Nov. 9, 2015 —
We determined whether the identified Navy installations implemented the agreed upon corrective actions for Recommendations A.1 and A.3 of DoDIG Report No. DODIG 2013-134, “Navy Commercial Access Control System Did Not Effectively Mitigate Access Control Risks.” Specifically, we determined whether selected Navy installations obtained access to the National Crime Information Center (NCIC) and Terrorist Screening databases, conducted checks of contractor personnel enrolled in the Navy Commercial Access Control System before issuing installation passes, and whether these actions corrected the identified problems.
The Commander, Navy Installations Command (CNIC) provided vetting capability to access NCIC as agreed to in Recommendation A.3. However, Navy officials did not properly access NCIC when vetting Navy Commercial Access Control System (NCACS) applicants as agreed to in Recommendation A.1. Specifically, our July 2014 statistical sample results from 945 applicants showed:
- 85 were properly vetted (verified) through NCIC;
- 837 were vetted through Interstate Identification Index (Triple-I); and
- 52 were not vetted through NCIC or Triple-I.
This occurred because CNIC did not provide specific instructions on the appropriate type of queries necessary to access NCIC. Additionally, the reasons for the applicants who were not vetted included inadequate use of biographical information when performing background vetting and individuals having manual records.
During our audit, CNIC implemented the OpenFox system, which was to be completed by October 2014. Before implementation, Navy installation officials generally used a query that only accessed Triple-I but not NCIC. In November 2014, we nonstatistically selected a sample of 39 of 250 applicants to review. The results showed that 34 applicants at the six installations that had the OpenFox system implemented were properly vetted through NCIC. All five applicants from one installation, which did not have the OpenFox system implemented, were not properly vetted through NCIC. This installation was under a different network and was waiting for access approval. As of July 2015, the Navy still has 51 of 120 (42.5 percent) of its sites waiting to implement the OpenFox system.
As a result, CNIC was at risk of allowing individuals that may be on NCIC person files to enter Navy installations. This could potentially place military personnel, dependents, civilians, and installations at an increased security risk.
The Commander, Navy Installations Command should:
- accelerate the implementation of the OpenFox system;
- issue guidance to all installations specifying the queries necessary to access the NCIC person files;
- implement a system control in NCACS to prevent officials from processing NCACS registrations for applicants that have not been vetted through NCIC; and
- require all installations to update their vetting procedures.
Management Comments and Our Response
Comments from CNIC addressed all specifics of the recommendations, and no further comments are required.
This report is a result of Project No. D2014-D000XD-0194.000.