Personal ID Verification:

Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

GAO-11-751: Published: Sep 20, 2011. Publicly Released: Sep 20, 2011.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

To increase the security of federal facilities and information systems, the President issued Homeland Security Presidential Directive 12 (HSPD-12) in 2004. This directive ordered the establishment of a governmentwide standard for secure and reliable forms of ID for employees and contractors who access government-controlled facilities and information systems. The National Institute of Standards and Technology (NIST) defined requirements for such personal identity verification (PIV) credentials based on "smart cards"--plastic cards with integrated circuit chips to store and process data. The Office of Management and Budget (OMB) directed federal agencies to issue and use PIV credentials to control access to federal facilities and systems. GAO was asked to determine the progress that selected agencies have made in implementing the requirements of HSPD-12 and identify obstacles agencies face in implementing those requirements. To perform the work, GAO reviewed plans and other documentation and interviewed officials at the General Services Administration, OMB, and eight other agencies.

Overall, OMB and federal agencies have made progress but have not fully implemented HSPD-12 requirements aimed at establishing a common identification standard for federal employees and contractors. OMB, the federal Chief Information Officers Council, and NIST have all taken steps to promote full implementation of HSPD-12. For example, in February 2011, OMB issued guidance emphasizing the importance of agencies using the electronic capabilities of PIV cards they issue to their employees, contractor personnel, and others who require access to federal facilities and information systems. The agencies in GAO's review--the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the National Aeronautics and Space Administration; and the Nuclear Regulatory Commission--have made mixed progress in implementing HSPD-12 requirements. Specifically, they have made substantial progress in conducting background investigations on employees and others and in issuing PIV cards, fair progress in using the electronic capabilities of the cards for access to federal facilities, and limited progress in using the electronic capabilities of the cards for access to federal information systems. In addition, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies. The mixed progress can be attributed to a number of obstacles agencies have faced in fully implementing HSPD-12 requirements. Specifically, several agencies reported logistical problems in issuing credentials to employees in remote locations, which can require costly and time-consuming travel. In addition, agencies have not always established effective mechanisms for tracking the issuance of credentials to federal contractor personnel--or for revoking those credentials and the access they provide when a contract ends. The mixed progress in using the electronic capabilities of PIV credentials for physical access to major facilities is a result, in part, of agencies not making it a priority to implement PIV-enabled physical access control systems at all of their major facilities. Similarly, a lack of prioritization has kept agencies from being able to require the use of PIV credentials to obtain access to federal computer systems (known as logical access), as has the lack of procedures for accommodating personnel who lack PIV credentials. According to agency officials, a lack of funding has also slowed the use of PIV credentials for both physical and logical access. Finally, the minimal progress in achieving interoperability among agencies is due in part to insufficient assurance that agencies can trust the credentials issued by other agencies. Without greater agency management commitment to achieving the objectives of HSPD-12, agencies are likely to continue to make mixed progress in using the full capabilities of the credentials. GAO is making recommendations to nine agencies, including OMB, to achieve greater implementation of PIV card capabilities. Seven of the nine agencies agreed with GAO's recommendations or discussed actions they were taking to address them; two agencies did not comment.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To ensure that PIV credentials are issued only to employees and contractor staff requiring them, the Secretary of Agriculture should take steps to identify which staff in the "other" category should receive PIV cards and establish procedures for handling such cases.

    Agency Affected: Department of Agriculture

    Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency Affected: Department of Agriculture

    Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards.

    Agency Affected: Department of Agriculture

    Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Agriculture should develop and implement procedures to allow employees who need to access multiple computers simultaneously to use the PIV card to access each computer.

    Agency Affected: Department of Agriculture

    Status: Open

    Comments: GAO is currently working with USDA to address this recommendation.

    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Commerce should establish controls, in addition to time frames for implementing a new tracking system, to ensure that PIV cards are revoked in a timely fashion.

    Agency Affected: Department of Commerce

    Status: Open

    Comments: The Department of Commerce has submitted documentation of its out-processing procedures, which include PIV-card revocation procedures; however, GAO has yet to receive timeframes for implementing a new PIV-card tracking system.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Commerce should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including time frames for deployment.

    Agency Affected: Department of Commerce

    Status: Open

    Comments: GAO is currently working with Commerce to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Commerce should ensure that plans for PIV-enabled logical access to the department's systems and networks are implemented in a timely manner.

    Agency Affected: Department of Commerce

    Status: Open

    Comments: GAO is currently working with Commerce to address this recommendation.

    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Homeland Security should establish specific time frames for implementing planned revisions to the department's tracking procedures, to ensure that PIV cards are revoked in a timely fashion.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: GAO is currently working with DHS to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Homeland Security should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and timeframes for deployment.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: GAO is currently working with DHS to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Homeland Security should ensure that plans for PIV-enabled logical access to the department's systems and networks are implemented in a timely manner.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: GAO is currently working with DHS to address this recommendation.

    Recommendation: To ensure that PIV cards do not remain in the possession of staff whose employment or contract with the federal government is over, the Secretary of Housing and Urban Development should develop and implement control procedures to ensure that PIV cards are revoked in a timely fashion.

    Agency Affected: Department of Housing and Urban Development

    Status: Open

    Comments: GAO is currently working with HUD to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Housing and Urban Development should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency Affected: Department of Housing and Urban Development

    Status: Open

    Comments: GAO is currently working with HUD to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Housing and Urban Development should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards.

    Agency Affected: Department of Housing and Urban Development

    Status: Open

    Comments: GAO is currently working with HUD to address this recommendation.

    Recommendation: To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of the Interior should make greater use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations.

    Agency Affected: Department of the Interior

    Status: Open

    Comments: GAO is currently working with Interior to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should develop specific implementation plans for enabling PIV-based access to the department's major facilities, including identifying necessary infrastructure upgrades and time frames for deployment.

    Agency Affected: Department of the Interior

    Status: Open

    Comments: GAO is currently working with Interior to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of the Interior should ensure that plans for PIV-enabled logical access to Interior's systems and networks are implemented in a timely manner.

    Agency Affected: Department of the Interior

    Status: Open

    Comments: GAO is currently working with Interior to address this recommendation.

    Recommendation: To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of Labor should make greater use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations.

    Agency Affected: Department of Labor

    Status: Open

    Comments: GAO is currently working with Labor to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that the department's plans for PIV-enabled physical access at major facilities are implemented in a timely manner.

    Agency Affected: Department of Labor

    Status: Open

    Comments: GAO is currently working with Labor to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal facilities, networks, and systems, the Secretary of Labor should ensure that plans for PIV-enabled logical access to Labor's systems and networks are implemented in a timely manner.

    Agency Affected: Department of Labor

    Status: Open

    Comments: GAO is currently working with Labor to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should require staff with PIV cards to use them to access systems and networks and develop and implement procedures for providing temporary access to staff who do not have PIV cards.

    Agency Affected: National Aeronautics and Space Administration

    Status: Open

    Comments: GAO is currently working with NASA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Administrator of NASA should develop and implement procedures for PIV-based logical access when using Apple Mac and mobile devices that do not rely on direct interfaces with PIV cards, which may be impractical.

    Agency Affected: National Aeronautics and Space Administration

    Status: Open

    Comments: GAO is currently working with NASA to address this recommendation.

    Recommendation: To meet the HSPD-12 program's objectives of using the electronic capabilities of PIV cards for access to federal networks and systems, the Chairman of the NRC should develop and implement procedures to allow staff who need to access multiple computers simultaneously to use the PIV card to access each computer.

    Agency Affected: Nuclear Regulatory Commission

    Status: Open

    Comments: GAO is currently working with NRC to address this recommendation.

    Recommendation: To address the challenge of promoting the interoperability of PIV cards across agencies by ensuring that agency HSPD-12 systems are trustworthy, the Director of OMB should require the establishment of a certification process, such as through audits by third parties, for validating agency implementations of PIV credentialing systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget

    Status: Open

    Comments: GAO is currently working with OMB to address this recommendation.

    Recommendation: To ensure that PIV credentials are issued to all employees and contractor staff requiring them, the Secretary of Homeland Security should make use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In September 2011, we reported that only 80 percent of DHS's workforce had been issued PIV cards as of March 2011. As a result, DHS had not fully implemented OMB's HSPD-12 requirements, which direct agencies to issue PIV cards to all personnel. To ensure that PIV credentials are issued to all employees and contractor staff requiring them, we recommended that the Secretary of Homeland Security make use of portable credentialing systems, such as mobile activation stations, to economically issue PIV credentials to staff in remote locations. In fiscal year 2012, DHS, in response to our recommendation, provided evidence that they leased portable credentialing systems that enable the remote issuance of new PIV cards. Specifically, in September 2011, DHS entered into a two year contract that gave DHS access to 50 portable PIV credentialing systems that will, according to the statement of work, enable DHS to issue PIV cards to approximately 250,000 additional employees and contractor staff. As of September 2012, DHS reported that all required PIV cards had been issued.

    Jul 22, 2014

    Jun 17, 2014

    Jun 11, 2014

    Jun 10, 2014

    May 28, 2014

    May 21, 2014

    May 12, 2014

    May 7, 2014

    Apr 30, 2014

    Looking for more? Browse all our products here