GSA using facility-specific ID badges
Report finds badges that are ‘unsecure, unregulated’
09 August, 2016
category: Government, Smart Cards
The General Services Administration Office of Inspector General found that many GSA-operated facilities were issuing site-specific badges that were not secure and not compliant with HSPD-12 or FIPS 201.
During inspection visits to 14 GSA-managed facilities across four regions, investigators found 17 distinctly different building badges in use. The number of building badges in use at the 8,603 federal facilities managed by GSA was unknown because the agency did not track such data.
“This evaluation found that building badges are unsecure, unregulated, and in frequent use at GSA-managed facilities. The lack of internal controls over the issuance of building badges and the management of building badge systems significantly increases the security risk of unauthorized access. Unauthorized access to a federal facility increases the risk of a security event, such as an active shooter, terrorist attack, and theft of government property, as well as exposure of sensitive and proprietary information.”
Unlike PIV cards, which employ controls established by NIST, building badges are more susceptible to identity fraud, tampering, counterfeiting and exploitation, and they cannot be rapidly authenticated electronically. Many bar code, magnetic stripe and proximity cards can be copied, and the technology used to create them offers little or no authentication assurance. This is a serious security risk because some building badges provide unescorted and unscreened access to federal facilities, the report stated.
The GSA issues PIV cards to most employees and long-term contractors, but staff at some GSA-managed facilities also issue facility-specific building badges that are not FIPS 201 compliant. Despite their weaker controls, these badges may grant the same unrestricted access to the facility.
For example, the report found that three of GSA’s 11 regions permit exceptions to the PIV policy and do not issue PIV cards to certain types of contractors, such as those who do not require access to GSA IT systems. In such cases, GSA circumvents the policy that requires issuance of PIV cards to all long-term contractor employees by issuing non-PIV building badges.
The GSA Inspector General made recommendations based on its findings:
- For facilities where GSA is the sole or primary tenant, the agency should develop a policy to discontinue the issuance of local building badges to employees and contractors who are required to receive PIV cards.
- That policy should include an implementation and transition plan to retrieve and destroy GSA-issued local building badges.
- GSA should develop a secure solution for enabling physical access to GSA-managed facilities to those who are not required to receive PIV cards.
- If the Facility Security Committees of a building where GSA is not the sole or primary tenant decide to allow the use of building badges, GSA should not issue local building badges on behalf of tenant agencies.
The GSA responded to the recommendations saying that work was underway to get rid of the site-specific badges.