GSA failed to monitor PIV access card data effectively says watchdog
The General Services Administration could do a better job of monitoring data from personal identity verification access card reader systems at the facilities it manages on behalf of the federal government, the agency’s inspector general found in an audit.
Over the course of a two-year period that ended in February 2022, there were 32,179 failed attempts to access GSA-managed facilities through physical access control systems, the IG found in its audit, the results of which were published Tuesday. But based on its investigation, the inspector general found GSA was lax about using that data to inform how it identified, assessed and managed physical risks to those buildings, as recommended by federal guidance.
It’s not uncommon for PIV cardholders to be denied entry to a physical building, particularly if their card is expired or disabled. Cardholders are often also denied entry after attempting to access an area they don’t have permission to visit or when trying to visit outside of permitted hours.
But upon extrapolating the data, some startling trends appeared: One building had 4,164 failed access attempts over the two years whereas the average during that time was 244; and one cardholder had 1,963 failed access attempts compared to an average of two for nearly all others.
“These failed access attempts may have potential security implications,” the IG wrote in its report. Eight of the top 10 buildings with the most failed access attempts contain child-care facilities or security-sensitive agencies, such as the Federal Bureau of Investigation, U.S. Social Security Administration, and U.S. Department of Homeland Security. The safety and security of the tenants and children in these buildings are a major concern.”
Based on that, the IG reached out to GSA leadership — which admitted to not reviewing the data — and a sample of federal facilities managers to investigate how often they received data or trends about those failed access attempts. According to the watchdog, of the 15 managers contacted, eight did not receive data regularly, and the rest were only sent data about the previous day.
“The building managers do not receive any kind of trend analysis of the access card data, which could be used to identify suspicious access attempts,” the report explains. “Access card data can be filtered to show records by building, door, region, date, individual, or event type. With this capability, it is possible to highlight higher-risk scenarios and show trends, such as an unauthorized cardholder repeatedly attempting to gain access to secured areas or an unauthorized cardholder who is repeatedly attempting to gain access to a facility outside of regular operating hours.”
GSA agreed to all of the IG’s recommendations to take action to improve its use of physical access control system data. It did, however, note that the rejection rate was expected to be higher during this period because of the COVID-19 pandemic when many PIV cards expired and credentialing stations were closed. But, in the case of individuals or buildings with a high number of failed attempts, GSA said it agreed with the IG to better monitor access card data to identify trends that may need follow-up.
Tuesday’s report comes after the GSA IG in November 2020 issued similarly critical results of an audit that found the agency was unable to account for about 15,000 PIV cards issued to contract employees and failed to recover 445 such cards from those who failed background checks.