Review of Alleged Mismanagement of VA’s Personal Identity Verification Processes

The Office of Inspector General (OIG) conducted this review to determine the merits of allegations involving the mismanagement of the Personal Identity Verification (PIV) Program and related systems. In June 2015, we received a Hotline complaint alleging that VA’s Security and Investigations Center (SIC) was inappropriately permitting the issuance of PIV cards and VA network system access to individuals who did not have completed background investigations or adjudicated fingerprinting. SIC personnel process and adjudicate the background investigations for all moderate and high risk public trust and national security positions for Federal employees within VA. They also process all levels of investigation for contractors performing jobs and functions for VA. We determined that SIC personnel appropriately authorized the issuance of PIV cards in accordance with VA policies and procedures. More specifically, we did not find any instances where VA’s SIC was inappropriately authorizing the issuance of PIV cards and allowing VA network system access to individuals who did not have completed a Special Agreement Check (SAC) and a scheduled background investigation as required by VA policy. We reviewed VA local policies and procedures as they related to PIV card authorizations. To evaluate business processes and compliance with VA policies, we judgmentally selected 32 cases to sample from VA’s Security Manager system of record. The 32 cases included 25 individuals chosen randomly, six personnel who were SIC management, and one individual who was named in the complaint as having received a PIV card without meeting VA policy requirements. We observed SIC personnel accessing each of these cases in the system of record and reviewing the electronic records, SAC, background investigation dates, and any relevant comments associated with each case. We found that each case we reviewed met VA policy requirements for PIV card authorization. As a result, we concluded that SIC personnel appropriately authorized the issuance of PIV cards in accordance with VA policy. We did not substantiate the allegations of SIC’s mismanagement of the PIV Program and related systems. Additionally, we did not find any instances of improper processing of selected cases. Accordingly, we have no recommendations for improvement. Management concurred with our report and did not provide any comments.