It’s been years since PIV credentials were mandated but yet some government agencies still don’t have full issuance to employees. The U.S. Treasury Department released an audit stating that 15% of employees haven’t been issued credentials and the agency otherwise doesn’t have the system in place for employees to use the credentials.
The agency had set a goal for its bureaus to achieve 100% compliance by Fiscal Year 2015 but it’s likely not to happen until FY 2018 and that’s only if funding is made available. “The IRS has spent more than $110 million to implement HSPD-12 and has budgeted an additional $19 million for FY 2014. Even so, HSPD-12 project management officials cite the lack of sufficient funding and staffing as a main obstacle to completing full implementation of HSPD-12,” the report states.
On the physical access control side the IRS has implemented PIV system at 130 locations, 21% of facilities. The agency plans to upgrade systems at another 361 facilities at a cost of approximately $123 million and an additional six full-time employees. Some 134 locations will not be upgraded because they have a lower security level, may be consolidated or closed at some future date.
On the logical access side, only 5% of the workforce uses PIV for access. The agency notes several reason why more progress hasn’t been made on this front, from a contract with the union, the government shutdown in 2013, lack of solutions and systems that are incompatible with the PIV.
The agency is trying to remedy this however, and in April began a project embarked that would implement mandatory use of PIV card for access to the IRS network for more than 30,000 additional IRS network users. This effort will bring the total number of network users required to logon with their PIV cards to approximately 35,700 — 38% — by the end of FY 2014. As technological solutions are developed for incompatible technologies, mandatory PIV card logon will be enabled for additional network users.
Recommendations from the audit include:
- The Treasury’s chief technology officer should continue to provide oversight and drive implementation of HSPD-12 requirements while balancing resource demands to meet IRS objectives. To ensure full implementation of PIV card access to the IRS network and information systems, specific requirements, staffing, and scheduling should be identified and adequate funding requested to cover those needs
- Issue an IRS-wide memorandum reiterating the requirements for full adoption of PIV credentials for logical access to the IRS network and information systems
- Ensure that HSPD-12 compliant requirements are integrated in the IRS’s lifecycle management process to ensure that new and existing systems implement this requirement
The IRS agreed with the audit recommendations and has planned appropriate actions to address them. The IRS plans to continue to implement HSPD-12 compliant access control systems at facilities, identify and oversee funding needed to support full implementation, issue an memorandum reiterating the requirements for full adoption of PIV for access to IRS network and information systems, and ensure that HSPD-12 requirements are integrated into the IRS’s enterprise lifecycle development processes.