Tuesday, October 3, 2023

OIG Finds Access Security Weaknesses at the Department of Transportation

An Office of Inspector General (OIG) audit found that the Transportation Department’s management of secure access to facilities and systems has been exposed to vulnerabilities. 

The Department of Transportation (DOT) uses the Personal Identity Verification (PIV) card to securely identify every individual seeking access to DOT’s secure facilities and information systems. Each year, DOT awards billions in contracts and orders for services that support achievement of its mission. When necessary to execute a particular service, DOT officials must issue PIV cards to contractor employees, granting them access to secure, and sometimes sensitive, DOT facilities and information technology systems. Once contractor employees no longer need that access, DOT officials must promptly collect and deactivate their PIV cards.

Counter to federal and departmental procurement regulations and policies, OIG found that DOT contracting officials do not always include required PIV card-related security clauses in contracts that grant contractor employees routine physical access to a federally controlled facility or information system. In total, 27 of the 64 sample DOT contracts that OIG assessed did not include all the required clauses. Without these clauses, DOT neglected to establish an important and legally enforceable accountability mechanism to help protect its secure facilities and systems. 

In addition, OIG found that DOT does not always promptly collect and deactivate contractor employee PIV cards as required, because it has not established clear accountability over this process. As a result, the watchdog is concerned that DOT is exposed to heightened security risks, potentially compromising the safety of its staff and achievement of its mission.

Specifically, DOT did not collect and/or deactivate 294 (25 percent) of the 1,184 contractor employee PIV cards analyzed. Further, DOT officials did not collect 77 (7 percent) of the remaining contractor employee PIV cards in a timely manner. These 77 cards were collected anywhere from 1 to 646 days after the cards were no longer needed, and 56 of the cards were not deactivated until a time ranging from 1 to 598 days after the cards were no longer needed.

In fiscal years 2020 and 2021, just over 1,000 DOT service contracts — which may have granted contractor staff access to secure DOT facilities and information systems — came to an end. Given that most of these contracts ended during the COVID-19 pandemic when DOT employees were in a state of maximum telework, there is an elevated risk that prompt and appropriate PIV card collection and deactivation may not have occurred. 

In its report, OIG cites the 2014 example of a former DOT contractor employee who retained his PIV card during the 12 days between his transfer from a DOT facility in Illinois to one in Hawaii. Then he entered the Illinois facility and deliberately started a fire. In the process, he destroyed critical infrastructure equipment, disrupted the national transportation system for weeks, and cost the public over $350 million.

OIG said several factors have contributed to DOT’s contractor employee PIV card collection and deactivation issues. Primarily, DOT has not established clear accountability over its contractor employee PIV card collection and deactivation process. The Department’s PIV Card Program Order assigns the Office of Security overarching accountability for managing PIV card issuance policy, procedure, and standards. However, the Order does not establish overarching accountability for collection and deactivation. As such, OIG said DOT’s contractor employee PIV card collection and deactivation process is “fragmented and lacks clear accountability.”

Some DOT components are taking steps to address the shortcomings. Measures include documenting when a contractor employee is issued a PIV card and when that card expires; requiring a contractor employee to sign to certify that the PIV card was returned; developing a database to track when PIV cards are assigned to a contract employee, turned in, and deactivated; and introducing mandatory training.

To further reduce the chances of a repeat of the 2014 incident, OIG is making six recommendations:

  • Verify that each DOT component or operating administration (OA) has a documented process in place to confirm that required PIV card-related security clauses are included in all applicable DOT contracts prior to award.
  • Establish, document, and implement a process for the department to track contractor employees’ PIV cards and record the dates the cards are collected and deactivated. 
  • Designate in writing points of accountability for overseeing the entirety of contractor employee PIV card collection and deactivation processes. 
  • Update or supplement the DOT PIV Card Program Order to define “promptly” in all uses throughout the order.
  • Develop and implement required annual training for all staff involved in contractor employee PIV card processes and a procedure to verify the training has occurred. The training attendees should include all staff listed in the DOT PIV Card Program Order who could potentially be involved and anyone else an individual OA assigns to this task. 
  • Update or supplement the DOT PIV Card Program Order to address the deactivation process in all instances where PIV cards are no longer needed. This should include establishing the accountable officials as well as concrete metrics when deactivation should occur from when the card is no longer needed.

DOT has concurred with the recommendations.

Read the full report at OIG DOT

Kylie Bielby
Kylie Bielby has more than 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. Before joining GTSC's Homeland Security Today staff, she was an editor and contributor for Jane's, and a columnist and managing editor for security and counter-terror publications.
