Data collected from access card readers in 132 GSA-managed facilities showed more than 32,000 failed access attempts over two years, with potential security implications. Image: Teerasan Phutthigorn/Shutterstock.com
By: FEDweek StaffFailed attempts to use access cards in buildings under GSA control “could be an indication of attempted unauthorized access to federal facilities and secured areas” yet the GSA is not actively using data from card readers to identify and assess risks to federal employees and property, an inspector general report has said.
It said that over the two years ending last February, data collected from access card readers in 132 GSA-managed facilities with such readers showed more than 32,000 failed access attempts. That included six buildings with more than 1,000, one of which had more than 4,100.
“These failed access attempts may have potential security implications. Eight of the top 10 buildings with the most failed access attempts contain child-care facilities or security-sensitive agencies, such as the Federal Bureau of Investigation, U.S. Social Security Administration, and U.S. Department of Homeland Security. The safety and security of the tenants and children in these buildings are a major concern,” it said.
“Unauthorized access to federal facilities increases the risk of a security event such as an active shooter, terrorist attack, theft of government property, or exposure of sensitive information,” it said.
While in some cases a failed attempt might involve a mere mistake, it said, 200 users had at least 25 failed attempts in that period including one who had nearly 2,000.
It added that guidance on access cards and electronic physical access control systems recommends monitoring access card activity to assess the risk and determine if additional oversight is needed. However, it found that the GSA is not conducting its own reviews, it does not consistently provide the most useful data to local building security officials, and it has not issued written guidance to building managers on how to use card reader data to identify high-risk activity or individuals.
The IG said it conducted the report in light of prior reports finding that the GSA does not consistently collect and destroy inactive cards for contractor employees nor keep complete records on them.
It said that GSA management agreed with recommendations to establish procedures to monitor access card data to identify repeated failed attempts; use data to inform building security officials of individuals with a significant number of failed attempts over a defined time; and instruct those officials on responding to repeated failed attempts.
