Credentials used to access Veterans Affairs Department facilities and information systems were improperly issued due to missing procedures and significant control lapses in enrollment center operations, according to a VA Inspector General report (.pdf) published Sept. 30.

The department may have issued at least 147,000 personal identity verification credentials without cross-checking applicant information with terrorist databases or identity source documents, finds the OIG. What's more, VA issued at least 5,100 PIVs without background verifications and 5,600 credentials were issued by staff circumventing separation of duty control requirements, according to the report.

These deficiencies went unnoticed because VA "has not evaluated and certified that its PIV credentialing operations meet government-wide requirements," writes report author Belinda Finn, assistant inspector general for audits and evaluations.

Until corrective action is taken, Finn recommends VA halt credentialing operations. She estimates, as of June 2011, that VA will spend approximately $6.7 million to fix the problem and standardize VA PIV issuance procedures. The department concurred with Finn's seven recommendations for corrective action.

According to comments submitted by the VA assistant secretary for operations, security and preparedness, each recommendation will require a policy revision in order to address the problem. Updated policies are scheduled for release Oct. 15, according to OSP's written response. Many are currently pending review by the assistant secretary for OSP and general counsel, the document says.

For more:
- see the VA OIG report (.pdf) 

Related Articles:
Obstacles forestall HSPD-12 cards in logical access 
IG: SEC has 'deficiencies in nearly every aspect' of HSPD-12 implementation 
Audio: VA CIO Roger Baker's September IT report