The Personal Identity Verification (PIV) card is the Department’s foundation for securely identifying every individual seeking access to the Department of Transportation’s (DOT) secure facilities and information systems. Once contractor employees no longer need that access, DOT officials must promptly collect and deactivate their PIV cards. In fiscal years 2020 and 2021, just over 1,000 DOT service contracts—which may have granted contractor staff access to secure DOT facilities and information systems—came to an end. Given that most of these contracts ended during the COVID-19 pandemic when DOT employees were in a state of maximum telework, there is an elevated risk that prompt and appropriate PIV card collection and deactivation may not have occurred. Accordingly, DOT-OIG initiated this audit to assess DOT’s oversight of contractor employee PIV cards issued in connection with performance of agency contracts.
What We Found
DOT’s timely collection and deactivation of contractor employee PIV cards is compromised by fragmented processes and a lack of clear accountability. Counter to Federal and departmental procurement regulations and policies, DOT contracting officials do not always include required PIV card-related security clauses in contracts that grant contractor employees routine physical access to a federally controlled facility or information system. Without these required clauses in its contracts, DOT neglected to establish an important and legally enforceable accountability mechanism to help protect its secure facilities and systems. Further, DOT does not always promptly collect and deactivate contractor employee PIV cards as required, because it has not established clear accountability over this process. As a result, DOT is exposed to heightened security risks, potentially compromising the safety of its staff and achievement of its mission.
We made six recommendations to improve DOT’s collection and deactivation of contractor employee PIV cards. DOT concurred with all six recommendations and provided appropriate actions and completion dates. We consider all recommendations resolved but open pending completion of the planned actions.
No. 1 to OST
Verify that each OA has a documented process in place to confirm that required PIV card-related security clauses are included in all applicable DOT contracts prior to award.
No. 2 to OST
Establish, document, and implement a process for the Department to track contractor employees’ PIV cards and record the dates the cards are collected and deactivated.
No. 3 to OST
Designate in writing points of accountability for overseeing the entirety of contractor employee PIV card collection and deactivation processes.
No. 4 to OST
Update or supplement the DOT PIV Card Program Order to define “promptly” in all uses throughout the Order.
No. 5 to OST
Develop and implement required annual training for all staff involved in contractor employee PIV card processes and a procedure to verify the training has occurred. The training attendees should include all staff listed in the DOT PIV Card Program Order who could potentially be involved and anyone else an individual OA assigns to this task.
No. 6 to OST
Update or supplement the DOT PIV Card Program Order to address the deactivation process in all instances where PIV cards are no longer needed. This should include establishing the accountable officials as well as concrete metrics for when deactivation should occur, measured from when the card is no longer needed.