 out of 66 field offices had implemented HSPD-12 compliant physical access systems. Officials reported that the remaining field office would be converted in March 2016. As a result, HUD is closer to meeting the HSPD-12 program's objectives using the PIV credential to enhance control over access to federal facilities.
|
| Department of Housing and Urban Development | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Housing and Urban Development should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards. |
Closed – Implemented
In September 2015, HUD reported to the Executive Office of the President that it had achieved 100% PIV logical access for privileged users and 79% for unprivileged users. While HUD did not meet the 85% goal for unprivileged users set by the President?s Management Council for the Cybersecurity Sprint, it has achieved substantial progress by increasing from the previously reported level of 0%. As a result, HUD is closer to meeting the HSPD-12 program's objectives using the PIV credential to enhance control over access to federal networks and information systems.
|
| Department of the Interior | To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of the Interior should make greater use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations. |
Closed – Implemented
In fiscal year 2012, we verified that Interior, in response to our recommendation, had developed plans that outline the implementation of HSPD-12 compliant physical access control systems. Specifically, these plans state that, by the end of fiscal year 2015, agency personnel should be able to use their PIV cards to physically access any of Interior's operating units housed within its headquarters facility. As a result of implementing our recommendation, Interior developed plans that helped it comply with HSPD-12 guidance that requires agencies to use PIV credentials as the common means of authentication for access to agency facilities.
|
| Department of the Interior | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment. |
Closed – Not Implemented
Interior did not develop implementation plans for enabling PIV access to all of the department's major facilities. Moreover, the agency has not demonstrated an intent to implement the recommendation.
|
| Department of the Interior | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should ensure that plans for PIV-enabled logical access to Interior's systems and networks are implemented in a timely manner. |
Closed – Implemented
In July 2015, the Federal Chief Information Officer and the Special Assistant to the President and Cybersecurity Coordinator published the results of the Cybersecurity Sprint that showed that 89 percent of Interior's users were using strong authentication to access their network accounts. As a result, Interior is closer to meeting the HSPD-12 program's objective of using the PIV credential to enhance control over access to federal networks and information systems.
|
| Department of Labor | To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of Labor should make greater use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations. |
Closed – Implemented
In fiscal year 2012, officials from Labor provided evidence that showed the department had increased its use of mobile PIV credentialing stations to issue PIV cards to field staff. According to documentation, from September 2011 to June 2012, Labor used these stations to issue an additional 1,415 PIV cards. By continuing to use the mobile credentialing systems, Labor has made greater use of portable credentialing systems by issuing PIV cards to a greater percentage of its workforce.
|
| Department of Labor | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner. |
Closed – Not Implemented
As of January 2018, Labor had not fully implemented plans for PIV-enabled physical access at major facilities. Moreover, the agency has not demonstrated its intent to fully implement the recommendation.
|
| Department of Labor | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that plans for PIV-enabled logical access to Labor's systems and networks are implemented in a timely manner. |
Closed – Implemented
In July 2015, the Federal Chief Information Officer and the Special Assistant to the President and Cybersecurity Coordinator published the results of the Cybersecurity Sprint that showed that 65% of all Labor's users are using strong authentication for their network accounts. While Labor did not meet the 75% goal for unprivileged users set by the President?s Management Council for the Cybersecurity Sprint, it has achieved substantial progress by increasing from the previously reported level of 0%. As a result, Labor is closer to meeting the HSPD-12 program's objectives using the PIV credential to enhance control over access to federal networks and information systems.
|
| National Aeronautics and Space Administration | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards. |
Closed – Not Implemented
As of June 2015, NASA stated it performed a pilot of off-the-shelf software for its Apple computers in May of 2015 and determined that the solution did not currently meet the necessary requirements. NASA believes there is not a product in the federal government that supports the Mac operating system it uses. Accordingly, NASA did not provide an estimated date for implementation of this recommendation.
|
| National Aeronautics and Space Administration | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical. |
Closed – Not Implemented
As of January 2018, NASA had not implemented procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards. Moreover, the agency has not demonstrated an intention to address the recommendation.
|
| Nuclear Regulatory Commission | To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Chairman of the NRC should develop and implement procedures to allow staff who need to access multiple computers simultaneously to use the PIV card to access each computer. |
Closed – Implemented
In fiscal year 2012, we verified that NRC, in response to our recommendation, developed and implemented procedures, which, according to NRC officials, allow staff members to access multiple computers simultaneously with their PIV cards. As a result, we find that this technical barrier to implementing HSPD-12 requirements has been removed.
|
| Office of Management and Budget | To address the challenge of promoting the interoperability of PIV cards across agencies by ensuring that agency HSPD-12 systems are trustworthy, the Director of OMB should require the establishment of a certification process, such as through audits by third parties, for validating agency implementations of PIV credentialing systems. |
Closed – Implemented
In August 2013, the National Institute of Standards and Technology, under oversight from OMB, responded to our recommendation by issuing Federal Information Processing Standards (FIPS) Publication 201-2: Personal Identity Verification (PIV) of Federal Employees and Contractors. This publication outlined compliance requirements for third-party PIV validation, certification, and accreditation. For example, the publication states that the accreditation of the PIV Card issuer shall be reviewed through a third-party assessment to enhance the trustworthiness of the credential. Further, it states that products procured to support the PIV processes, such card readers and biometric fingerprint template generators, must be on the FIPS 201 Approved Products List to enable procurement of conformant products by implementing agencies.
|
| Department of Homeland Security | To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of Homeland Security should make use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations. |
Closed – Implemented
In fiscal year 2012, DHS, in response to our recommendation, provided evidence that they leased portable credentialing systems that enable the remote issuance of new PIV cards. Specifically, DHS entered into a contract that gave DHS access to 50 portable PIV credentialing systems that would, according to the statement of work, enable DHS to issue PIV cards to approximately 250,000 additional employees and contractor staff. As of September 2012, DHS reported that all required PIV cards had been issued.
|
Full Report
GAO Contacts
Office of Public Affairs
Topics
Access controlAuthenticationBackground investigationsComputer securityContractor personnelE-governmentFacility securityFederal agenciesFederal employeesGovernment employeesGovernment facilitiesIdentification cardsIdentity verificationInformation systemsSecurity regulationsSmart cardsSecurity standards