Stephen D. Dingbaum
Assistant Inspector General for Audits
An Office of the Inspector General audit of the NRC’s Personal Identity Verification card access system is now available. The audit set out to determine whether the NRC’s PIV card access system met its operational requirements, and to assess the effectiveness of coordination among offices with a role in securing NRC’s physical access.
The PIV card is an ID card issued by a federal agency. It contains information unique to each employee and contractor. The card’s main function is to protect and to strengthen the security of personnel information and physical access to secured areas. The NRC uses the card to control access at its headquarters and regional offices.
The OIG found that the agency’s PIV card access system met its requirements, and there is some coordination among offices with a role in securing NRC’s physical access. However, opportunities exist to strengthen processes to ensure more PIV cards are retrieved when employees leave service. Opportunities also exist to establish a uniform and effective way for security officials to be notified of changes to contractor and employee access for restricted areas.
The audit found that PIV cards for terminated contractors and employees are not always retrieved, and that retrieval procedures have not been established. The OIG identified that of 1,452 terminated PIV cards over a 22-month period (January 2014 through November 2015), about one third were not collected from the personnel. As a result, there is a risk of unauthorized physical access to NRC and other federal facilities.
In addition, the OIG found, the NRC is not always notified of changes in staff/contractor access rights for restricted areas. Consequently, the potential exists for unauthorized access into a restricted area by personnel who should no longer have access.
The report makes seven recommendations to improve the system, reduce physical security risk across the agency, and ensure continued compliance with federal regulations and guidance.
NRC management stated their general agreement with the audit findings and recommendations.