IG cites major flaws with Navy's vetting of contractors
Tuesday - 9/17/2013, 6:31pm EDT
The Navy Commercial Access Control System (NCACS) used a system known as Rapidgate — developed by a company called Eid Passport — to conduct background checks and manufacture security credentials for certain contractor personnel requiring access to Navy installations. However, the Defense Department Inspector General found the system failed to comply with federal standards and the background checks were conducted using only publicly accessible databases.
The security of Navy installations was thrown into the spotlight Monday after 34-year-old contractor Aaron Alexis entered the Washington Navy Yard that morning, where he shot and killed 12 people before he died in an exchange of gunfire with police. An Associated Press report, however, indicates that Alexis, a Navy veteran, had a higher-level "secret" clearance, and the system criticized by the DoD IG's office was not used to evaluate him.
Still, the internal report found issues with the system — including ineffective background checks — put Navy personnel, civilians and other contractors "at an increased security risk."
Under federal guidelines, government employees and contractors who require routine physical access to military installations for more than six months are required to undergo a comprehensive background investigation and be issued what's known as a Personal Identity Verification (PIV) credential.
However, Navy officials decided to issue PIV credentials only to those contractors requiring both physical access to Navy bases as well as access to Navy IT networks. Other contractors were eligible for the Rapidgate system.
The IG recommended the commander of Navy Installations Command discontinue the use of the Rapidgate system because of its reliance on public records to vet contractors.
"The results of the checks were subject to the reliability of the public records searched, which were not always up-to-date," the IG's report stated.
That allowed 52 convicted felons access to Navy installations for between 62 and more than 1,000 days. For example, one contractor employee, who was issued a Rapidgate credential in June 2009, had "unescorted access" to a base for 1,035 days before a renewal check in April 2012 turned up a felony conviction for conspiracy to distribute cocaine dating to 2000.
The Navy, however, disagreed with the IG's recommendation, stating that the Navy's current system meets federal standards. Discontinuing the current system would also mean "long lines at Navy access points, resulting in productivity loss for contractors doing business on Navy installations, and would require hiring additional civil servants to work in base pass offices," according to Navy comments included in the IG report.
The watchdog report also raises several questions about the contracting practices surrounding the Rapidgate system. Navy officials, including the Commander of the Navy Installations Command's chief information officer and the director of the command's anti-terrorism office, failed to properly account for the system's costs and sidestepped competitive contracting requirements. The report revealed that the company behind the Rapidgate system, Eid Passport, has been providing services to the Navy since November 2012 without a contract.