DHS Lags on Deactivating Access for Former Employees, Contractors
Former employees and contractors at the Department of Homeland Security (DHS) are sometimes keeping access to their personal identity verification (PIV) card and/or security clearances, renewing concerns about the department’s security protocols. This is according to a new report from the DHS Office of Inspector General (OIG). The report states that “without effective PIV card and security clearance management and monitoring, DHS cannot ensure only authorized individuals have access to its controlled systems and facilities.”
The allegations are not new. Previous audits in 2007, 2010, and 2018 also found weaknesses in DHS PIV card collection, revocation, destruction, and management oversight.
The new report finds that “many of the issues we previously reported remain” and that the exact magnitude of the problem is unclear because of incomplete information in DHS systems.
There are concerns over the PIV cards, which include a photo of the cardholder, the sponsoring agency and an embedded chip that allows cardholders to “access secured areas and information systems.” The cards can remain active for up to six years.
The report found that “DHS has not prioritized ensuring that PIV cards are terminated when individuals no longer require access.”
DHS requires separated employees and separated contractors to have access privileges terminated immediately. The DHS PCI Operations Plan calls for it to be done within 18 hours.
The audit looked at 137,375 cardholders who separated from DHS from FY 2018 to FY 2021. It found that just 51 percent of cards were revoked within the recommended 18 hours. Twenty-two percent were revoked late, and 27 percent may not have been revoked at all.
The OIG report says, “DHS did not have an adequate mechanism to ensure managers promptly notified security officials when cardholders separated from the Department.”
In addition, the report cited concerns about DHS managers properly recording the separations in personnel management systems.
While DHS disagreed with OIG over the exact numbers, it did admit that thousands of PIV cards that should have been revoked were not.
According to DHS policy, PIV cards are supposed to be destroyed with 90 days of personnel separation. OIG found that those numbers lagged as well. Out of the 137,375 analyzed 44 percent may not have been destroyed within the 90-day timeframe. The report cites incomplete data for not knowing the status and the authors write they “could not determine the severity of the security risks raised by the PIV cards that remain unaccounted for.”
DHS admits some of the cards were not destroyed but continued to dispute the exact numbers.
As for security clearances, the report found that 54 percent of individuals may not have had their security clearances revoked at all. Over 53,000 security clearances of former employees and contractors were classified as unknown due to missing data.
OIG issued six recommendations to improve the process of deboarding employees and minimizing security risks.
DHS concurred with the recommendations and expects to meet them by February 2024.