15 July, 2008
An audit by the U.S. Department of Defense’s Inspector General’s office shows that the agency is not complying the HSPD-12 and FIPS 201. The White House Office of Management and Budget and the President’s Council on Integrity and Efficiency requested the audit.
The report shows that the DOD is lacking in six specific areas with its credentialing project. These include:
Failing to meet government-wide milestones for completing background checks.
Staff at stations that issue the Common Access Card cannot electronically verify whether card applicants have initiated or completed a National Agency Check with Written Inquiries.
DOD displays full Social Security number on the Geneva Conventions credential, increasing the risk of identity theft.
Purchasing equipment that is not compliant with HSPD-12.
Using bar code technology on the Defense Biometric Identification System credential that is not equivalent to mandatory HSPD-12 security features.
DOD’s current PIV credential does not meet interoperability requirements.
The Inspector General recommends that the DOD issue HSPD-12 implementation guidance within 90 days; revise and update DOD Directives and Instructions to incorporate FIPS requirements; and submit proposed end-state PIV credential to GSA for conformance testing.
The Inspector General is requesting comments on the final report by July 30, 2008.
The full 90-page report can be downloaded here.