US military bases lack digital security oversight, audit finds
GAO report says most service branches not monitoring digital access to facilities
Most military service branches are not monitoring whether or how more than 100 of their installations are using digital security systems to control access to facilities, according to an audit made public Thursday.
The Government Accountability Office’s finding comes nearly 18 years after the Sept. 11 attacks, almost a decade after an armed assailant killed or wounded 45 people at Fort Hood in Texas and nearly six years after a gunman killed or wounded 16 people at the Washington Navy Yard.
[Racial terms have marred military forms]
The Pentagon requires that installations have so-called physical access controls. These digital security systems, known as PACS, scan credentials and match them with a personnel database. Such systems are a modern way for military commanders to know who is entitled to access their facilities without an escort — and who is not.
The fiscal 2018 defense authorization law required the GAO to examine the military’s use of the systems.
[DOD workers bought thousands of Chinese electronics vulnerable to hacks, spying]
The GAO filed an audit in May that examined the extent to which such controls are in use across the military and the current risks. What the auditors found is not known, because the Pentagon succeeded in keeping that report’s findings from public view on security grounds.
Thursday’s GAO report focused not on the extent to which scans are in use but on how the services are doing at monitoring their use, among other questions.
The Defense Department’s Office of the Under Secretary of Defense for Intelligence, or OUSD(I), is responsible for overseeing departmentwide facilities security. Joseph Kernan currently holds the job.
Kernan’s office has not required the services and defense agencies to monitor use of digital control systems — or lack thereof — at their installations, according to the audit.
The Air Force and the Defense Logistics Agency are doing so anyway, the report said. But the Army, Navy and Marine Corps — the services hardest hit by recent shootings — are not keeping track of what dozens of military installations are doing on this score.
“Because the Army, the Navy, and the Marine Corps do not monitor the use of PACS and because OUSD(I) does not require that they do so, those military services do not know the extent to which PACS are being used at more than 100 installations,” the GAO report said. “Consequently, the military services do not have the data they need to evaluate the effectiveness of PACS and inform risk-based decisions to safeguard personnel and mission-critical, high-value installation assets.”
In a letter included in the audit, Garry Reid, the Pentagon’s director for defense intelligence in the OUSD(I), wrote that Pentagon leaders concurred with the recommendations, including the requirement to monitor installations’ compliance with digital security mandates.
[jwp-video n=”1″]