The Office of Inspector General (OIG) says the Department of Homeland Security (DHS) cannot ensure only authorized employees and contractors have access to its controlled systems and facilities.
OIG found that DHS did not always terminate personal identity verification (PIV) card access or withdraw security clearances for separated employees and contractors in accordance with Federal regulations and Department policies.
DHS uses PIV cards and security clearances to control access to its systems and facilities. The Department considers PIV cards, which can remain active for up to six years, to be sensitive and high-value items with grave potential for misuse if lost, stolen, or compromised.
OIG previously identified weaknesses in DHS’ controls over PIV card collection, revocation, destruction, and management oversight in 2018. Many of the issues the watchdog reported then remain, and further work is required to improve and enhance processes. Specifically, DHS has not prioritized ensuring that PIV cards are terminated when individuals no longer require access. OIG determined that, in thousands of cases, DHS did not promptly revoke PIV card access privileges or destroy PIV cards of individuals who separated from the Department. In addition, DHS did not always promptly withdraw security clearances of individuals who separated from DHS.
OIG said it was unable to determine the exact magnitude of the problem because records in DHS’ information systems were incomplete. The watchdog attributed the issues to weaknesses in the management and monitoring of DHS’s electronic systems of record and failing to ensure that DHS officials followed offboarding processes.
DHS officials acknowledged that thousands of PIV cards that should have been revoked were not, and also that thousands of cards were not destroyed in a timely manner, but disagreed with OIG over the exact numbers.
The watchdog has made six recommendations to DHS following its investigation:
- Clarify policies and procedures to require managers to notify security officials to revoke personal identity verification cards and withdraw security clearances within a specific timeframe after individuals separate from DHS.
- Strengthen internal processes to ensure accountability and oversight for all personal identity verification cards that are collected and destroyed when individuals separate from DHS. Implement additional controls to ensure personal identity verification card revocation and card destruction are completed and recorded when individuals separate from DHS.
- Implement controls to ensure DHS officials record security clearance withdrawal dates in the Integrated Security Management System when individuals separate from DHS.
- Develop and implement a solution to verify and validate the personal identity verification card access termination process across the Department and a mechanism to monitor its effectiveness.
- Develop and implement a solution to verify and validate the security clearance withdrawal process across DHS and a mechanism to monitor its effectiveness.
DHS concurred with each recommendation and expects to complete work to meet these by February 2024, and will issue updated policies by December 2024. For example, DHS is currently pursuing technological improvements to verify and validate the PIV card access termination process across the Department, as well as a mechanism to monitor effectiveness. In the interim, DHS is implementing the DHS PACS Connector, which will automate the process of revoking facility access privileges across the Department when a PIV card is deactivated in the Identity Management System (IDMS). The Federal Emergency Management Agency, U.S. Immigration and Customs Enforcement, the Transportation Security Administration’s HQ, and the DHS HQ’s St. Elizabeth’s campus are tentatively scheduled to transition to the PACS Connector during FY 2023. All other DHS components and facilities will begin the transition in FY 2024.
