VA watchdog warns of security risks from undocumented PIV cards

A new report warns contracting officers at the Veterans Health Administration are failing to comply with agency and federal guidelines ensuring contractor personnel return personal identity verification (PIV) cards after employment.

PIV cards

The Veterans Health Administration (VHA) is at increased risk of security breaches because it's not following requirements about documenting personal identity verification cards returned by contract personnel, according to a new inspector general report.

According to the report, a review of 46 professional service and health care resource contracts by the Veterans Affairs Office of Inspector General found that not one had the proper documentation to prove the contractors' personnel had returned their access cards. The IG report published on Tuesday warned that "even if subsequently detected, it could be too late to stop harm in the facility or the misuse or distribution of veterans’ personal information."

Federal Acquisition Regulation guidelines require contracting officers to maintain documentation indicating former contract personnel return PIV cards allowing them access to VA facilities and information systems following their tenure with the agency. The VHA has its own policy also calling for PIV cards to be tracked.

The IG asked VHA to ensure contracting officers record documentation ensuring PIV cards have been returned. Other recommendations called on the agency to establish periodic reviews and new "specific supervisory responsibilities" for contracting officer oversight around the PIV process.

VHA's acting chief Richard Stone agreed with the overall findings but contended in his response to the IG report that it was not the responsible party to oversee PIV processes. According to VHA, revising the process of tracking PIV card issuance and return could involve many offices and agencies including VA's Office of Information and Technology and the Office of Acquisition, Logistics and Construction. VHA said the VA's Identity, Credential and Access Management Executive Steering Committee "can more thoroughly assess the need and develop an agency-wide approach."

Security concerns around agency failures to document PIV returns have been previously reported throughout government, including at the General Services Administration, which failed to account for 15,000 access cards, according to a 2020 IG report.