January 19, 2021
Personnel Security Clearances and Badge Access Controls for Separated Employees
The Department of Energy uses security clearances and badges to control access to its sites and facilities. In 2004, the Homeland Security Presidential Directive-12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, directed Federal agencies to adopt a common identification standard for all employees and contractors. In an effort to comply with the mandate in HSPD‑12, the Department provides its Federal and contractor employees with Personal Identity Verification (PIV) cards, which serve as access authorization badges. PIV cards indicate the level of access to classified matter or Special Nuclear Material for which the holder may be eligible, hereafter referred to as a “security clearance.” PIV cards also allow employees to enter, occupy, or leave Departmental sites and facilities. Between October 2015 and May 2018, more than 10,000 Federal and contractor employees separated their employment association with the Department through retirement, resignation, removal, or death. This included over 2,000 individuals with security clearances.
The Office of Inspector General has issued several reports that identified weaknesses in the Department’s controls over security clearance terminations and badge retrievals for separated employees. These reports found that unauthorized individuals could gain access to Department facilities due to problems with the Department’s clearance and badging controls, such as not retrieving security badges from separated employees or removing security clearances of separated employees in a timely manner. Because establishing and maintaining adequate access controls is important, we initiated this audit to determine whether the Department terminated security clearance and PIV card access for separated employees in accordance with Federal regulations and Department policies.
We found that the Department had not always terminated security clearance and PIV card access for separated Federal and contractor employees, as required. Federal regulations, Departmental orders, and other guidance documents establish several required control procedures that are designed to prevent access to Department sites and facilities when Federal and contractor employees separate their association with the Department. These controls include updating the Department’s PIV card database in USAccess to reflect employee separations; recovering and destroying access PIV cards; and, where applicable, terminating separated employees’ security clearances.
The problems identified with updating USAccess, destroying badges, and terminating security clearances for separated employees can be attributed to the fact that current requirements do not clearly delineate responsibility and accountability for access authorization termination actions. In addition, current directives do not require a formal security out-processing procedure or outline enforcement measures. According to a Headquarters security official, the current structure of the overall process is not producing the results needed to ensure that necessary safeguards are in place for the notification, retrieval, and destruction of PIV cards for separated employees. For example, the program offices are not meeting a requirement to terminate the Department’s interest in an employee’s security clearance and to complete the security termination form within 4 working days of separation. While some of the data issues identified can be attributed to the deficiency in assignment of responsibility and authority, program officials also indicated that the information contained in identity management systems lacks standardization, which negatively affects access eliminations and other Department operations involving personnel information.
If clearances and PIV cards are not properly terminated, recovered, and destroyed, former employees may gain unauthorized access to Department buildings or information. Given the important role the Department plays in the Nation’s security posture, we made recommendations designed to improve the Department’s controls for terminating a security clearance and PIV card access for separated employees.
Management generally concurred with our recommendations and identified actions it would take to address them.
Topic: Management & Administration