GSA Is Not Monitoring Data from Access Card Readers to Identify Risks to GSA Personnel and Federal Property

Why We Performed This Audit

GSA access cards are used to access GSA-managed facilities and information technology systems. On November 4, 2020, our office issued an audit report on GSA’s management of contract employee access cards that detailed findings related to the recovery and tracking of access cards. During the course of that audit, our office was informed that GSA personnel inappropriately shared their access cards with individuals who did not possess a valid credential of their own to give those individuals access to secured space. We included this audit in our Fiscal Year 2021 Audit Plan to determine if GSA is monitoring access card use for physical access to GSA-managed facilities in accordance with federal regulations, policies, and guidance.

What We Found

GSA is not monitoring access card data from GSA card readers to identify risks to GSA personnel and federal property. For the 2-year audit period ended February 28, 2022, data collected from access card readers in GSA-managed facilities showed 32,179 failed access attempts. Failed access attempts could be an indication of attempted unauthorized access to federal facilities and secured areas. Federal guidance on access cards and electronic physical access control systems recommends monitoring access card activity to assess the risk and determine if additional oversight is needed. However, we found that GSA is not actively using data collected from access card readers to identify and assess the risks to its personnel and federal property.

What We Recommend

We recommend that the GSA Administrator:

  1. Develop and implement procedures for monitoring access card data to identify repeated, failed access attempts that require follow-up.
  2. Use the access card data that is being collected to produce trend data to inform building security stakeholders of individuals with a significant number of failed attempts over a specified period of time.
  3. Create and disseminate guidance addressing how building security stakeholders should handle repeated, failed access attempts.

The GSA Administrator agreed with our recommendations and provided general comments on the timing of our audit. These comments did not affect our finding and conclusions. GSA’s written comments are included in their entirety in Appendix B.

Business Line: Public Buildings Service