
Veterans Affairs Years Behind Smart Card Mandate

Only 9% of VA employees and contractors had been issued smart ID cards by June, an audit finds, two years after the compliance deadline for complete distribution.
Two years after a government-imposed deadline for compliance with an IT security mandate for federal agencies to issue identity credentials to employees and contractors, the Department of Veterans Affairs has only issued about 9% of the necessary smart cards to its workforce, the agency's assistant inspector general found in a newly released audit.

The requirements, part of Homeland Security Presidential Directive 12, signed by President Bush in 2004, aimed to protect government facilities and information networks by having agencies issue smart cards to all federal employees and contractors by October 2008. While VA is not alone in failing to meet that deadline, it's one of the worst laggards of all the federal agencies, and the farthest behind among major agencies.

Overall, 59% of federal employees and contractors have obtained their smart cards, but VA has fallen far behind because, the audit says, the agency failed to make the effort a priority, and then later failed to give a project management office tasked with issuing the cards the necessary resources and management tools.

As a result, the report says, the agency not only risks missing a deadline, imposed by VA's chief of staff, to finish credential issuance by October 2011; it also risks not finishing issuance of the estimated 741,000 cards it needs to fully comply with the directive until 2017. To meet the 2011 deadline, VA would have to increase its rate of issuance of the credentials six-fold, the report says.

Furthermore, the report says, the agency hasn't done a good enough job at testing the underlying systems in place to read and validate the cards. "If the PIV System is not load tested, certified and accredited, and other unaddressed system requirements are not defined and/or resolved, VA cannot ensure that system performance will be reliable and effective and meet the requirements of HSPD-12," the report says.

In fact, a number of system requirements have yet to be met. For example, the report says, the program lacks effective controls for safeguarding personally identifiable information, while the current system lacks the functional capability to interface with other systems to verify applicant information electronically, has yet to get required security certifications, and doesn’t create standard access reports that management could use to identify inappropriate access or attempts to access information or facilities. The report also notes that some smart card holders have been issued smart cards without undergoing the required routine background check.
