GSA is “mismanaging” the personal identity verification cards it issues to contractor employees, an IG audit has said, which “places GSA personnel, federal property, and data at risk.”
“GSA’s poor management and oversight of these cards raises significant security concerns because the cards can be used to gain unauthorized access to GSA buildings and information systems,” a report said.
It said that GSA annually issues some 14,500 such cards annually but “was unable to account” for some 15,000 total—of which nearly 11,000 still would allow access to buildings and IT systems—and did not collect more than half of the 445 cards issued to contractor employees who later failed their background checks.
Reasons included that GSA uses unreliable data to track and monitor PIV cards; that it does not have formal procedures for recovering cards from contract employees, “forcing GSA personnel to use a patchwork of inconsistent and largely ineffective methods for recovering the cards”; and that it “has not implemented the oversight needed” to ensure all PIV cards are recovered from contract employees.
It said management agreed with its recommendations to address those issues, adding that those steps still are needed even though there has been some improvement since the IG first issued a management alert on the subject in November of last year.