Audit Finds Serious Flaws in Navy Security Screening

In a sad coincidence, the day a contractor employee named Aaron Alexis killed 12 people at the Washington Navy Yard was the day the Department of Defense Inspector General (DoD IG) released an audit report slamming security screening at U.S. Navy installations.

News accounts of the Navy Yard tragedy have focused on just one finding in the DoD IG report: that in recent years a total of 52 convicted felons were given access to Navy installations. While we understand the mainstream media’s fondness for quick and simple numbers, the public should also be made aware of the report’s other astonishing findings.

DoD IG reviewed the Navy Commercial Access Control System (NCACS), a process used to screen and register contractors and suppliers seeking unescorted access to Navy installations and facilities. NCACS is administered by a company called Eid Passport, Inc., which performs background checks on and issues credentials to contractors seeking access to Navy installations. The process uses Eid Passport’s proprietary Rapidgate system. Contractors pay Eid Passport an annual fee of up to $249 to obtain Rapidgate credentials. (By the way, there are some pretty big names on Eid Passport’s board of directors, including former Coast Guard Commandant Admiral Thomas H. Collins, retired Air Force General Ralph E. “Ed” Eberhart, and former Secretary of Homeland Security Tom Ridge.)

DoD IG found that NCACS did not effectively mitigate access control risks, allowing 52 contractor employees with felony convictions to gain access to Navy installations. In order to cut costs, the Navy violated federal credentialing standards and contractor vetting requirements. The Navy delegated the vetting function entirely to Eid Passport, which relied on public record databases that were not always up to date, complete, or accurate. Hence, Eid Passport’s record checks failed to turn up convictions for drug possession, assault, theft, and even “indecent liberties with a child.” In light of this week’s tragedy, it is notable that among six Navy Installations Command regions (Mid-Atlantic, South East, Midwest, North West, South West, and Navy District Washington), the Washington region was responsible for only 1 of the 52 people whose felony convictions were not caught before they were issued credentials.

The report’s second key finding is that Navy officials misrepresented the cost of NCACS. The Navy claimed fees paid by participating contractors would serve as the primary source of revenue for Eid Passport and thus keep costs down for the government. But, according to the report, the costs absorbed by the contractors to obtain Rapidgate credentials have actually been transferred back to the Navy—and to other DoD components—in the form of higher contract overhead costs and other contract fees. DoD IG identified 17 contractors that charged the Navy $1.28 million for costs incurred to purchase Rapidgate credentials. Eid Passport, by contrast, is sitting pretty: As of March 2013, the NCACS program had 30,702 companies and 298,204 contractor employees enrolled, earning Eid Passport at least $53 million in annual fees.

The third key finding is that Navy officials used inappropriate contracting methods to implement NCACS. The officials restricted full and open competition, directed contractors to perform unauthorized work, and have allowed Eid Passport to continue providing services in the absence of a valid contract for almost two years. DoD IG found that the Navy spent nearly $1.2 million in disallowable costs and, what’s worse, lacks oversight of, and legal recourse against, Eid Passport.

DoD IG recommended the Navy immediately discontinue the NCACS program until it replaces the Rapidgate system with a system or process that meets federal and Department of Defense requirements for background vetting. The Navy disagrees and is sticking with Rapidgate.

Two days after the Navy Yard shooting, Eid Passport issued a press release offering its thoughts and prayers to those affected by the tragedy, and trying to put a positive spin on the DoD IG report. “Eid Passport welcomes audits as they continue to drive the industry to improve identity management systems and processes,” the release states. The company says it “looks forward to working with the DoD to further refine and advance the world’s best high-assurance identity management solution.”

The pass that allowed Aaron Alexis to work at the Washington Navy Yard was not issued through NCACS, but there is still plenty of reason to be concerned about the Navy’s continued use of this particular security screening system. NCACS is a deeply flawed system that, in the words of DoD IG, “[places] military personnel, dependents, civilians, and installations at an increased security risk.” We should also consider the audit another clear warning about the dangerous extent to which the government depends on, and fails to adequately oversee, its contractor workforce.