Dark Reading is part of the Informa Tech Division of Informa PLC


10/5/2010
03:44 PM

Veterans Affairs Years Behind Smart Card Mandate

Only 9% of VA employees and contractors had been issued smart ID cards by June, an audit finds, two years after the compliance deadline for complete distribution.

Two years after the government-imposed deadline for federal agencies to issue identity credentials to employees and contractors under an IT security mandate, the Department of Veterans Affairs has issued only about 9% of the necessary smart cards to its workforce, the agency's assistant inspector general found in a newly released audit.

The requirements, part of Homeland Security Presidential Directive 12, signed by President Bush in 2004, aimed to protect government facilities and information networks by having agencies issue smart cards to all federal employees and contractors by October 2008. While VA is not alone in failing to meet that deadline, it's one of the worst laggards of all the federal agencies, and the farthest behind among major agencies.

Overall, 59% of federal employees and contractors have obtained their smart cards. VA has fallen far behind, the audit says, because the agency failed to make the effort a priority and later failed to give the project management office tasked with issuing the cards the necessary resources and management tools.

As a result, the report says, the agency risks more than missing the October 2011 deadline that VA's chief of staff set for finishing credential issuance: it may not finish issuing the estimated 741,000 cards needed to fully comply with the directive until 2017. To meet the 2011 deadline, VA would have to increase its rate of credential issuance six-fold, the report says.

Furthermore, the report says, the agency hasn't done a good enough job of testing the underlying systems that read and validate the cards. "If the PIV System is not load tested, certified and accredited, and other unaddressed system requirements are not defined and/or resolved, VA cannot ensure that system performance will be reliable and effective and meet the requirements of HSPD-12," the report says.

In fact, a number of system requirements have yet to be met. For example, the report says, the program lacks effective controls for safeguarding personally identifiable information. The current system also lacks the functional capability to interface with other systems to verify applicant information electronically, has yet to get required security certifications, and doesn't create standard access reports that management could use to identify inappropriate access or attempts to access information or facilities. The report also notes that some holders have been issued smart cards without undergoing the required routine background check.
