GSA Could Be Vulnerable to Security Threats From ‘Trusted Insiders’

The General Services Administration needs to bolster its efforts to protect against insider threats from current and recently separated employees, a watchdog reported on Wednesday. 

The GSA inspector general reviewed the agency’s processes to thwart harmful actions from “trusted insiders” to its personnel, facilities, operations and resources. GSA has about 12,000 employees throughout its central office, Federal Acquisition Service, Public Buildings Service, Office of Governmentwide Policy, 11 national staff offices, 11 regional offices and two independent offices. An October 2011 executive order and subsequent policy from November 2012 laid out requirements for agencies’ insider threat programs. In 2014, GSA established its own program (a two-person team that reports to the senior designated official who is the associate administrator of GSA’s Office of Mission Assurance) and in 2017 the National Insider Threat Task Force certified it met the minimum standards. However, the inspector general found some areas of concern since then. 

“We found that GSA’s [insider threat program] does not consistently collaborate with other GSA staff offices to gather key threat information proactively and does not communicate insider threat risks and program challenges to the GSA administrator as required,” said the report. “Instead, the [program] senior designated official has taken a reactive approach that leaves GSA susceptible to insider threats.” 

Another issue was that after the National Insider Threat Task Force deemed GSA’s insider threat program was at full operational capacity in November 2017, GSA’s insider threat working group disbanded because staff thought it was no longer needed. The group had members from the Office of Human Resources Management, Office of GSA IT, Office of the Chief Financial Officer and Office of Mission Assurance. 

The disbandment “violated GSA policy” and “eliminated the [program’s] only established means of formal collaboration with GSA’s staff offices,” said the report. 

“For example, the [program] was unaware of termination proposals for employees whose misconduct posed significant insider threat risks,” said the IG. “These employees faced termination for: sexually harassing employees; threatening to kill their supervisor and harm co-workers; making false claims about their past criminal record to gain employment; and altering official purchase documents.”

In addition the National Insider Threat Task Force said monitoring and preventing insider threats in relation to separated or terminated employees was a best practice, yet GSA’s program was “ineffective and is compounded by GSA’s failure to consistently deactivate IT accounts for these employees and to recover and destroy their [personal identity verification] cards,” said the IG. 

As a result of its review, the watchdog recommended that agency leadership take action to bolster cross-agency communication and collaboration with the insider threat program as well as increase its oversight of the separation and termination process for employees to ensure the program is aware of any potential risks. 

Katy Kale, acting GSA administrator, said the agency agrees with the recommendations. She also noted that although the working group was disbanded, “collaboration has taken place on a routine, but informal basis” and stressed the importance of this issue at the agency. The investigation spanned October 2018 to August 2020, which was during the Trump administration. 

Also during the Trump era, GSA came under fire for hampering the watchdog’s efforts to oversee COVID-19-related activities. GSA “established a centralized review and approval process of all [Office of Inspector General] audit inquiries that has compromised the integrity of information provided by GSA personnel,” said an IG report issued last month. “This process has caused frequent and unnecessary delay, and likely has had a chilling effect on [Public Building Service] employee responses.”