Navy Commercial Access Control System Did Not Effectively Mitigate Access Control Risks (Repot1 No. DODIG-2013-134), September 16, 2013
“FINDING A: NCACS Did Not Effectively Mitigate Access Control Risks for Contractors Entering Navy Installations – The Navy Commercial Access Control System, Rapidgate, did not effectively mitigate the access control risks of contractors accessing Navy installations. Specifically, numerous contractor employees enrolled in Rapidgate received interim installation access and Rapidgate credentials without having their identities vetted through mandatory authoritative databases, such as the National Crime Information Center (NCIC) database and the Terrorist Screening Database. Furthermore, as an alternative to NCACS, contractor employees could obtain a local daily pass without having their identities vetted through NCIC and the Terrorist Screening IDatabase. This occurred because-in an attempt to reduce access control costs-CNIC did not: • follow Federal credentialing standards and DoD contractor vetting requirements and • provide 7 of the 10 installations visited with the appropriate resources and capabilities to conduct required contractor background checks. As a result, 52 convicted felons received routine, unauthorized access to Navy installations for 62 to 1,035 days since Eid Passport’s initial public record checks did not identify the felony convictions. This placed military personnel, dependents, civilians, and installations at an increased security risk.”