U.S. Environmental Protection Agency
Office of Inspector General

At a Glance

08-P-0267
September 16, 2008

Catalyst for Improving the Environment

Why We Did This Review

The Office of Inspector General
performed this review in response
to an inquiry related to controls
over identification documents
used for issuing the new
U.S. Environmental Protection
Agency (EPA) Smartcard badges.
We performed this review as a
result of a specific incident.
We conducted a limited review of
EPA's policies and procedures
for processing identification
information collected, responding
to Smartcard badge incidents, and
handling of defective Smartcards.

Background

Homeland Security Presidential
Directive 12 established the
requirements for a common
standard for identifying
credentials issued by federal
departments and agencies to
federal employees and
contractors. EPA instituted the
EPA Personnel Access and
Security System (EPASS)
program to satisfy this Directive.
The program is part of EPA's
larger effort to create an
integrated system to safeguard
and manage workforce identity,
facility access, and computer
system access throughout EPA.
For further information,
contact our Office of
Congressional and Public Liaison
at (202) 566-2391.

To view the full report, click on the
following link:
www.epa.gov/oig/reports/2008/20080916-08-P-0267.pdf

Identification Proofing, Incident Handling, and Badge
Disposal Procedures Needed for EPA's Smartcard Program

What We Found

Although EPA developed detailed procedures to guide the EPASS staff's issuance
of new Smartcard identification (ID) badges, an employee error in using the new ID
card system resulted in an EPA employee having ID documents and other
identifying information incorrectly associated with another EPA employee.  An
EPASS employee incorrectly accessed the wrong employee's computer record,
scanned the ID documents for the employee requesting the Smartcard, then
associated the scanned documents with the incorrectly accessed computer record.
Also, EPA's procedures for issuing ID cards lacked a vital step required by federal
guidance. In particular, EPA procedures did not require EPASS staff to visually
inspect ID documents and compare them against the individual requesting the
Smartcard and the name on the accessed computer record.

Although we did not discover more than one incident, we found that EPA lacks
procedures to ensure employees take steps to correct similar incidents when they
occur. Further, EPA lacks procedures for handling and disposing of defective
Smartcard badges that contain personally identifiable information. According to
Security Management Division managers, documenting procedures has been
delayed because management attention has been focused on meeting the Office of
Management and Budget deadline to roll out the EPASS program.

Authenticating an individual's identity is a critical factor for controlling physical
and logical access to EPA resources.  Without taking immediate steps to correct the
weaknesses noted, doubts will exist over whether EPA has the ability to become a
trusted agent for verifying ID credentials as federal agencies integrate their
Smartcard programs.

What We Recommend

We recommend that the Director, Security Management Division, Office of
Administration and Resources Management:

   •   Update existing identification card issuing procedures to ensure the
       procedures include all mandatory steps.
   •   Create incident-handling procedures to be used by EPASS program staff
       when errors in the ID card issuing process occur.
   •   Create and implement procedures for proper handling and disposal of
       defective ID badges.

The Agency agreed to implement our recommendations, and we consider the
actions planned to be satisfactory.
