The Social Security Administration's Badge-Based Personnel Access Systems for Headquarters Buildings (Limited Distribution) (A-14-04-24011)

The objective of our audit was to determine whether the Social Security Administration's (SSA) use of a badge-based personnel access system effectively prevents unauthorized entry to key Headquarters buildings. Adequate controls over access to key SSA buildings decrease the risk that unauthorized individuals will enter those facilities and cause harm, obtain sensitive information, or use Government equipment.

Although Office of Facilities Management (OFM) is taking steps to establish an integrated database and wants to implement data matches with other SSA databases, our review found that SSA needs to strengthen controls over its badge-based personnel access systems to effectively prevent unauthorized access to key Headquarters buildings. Insufficient controls increase the risk of unauthorized access.

We recommended that SSA: (1) determine whether the risk of unauthorized access to non-National Computer Center buildings warrants the cost of electronic access. If so, consider electronic screening as a way to more effectively authorize entry to those buildings and to deactivate badges that are lost or cannot be retrieved from departing employees; (2) establish procedures to ensure that the badge database is updated timely with notice of personnel changes; (3) establish policy and procedures to ensure that OFM matches badge records to other SSA databases on a regular basis to guarantee the accuracy of access suitability, employment status and current employment location; (4) validate the employee or contractor's Social Security number when establishing a new record in the badge database, which will make matches with other databases more effective; (5) establish additional procedures to ensure that the badge access system is updated timely and badges are returned when an individual no longer requires access to an SSA facility; and (6) consider establishing badge expiration dates that are visible on the badge and procedures to have OFM periodically update the badge image along with other database information.

SSA agreed with our six recommendations and detailed specific steps to respond to them. The Agency has already initiated actions, or stated its intention to do so, to address each of our concerns. We appreciate the prompt actions taken and are confident that, when completed, they will improve SSA's security stature in regard to personnel access at the Headquarters complex.

This report contains information that is sensitive and confidential. For security reasons, distribution of this report was limited to those with a need to know.