May 24, 2023
Fragmented Processes Weaken DOT’s Accountability for Contractor Employee PIV Cards
What We Looked At
The Personal Identity Verification (PIV) card is the Department’s foundation for securely identifying every individual seeking access to the Department of Transportation’s (DOT) secure facilities and information systems. Once contractor employees no longer need that access, DOT officials must promptly collect and deactivate their PIV cards. In fiscal years 2020 and 2021, just over 1,000 DOT service contracts—which may have granted contractor staff access to secure DOT facilities and information systems—came to an end. Given that most of these contracts ended during the COVID-19 pandemic when DOT employees were in a state of maximum telework, there is an elevated risk that prompt and appropriate PIV card collection and deactivation may not have occurred. Accordingly, DOT-OIG initiated this audit to assess DOT’s oversight of contractor employee PIV cards issued in connection with performance of agency contracts.
What We Found
DOT’s timely collection and deactivation of contractor employee PIV cards is compromised by fragmented processes and a lack of clear accountability. Counter to Federal and departmental procurement regulations and policies, DOT contracting officials do not always include required PIV card-related security clauses in contracts that grant contractor employees routine physical access to a federally controlled facility or information system. Without these required clauses in its contracts, DOT neglected to establish an important and legally enforceable accountability mechanism to help protect its secure facilities and systems. Further, DOT does not always promptly collect and deactivate contractor employee PIV cards as required, because it has not established clear accountability over this process. As a result, DOT is exposed to heightened security risks, potentially compromising the safety of its staff and achievement of its mission.
We made six recommendations to improve DOT’s collection and deactivation of contractor employee PIV cards. DOT concurred with all six recommendations and provided appropriate actions and completion dates. We consider all recommendations resolved but open pending completion of the planned actions.