The Department of Energy (DOE) Office of Inspectors General (OIG) dropped a scathing report in late-January 2021 following a comprehensive review of “Personnel Security Clearances and Badge Access Controls for Separated Employees.” The review was undertaken because the OIG “issued several reports that identified weaknesses in the Department’s [DoE] controls over security clearance terminations and badge retrievals for separated employees.” The OIG continued how these reports found that “unauthorized individuals could gain access to DOE facilities.”
The OIG highlighted how from October 2015 – May 2018, more than 10,000 contractors and federal employees separated from the DOE, of which 2,000 included individuals with security clearances. Not all of them were off-boarded appropriately.
DoE OIG findings are ugly
The DOE issues Personal Identity Verification (PIV) cards which serve as “access authorization badges.” The PIV also, according to the OIG, indicate the level of access to classified matter which may include Special Nuclear Material. The OIG also found during off-boarding, DOE did not “always terminate security clearance and PIV card access for separated federal and contractor employees, as required.”
It was not that process and procedures didn’t exist. They do. The processes were not followed due to the inconvenience factor.
The OIG checked the records from USAccess (GSA administered identity management system) and then the “2,703 separated federal and contractor employees at Headquarters and Albuquerque, New Mexico.”
What the OIG found, would make any Facility Security Officer shudder.
- 39% of separated employees’ PIV cards or employment statuses had not been updated in USAccess to reflect that the employee had separated and no longer required access to Department facilities and systems;
- 66% of separated employees’ PIV cards not marked as “destroyed” in USAccess were not retrieved and manually destroyed per destruction records reviewed; and
- 30% of separated federal and contractor employees’ security clearances were not terminated in accordance with agency requirements.
- Further, there were 4,326 additional separated federal and contractor employees that we did not evaluate because their names did not match records in USAccess.
One of the main impediments to processing terminated employees security clearances, according to the OIG, is largely due to there being “no Department directive requires a formal security out-processing procedure nor identifies what office or person should be held accountable if the clearance termination action is not timely. “
In layman’s terms, the cracks in the off-boarding were sufficiently large enough to allow a person to fall between them as evidenced by example provided in the OIG report.
At DOE headquarters, local security officers have no knowledge that an individual’s security clearance was terminated without a written notification. Furthermore, to save time and effort, security officers would batch process security clearance terminations. The batch processing sometimes took as much as 14 days post-departure.
While in the field, policy documents existed which integrated the off-boarding process and by and large, security clearances were terminated with 90 days.
OIG identifies the risk
The OIG pointedly detailed the risk which lack of timely processing of clearances and PIV presented to the national security of the United States.
- Former employees may gain unauthorized access physical access. For example, during the OIG audit, a former employee of the DOE not only successfully entered the headquarters building, but the employee also entered the restricted work space to which he had previously been assigned.
- Former employees may gain unauthorized online access. The OIG provides the example of a discharged employee using unrevoked credentials to access and disable DOE applications.
The DOE provides the complete report.