A report from the General Services Administration’s Office of Inspector General released last week revealed several physical information security concerns related to the agency’s open office space and management of devices and documents. GSA, however, said the vulnerabilities aren’t putting critical data and other sensitive information at as high a risk as the report might suggest.
One night in late July, GSA’s OIG Office of Forensic Auditing, Evaluation and Analysis performed a random inspection of the agency’s open-office headquarters in Washington, D.C. During the inspection, essentially playing the role of an intruder, the officers found physical weaknesses in GSA’s securing of sensitive information controlled under the Privacy and Trade Secret acts. Additionally, the inspectors easily accessed what the report called “highly pilferable government-furnished personal property.”
“The inspection found an unsecured HSPD-12 PIV card, sensitive contract files, architectural drawings marked ‘SENSITIVE BUT UNCLASSIFIED,’ unlocked file cabinets containing sensitive information, a combination code for a bay of personal lockers that was left directly on top of those lockers, and a door cipher lock combination taped to the back of the door,” the report states. “The inspection also found valuable property that was unsecured, including laptops and other electronics.”
GSA recently renovated its central offices and changed to an open office design with hoteled workspace, leaving many workers sharing desks rather than using a permanent space. Because of this, the agency instituted a locker system for employees to secure valuable items and documents when they leave the office to prevent thefts. According to the report, GSA has also held several workshops on crime prevention and security in the new environment.
Despite the prevention methods put in place, when the auditors entered the office, they easily found several items of interest. In cases where the items were not securable, they took them, leaving a note that said, “We identified unsecured sensitive information. Due to the sensitive nature of this information, we have taken possession of it to secure its privacy,” with contact information to retrieve them.
Items like an active HSPD-12 PIV card or a laptop could act as gateways to further information theft. The active PIV card “permits unrestricted physical access to the GSA Central Office building, and potentially any federal building,” the report says. As for the laptops, if a device’s security is breached, whoever holds it could possibly access the computer’s contents directly or reach GSA networks.
GSA spokeswoman Jackeline Stewart said while there have been actual issues of possible theft within the agency — five laptops have gone missing so far in 2014 — the agency is confident in its efforts to digitally secure the devices.
“While any loss or theft is unacceptable, this suggests that the problem is a manageable one,” Stewart said in a statement, referring to the five computers. “Additionally, the agency’s tech is equipped with security measures that minimize data security risk associated with leaving laptops unsecured. Laptops require two-layer authentication and hard-drives have 128-bit encryption. If lost or stolen, the network and hard-drive cannot be accessed. Mobile devices are loaded with software that enables GSA IT to wipe the devices within seconds of being reported lost or stolen. In essence, any information on stolen or lost laptops is virtually inaccessible.”
Stewart also said it is highly unlikely that any non-GSA person would access the open office space, because “[c]redentialed employees are the only individuals authorized to enter the building independently. All visitors will be required to be escorted by a GSA employee and will be given a temporary ID that will expire within one day of issuance.”
Nevertheless, GSA said it isn’t taking the inspection lightly. The agency will work with the IG to address the issues in the report, Stewart said, and has already begun developing a personal property course to reinforce the security protocol.