
Report | Sept. 16, 2013

Navy Commercial Access Control System Did Not Effectively Mitigate Access Control Risks (Redacted)

DODIG-2013-134

Objective

We determined whether the Navy Commercial Access Control System (NCACS) was mitigating access control risks for Navy installations.

Findings

NCACS did not effectively mitigate access control risks associated with contractor installation access. This occurred because Commander, Navy Installations Command (CNIC) officials attempted to reduce access control costs. As a result, 52 convicted felons received routine, unauthorized installation access, placing military personnel, dependents, civilians, and installations at an increased security risk. Additionally, the CNIC N3 Antiterrorism office (N3AT) misrepresented NCACS costs. This occurred because CNIC N3AT did not perform a comprehensive business case analysis and issued policy that prevented transparent cost accounting of NCACS. As a result, the Navy cannot account for actual NCACS costs, and DoD Components located on Navy installations may be inadvertently absorbing NCACS costs. Furthermore, CNIC N3AT officials and the Naval District Washington Chief Information Officer circumvented competitive contracting requirements to implement NCACS. This occurred because CNIC N3AT did not have contracting authority. As a result, CNIC N3AT spent over $1.1 million in disallowable costs and lacked oversight of, and diminished legal recourse against, the NCACS service provider.

Recommendations

We recommend CNIC replace Rapidgate with a system that uses the mandatory databases and revise CNIC policy and guidance to align with Federal and DoD credentialing requirements. Furthermore, we recommend CNIC establish a process to identify and provide commanders with resources and capabilities to access required authoritative databases.

Additionally, we recommend the Director, Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness and Logistics), obtain an independent, comprehensive business case analysis of NCACS and determine future actions for contractor installation access. We also recommend the Director perform a review of CNIC N3AT officials and consider administrative actions, if appropriate. We also recommend the Assistant Secretary of the Navy (Research, Development, and Acquisition), review the inappropriate contracting practices and establish a corrective action plan.

Comments

Comments submitted for CNIC were nonresponsive regarding the recommendations to replace Rapidgate with a system that uses the mandatory databases, revise CNIC policy, and provide installations with resources to access the mandatory databases. The Director, Shore Readiness, Deputy Chief of Naval Operations (Fleet Readiness and Logistics), comments were generally responsive. However, the Director’s comments were partially responsive regarding the review of CNIC N3AT officials. Comments submitted for the Assistant Secretary of the Navy (Research, Development, and Acquisition) were responsive. We request management provide additional comments by October 18, 2013. See the Recommendations Table on the back of this page.

 

This report is a result of Project No. D2013-D000LC-0008.000.