NASA’s PIV project didn’t meet fed rules
03 June, 2009
category: Digital ID, Government
NASA’s Office of Inspector General released a report stating that the agency didn’t fully comply with federal regulations for the issuance of PIV credentials.
As of January, NASA had issued more than 70,000 credentials to staff and contractors, more than 98% of the PIV cards NASA planned to issue. The problem is the credential issuer had not been accredited because NASA did not fully comply with federal guidance.
If NASA’s PIV issuer reveals that the problems still exist, the agency could be required to stop issuing credentials and reissue other cards, at a minimum cost of $1 million.
“NASA’s noncompliance with Federal guidance resulted from the lack of a project management plan for the Agency’s transition to HSPD-12 compliant cards. For example, NASA did not establish an implementation office to plan and coordinate project integration until July 2006–two years after HSPD-12 was signed and three months before the deadline for agencies to begin issuing HSPD-12 compliant identity cards,” the report states.
NASA also didn’t comply with its policy on incorporating new requirements into ongoing projects, and it did not conduct a gap analysis to ensure that the ongoing common badging and access control projects incorporated HSPD-12 requirements. “In an effort to meet established deadlines, NASA implemented processes and systems that had not been adequately planned and, as a result, developed the system for producing PIV cards but did not complete the accreditation process for ensuring that the system subcomponents met Federal requirements for HSPD-12.”
There were also problems with the controls in the issuance process. NASA had one individual both sponsoring and authorizing employees’ PIV cards, going against federal requirements, the report states. This issue has been resolved, and two individuals are now performing this task.
There were also no audit trails put in place for the issuance process. “If the deficiencies identified are not corrected, the risk of NASA issuing PIV cards to individuals who have no legitimate need to access NASA’s facilities or systems could be increased.”