NASA may have to reissue more than 70,000 smart cards that have been provided to NASA employees over the past three years due to security concerns.
Prior to the Homeland Security Presidential Directive 12 (HSPD-12) mandate for a Personal Identity Verification (PIV) card, NASA was in the process of deploying their own common badging and access control system (CBACS) - as were a number of other agencies. However, according to a report filed by NASA’s Inspector General, they did not follow federal guidelines for insuring the proper transition and oversight from their own card implementation to the new PIV standards.
Although the Inspector General’s office did not find that any cards had been distributed to individuals with inappropriate access, it leaves the door open for that possibility.
At the heart of the issue is this:
“While NASA properly assessed the PIV card issuer for satisfaction of Federal requirements at both organization and facility levels, found deficiencies, and developed a corrective action plan in accordance with Federal guidance, the Agency did not monitor corrective actions to ensure that identified deficiencies were corrected nor initiate timely reassessment. If the reassessment of the PIV card issuer reveals that significant deficiencies continue to exist and those deficiencies affect the integrity of the PIV cards, NASA could be required to discontinue PIV card issuer operations and reissue its PIV cards, which we estimate could cost a minimum of $1 million.”
Ouch. And the audit did not even include Jet Propulsion Laboratories due to their own PIV issues.
Ultimately, if the Inspector General’s office is able to confirm that the credential provider’s failings persisted after NASA’s knowledge of them AND if it resulted in any inappropriate issuance – 98% of NASA’s employees will have to undergo the badging process again.
For the Inspector General’s full report, click here