GSA put data at risk mishandling 15,000 contract employee access cards

The agency couldn't account for about 15,000 cards, according to auditors.
Close-up Of Hand Businessman Using Keycard To Open Door.

The General Services Administration put its data at risk by mishandling contract employee access cards, according to an audit released Wednesday by its Office of Inspector General.

The OIG’s report says the agency was unable to account for about 15,000 personal identity verification (PIV) cards issued to contract employees and failed to recover 445 such cards from those who failed their background checks. The audit was performed because OIG had lingering concerns from a 2016 evaluation about how GSA collects and destroys PIV cards. About 14,500 are issued annually to workers supporting federal programs and operations.

“GSA’s poor management and oversight of these cards raises significant security concerns because the cards can be used to gain unauthorized access to GSA buildings and information systems, placing GSA personnel, federal property, and data at risk,” reads the report.

GSA uses unreliable data to track PIV cards and lacks recovery procedures for contract employees, as well as proper oversight, according to OIG.


Auditors recommended outstanding PIV cards be recovered by updating GSA Credential and Identity Management System records, terminating and collecting cards no longer needed by former contract employees, and reporting cardholders who can’t be contacted to the Department of Homeland Security for unauthorized possession.

OIG further recommended a new policy for PIV card accounting be implemented beginning with establishing procedures for lost, stolen and non-returned cards like withholding final payment. GSA’s Credential and Identity Management System should report results to officials, PIV card managers should be trained and DHS partnered with on emergency procedures. The Office of Mission Assurance should help oversee these efforts.

GSA Deputy Administrator Allison Brigati responded to OIG’s November 2019 alert about the audit stating OMA was contacting requesting officials to ensure they recover PIV cards from contract employees no longer working on active contracts.

“While these are positive steps, GSA needs to address the issues identified in our report that
have allowed for so many unaccounted-for PIV cards and unrecovered cards from ineligible
cardholders,” reads the report.

Latest Podcasts