Weak Badge Security Puts Federal Facilities at Risk
A recent Washington Post article reviewed an Office of Inspector General (OIG) report from the General Services Administration (GSA). The report exposed serious vulnerabilities at federal facilities related to weak badge security protocols.
Stronger security protocols have been in place since 2004, when the U.S. government issued Homeland Security Presidential Directive 12 (HSPD-12). This directive mandates a federal standard for secure and reliable forms of identification. However, at some GSA facilities, employees and contractors can use either a PIV card or a building badge to access the facility. PIV cards employ strict controls established by the National Institute of Standards and Technology (NIST). Building badges, on the other hand, are more susceptible to identity fraud, tampering, counterfeiting, and exploitation.
Washington Post columnist Joe Davidson reported that after conducting on-site inspections at 14 GSA-managed facilities, the OIG “found serious security risks” because “building badges are unsecured, unregulated and in frequent use.”
Top security risks in the report related to weak badges include:
- “Contractor employees found to be ‘unfit’ as the result of unfavorable background investigations … had active building badges.”
- “Inactive contractor employees who had active building badges”
- “Building badges without expiration dates”
- “Staff who were inadequately trained on the issuance of building badges”
- “Building badge IT systems that were unsecure”
Security recommendations outlined in the report include:
1. At facilities where GSA is the sole or primary tenant, GSA should develop a policy to discontinue the issuance of local building badges to employees and contractor employees who are required to receive PIV cards.
2. GSA policy developed in response to recommendation #1 should include an implementation and transition plan to retrieve and destroy GSA-issued local building badges.
3. GSA should develop a secure solution for allowing physical access to GSA-managed facilities to those who are not required to receive PIV cards.
4. If the Facility Security Committees of facilities where GSA is not the sole or primary tenant decide to allow the use of building badges, GSA should not issue local building badges on behalf of tenant agencies.