Department of Insecurity: Feds failed to collect thousands of security cards from ex-employees
Failure leaves key systems and buildings vulnerable after DHS did not heed warnings for years, watchdog says.
While it was dabbling with disinformation offices and censorship projects, the Homeland Security Department failed to follow its most basic safety procedures and terminate the security credentials for thousands of its ex-employees, its internal watchdog disclosed in a stinging report Thursday that rebuked years of inaction.
The revelation from the DHS inspector general means that the federal agency charged with protecting America from cyber and terrorist attacks left its own system vulnerable to security breaches by failing to terminate personal identity verification (PIV) card access or withdraw security clearances.
"There is a risk that individuals who no longer require access to systems and facilities could circumvent controls and enter DHS buildings and controlled areas," the watchdog warned.
The glaring failures violated federal regulations and department policies and did not markedly improve even after the agency was warned in 2018 about the problems, the inspector general reported.
"DHS has not prioritized ensuring that PIV cards are terminated when individuals no longer require access," the report said.
"We determined that, in thousands of cases, DHS did not promptly revoke PIV card access privileges or destroy PIV cards of individuals who separated from the Department.
"In addition, DHS did not always promptly withdraw security clearances of individuals who separated from DHS. Unfortunately, we could not determine the exact magnitude of the problem because records in DHS' information systems were incomplete."
The failure to follow procedures means that the department "cannot ensure only authorized employees and contractors have access to its controlled systems and facilities," the watchdog concluded.
The report estimated that between 22,878 and 36,774 PIVs had not been terminated when workers left.
The report made a half dozen recommendations for DHS to improve the situation before a security breach occurs.
The department said Thursday it agrees with all of the inspector general recommendations and is working to implement them.
The watchdog, however, raised concerns that the agency did not heed warnings four years ago that this problem existed.
"In 2018, the DHS Office of Inspector General identified weaknesses in DHS' controls over PIV card collection, revocation, destruction, and management oversight," the report noted. "In that audit, we determined that unauthorized individuals could gain access to Department facilities because DHS did not promptly collect, and revoke separated individuals' PIV cards."