DHS needs to make improvements to its HSPD-12 program, the government-wide system that gives employees and contractors access to facilities and systems, according to an OIG report.
The Homeland Security Program Directive 12 was introduced in 2004 to ensure that a secure and reliable form of identification was used to gain access to federally controlled facilities and information systems. It also called for mechanisms for authenticating employee identity and permissions at graduated levels of security, depending on the agency environment and the sensitivity of facilities and data accessed.
The OIG audited DHS’s progress in implementing HSPD-12 in 2007 and 2010, and this latest report set out to evaluate how much progress had been made since then. OIG found that many of the issues raised in these previous audits still present challenges today. It says that the agency is still struggling to implement processes such as terminating cards for contractors who no longer require access, and assigning risk levels or identifying existing mechanisms for securing owned or leased facilities. The report found that these issues arose because of insufficient guidance, funding, staffing and oversight compliance. OIG also found that although DHS components were reporting 99 percent compliance in implementing logical access controls on their unclassified information systems, this had not been independently verified.
The OIG concluded that DHS cannot ensure that only authorized personnel have access to its facilities and systems, which could result in loss, theft or misuse of sensitive information.
It recommends that the DHS Chief Security Officer implement a plan to terminate the PIV cards of contractors who no longer need access to DHS facilities and ensure that all access is removed after credentials are revoked. It also recommends that the DHS CSO implement a plan for all components to inventory their facilities, identify security levels and conduct valid and current risk assessments for information systems. Finally, the OIG recommends implementing a process for reporting on activities to meet HSPD-12 requirements.