“The eight agencies we reviewed—the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the Nuclear Regulatory Commission; and the National Aeronautics and Space Administration—had generally completed background checks on most of their employees and contractors and established basic infrastructure, such as purchasing card readers. However, none of the agencies met OMB’s goal of issuing PIV cards by October 27, 2007, to all employees and contractor personnel who had been with the agency for 15 years or less. In addition, for the limited number of cards that had been issued, agencies generally had not been using the electronic authentication capabilities on the cards and had not developed implementation plans for those authentication mechanisms.”

The GAO recommends:

• “OMB establish realistic milestones for full implementation of the infrastructure needed to best use the electronic authentication capabilities of PIV cards in agencies.
• “OMB require each agency to develop a risk-based, detailed plan for implementing electronic capabilities.
• “OMB require agencies to align the acquisition of PIV cards with plans for implementing the cards’ electronic authentication capabilities. In response, OMB stated that HSPD-12 aligns with other information security programs. While OMB’s statement is correct, it would be more economical for agencies to time the acquisition of PIV cards to coincide with the implementation of the technical infrastructure necessary for enabling electronic authentication techniques. This approach has not been encouraged by OMB, which instead measures agencies primarily on how many cards they issue.”

Keep checking back with SecureIDNews for more information on the hearing.