DOD intends to connect biometric ID system to IMESA by year’s end
The US Department of Defense (DOD) told the Government Accountability Office (GAO) it intends to have its Identity Matching Engine for Security and Analysis (IMESA) system connected to its Automated Biometric Identification System (ABIS) by the end of the year for vetting individuals for access to all domestic DOD installations and facilities.
IMESA is maintained by the Under Secretary of Defense for Personnel and Readiness to help security forces make “current fitness-for-access determinations” for domestic military installations that have physical access control systems (PACS) used to scan credentials in order to authenticate an individual’s identity and authorize access to a DOD facility. Installations fall into three categories: those with PACS connected to IMESA, those with PACS not connected to IMESA, and those without PACS.
IMESA electronically links PACS to federal government (including DOD’s) and local population databases to verify information contained in individuals’ credentials and to search for derogatory information.
DOD’s ABIS is used to match, store, and share biometric data in support of military operations with other government agencies, and with partner nations. It’s used by DOD to identify and verify non-US citizens to help determine if an individual poses “an immediate or potential threat to national security.”
DOD’s Defense Manpower Data Center (DMDC) manages the PACS called the Defense Biometric Identification System (DBIDS) that’s fielded at Air Force, Navy, Marine Corps, and Defense Logistics Agency (DLA) installations, while the Army manages the PACS called the Automatic Installation Entry (AIE) at Army installations.
While the Pentagon intends to field PACS that connect to IMESA at all domestic locations, currently only the Air Force and Defense Logistics Agency (DLA) installations have monitored PACS. The Army, Navy, and Marine Corps, at more than 100 installations, have not monitored the use of PACS because there is no requirement to do so. Consequently, GAO determined that “these components do not have the data necessary to evaluate PACS effectiveness and inform risk-based decisions regarding PACS use to safeguard personnel and mission-critical, high-value installation assets.”
Furthermore, GAO said, “DOD component and installation officials told us about their dissatisfaction with the time it takes to resolve DBIDS’ technical issues. Although the Army has developed performance measures and associated goals for its helpdesk that have improved the ability to resolve technical issues and overall operational availability” of the PACS called the Automatic Installation Entry (AIE) at Army installations, DMDC has not. And “without such performance measures and associated goals, DMDC is unable to systematically evaluate how well DBIDS is performing and address underlying issues negatively affecting DBIDS’ operational availability.”
One legacy system, RAPIDGate, is still used at four domestic Army installations and does not have the capability to connect to government databases. The Army said it intends to replace RAPIDGate with AIE at the four installations by 2021. Both the Navy and Marine Corps had transitioned from RAPIDGate to DBIDS by 2018.
While the Air Force and DLA monitor their installations’ use of PACS, the Army, Navy, and Marine Corps do not, GAO found during an audit of PACS between February 2018 and August.
Unescorted installation access requires, with limited exceptions, that individuals seeking access establish their identity, be determined fit for access, and establish an acceptable purpose for their presence on an installation. Determining whether an individual is “fit” for access has two components: Historic fitness and current fitness.
“Historic fitness” is a determination that an individual’s criminal history reflects a level of character and personal conduct that does not pose a risk to the safety, security, and efficiency of an installation or its occupants. “Current fitness” is a determination that an individual has no pending criminal cases or actions, and is not on any federal government terrorism lists that would indicate the individual may pose a risk to the safety, security, and efficiency of the installation or its occupants.
DOD issues a unique identification credential, called a common access card, to all military personnel, civilian employees, and eligible contractors. Other DOD common access cards include military-dependent credentials and DOD retiree IDs.
GAO said, “Air Force and DLA officials stated they routinely collect data on PACS use and the number of credentials scanned at their installations and provide those data to their leadership,” and that the Air Force “is using these data to brief installation commanders on the risks associated with not using DBIDS at their installations,” but that the “Army, Navy and Marine Corps … do not monitor PACS use at their installations because there is not a requirement to do so.” GAO said there is “no such [DOD] requirement.”
Individuals with credentials eligible for enrollment in IMESA are registered in the system when their credentials are scanned by a PACS for the first time. Once enrolled, GAO explained in its audit report, Monitoring Use of Physical Access Control Systems Could Reduce Risks to Personnel and Assets, IMESA continuously vets each individual for a fitness-for-access determination against IMESA-connected government databases every 24 hours (an event that takes about 2 seconds per ID inquiry), and if any “derogatory information” is discovered about an individual, IMESA automatically flags the information and sends an alert to the PACS so the appropriate security personnel can take prescribed action if and when that individual next seeks access to an installation.
“Local population databases” are databases that “contain information on individuals with a valid reason to access [an] installation who are not already recorded in the Defense Enrollment Eligibility Reporting System (DEERS), and whose credential is authorized to facilitate access to a DOD installation.”
DOD bases and other facilities develop and maintain local population databases in order to track “individuals who have had their credential processed through a visitor control center or PACS at least once.”
According to DOD Manual 5200.08 Volume 3, “derogatory information is information that reflects negatively on the integrity or character of an individual.” Derogatory information can include, but is not limited to, an individual’s criminal history.
“Vetting” is an evaluation of an individual’s character and conduct for approval, acceptance, or denial for the issuance of a physical access control credential. While DOD can use the term “continuous vetting” to refer to different processes in different contexts, GAO uses the term continuous vetting to refer to the “recurring review of an applicant’s character and conduct against authoritative government databases to determine fitness for access to DOD installations. Authoritative government databases include official personnel and industrial security and law enforcement data sources.”
GAO uses “acceptable credential” to refer to “a credential that can be automatically enrolled in IMESA and an installation’s PACS, such as certain DOD-issued credentials (e.g., the common access card), or another credential, such as a state-issued driver’s license, that has previously been enrolled through an installation’s visitor control center process including enrollment in IMESA, if available, and an installation’s PACS and whose enrollment is unexpired.”
Individuals without a common access card or another acceptable credential who seek access to DOD installations with PACS are verified through an installation’s visitor control process where security forces are required to authenticate an individual’s identity, establish an acceptable purpose for their presence on the installations, and to make fitness-for-access determinations using any derogatory information from authoritative government databases, which could include those accessible through IMESA where available and as applicable.
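As an added illustration (not code from GAO, DOD, or DMDC), the following Python model traces the enrollment and continuous-vetting flow described above: an acceptable credential is enrolled on its first PACS scan, a credential that is not acceptable is referred to visitor control, every enrollee is re-vetted against the connected databases on a 24-hour cycle, and a new derogatory hit flags the enrollee and raises an alert to the PACS for the next access attempt. The database name, credential IDs, and the hour-based model clock are constructed for the example.

```python
from dataclasses import dataclass

REVET_INTERVAL_HOURS = 24  # IMESA re-vets every enrollee every 24 hours


@dataclass
class Enrollee:
    last_vetted: float  # model clock, in hours (constructed for the example)
    flagged: bool = False


class ImesaModel:
    """Toy model of IMESA enrollment and continuous vetting (constructed, not DOD code)."""

    def __init__(self, sources):
        self.sources = sources  # database name -> set of credential IDs with derogatory records
        self.enrolled = {}
        self.pacs_alerts = []  # (credential, [databases]) pushed to the PACS

    def vet(self, cred):
        """Fitness-for-access check: which connected databases hold derogatory info?"""
        return [name for name, ids in self.sources.items() if cred in ids]

    def scan(self, cred, now, acceptable=True):
        """A PACS scan at model time `now`; the first scan of an acceptable credential enrolls it."""
        if not acceptable:
            return "REFER_TO_VISITOR_CONTROL"  # no in-lane IMESA enrollment
        rec = self.enrolled.get(cred)
        if rec is None:
            rec = self.enrolled[cred] = Enrollee(now, flagged=bool(self.vet(cred)))
        # A standing flag means security forces take prescribed action on this attempt
        return "FLAGGED_REFER_TO_SECURITY_FORCES" if rec.flagged else "ALLOW"

    def run_vetting_cycle(self, now):
        """Re-vet everyone due for a 24-hour check; a new hit raises a PACS alert."""
        newly_flagged = []
        for cred, rec in self.enrolled.items():
            if now - rec.last_vetted < REVET_INTERVAL_HOURS:
                continue  # not due yet
            rec.last_vetted = now
            hits = self.vet(cred)
            if hits and not rec.flagged:
                rec.flagged = True
                self.pacs_alerts.append((cred, hits))
                newly_flagged.append(cred)
        return newly_flagged
```

Note that an enrollee whose record turns derogatory between cycles keeps passing scans until the next 24-hour check runs, which is the window the report's vetting interval implies.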
From January 2018 through July 2018, there were 4,115 DBIDS technical issues which took between 3 hours and 14 days to resolve depending on the “complexity” of the problem, GAO found. “The root causes of the most prevalent technical issues were site server and handheld device failures,” GAO determined. To address the problem the Army performed an AIE software update and began fielding a more reliable brand of handheld device to installation security forces.
DMDC plans to enhance IMESA’s capabilities to allow for increased information sharing and vetting, and to expand the type of credentials DBIDS can scan. In the Aug. 27, 2018, Plan for the Deployment of Identity Matching Engine for Security and Analysis and Vetting of Individuals memorandum, the Under Secretary of Defense for Intelligence (OUSDI) identified additional authoritative government databases that IMESA will connect with to access derogatory information.
The OUSDI develops overall security policy, including requirements for DOD’s Physical Security Program while the individual secretaries and heads of DOD components establish policies and procedures to implement the OUSDI’s policies.
The OUSDI directed the secretaries of each of the military departments to develop a plan to vet individuals seeking unescorted access to domestic installations for disqualifying derogatory information in additional files within the National Crime Information Center’s (NCIC) database, which comprises various law enforcement files, and the Interstate Identification Index, a federal and state system used to exchange criminal history records, by September 30, 2019.
Currently, IMESA connects to only the Wanted Persons file, which contains records on individuals for whom a federal warrant or a felony or misdemeanor warrant is outstanding. By 2020, IMESA is also supposed to be able to access the National Sexual Offender Registry File and Violent Persons File, in addition to DOD’s ABIS database.
DMDC also plans to expand the types of credentials DBIDS can scan to include all credentials listed in DOD’s 2019 physical security manual. According to an OUSDI official, there are “a small number of installations that, with approval from DOD component leadership, accept credentials not listed in DOD guidance.”
GAO informed Congress that, “according to DMDC officials, scheduled enhancements to DBIDS will enable security forces to scan cards and driver’s licenses compliant with the REAL ID Act of 2005 by the end of” this fiscal year, and that this “enhancement will eliminate the time and expense to annually issue and print hundreds of thousands of temporary DBIDS credentials.”
DMDC also has plans to enable DBIDS handheld devices to read military veterans’ health identification cards, but no time frame for implementation has been established.
Army Office of the Provost Marshal General officials told GAO that AIE “can already scan identification cards and driver’s licenses compliant with the REAL ID Act,” and that this “capability allows individuals with these credentials to be vetted and enrolled in IMESA in the access control lane without having to go to the visitor control center.”
This initial “in-lane” vetting, as it’s called, and consequent IMESA enrollment, takes approximately 30 seconds by checking the NCIC and Interstate Identification Index databases for criminal history and active warrants. The Army has said it has also identified future enhancements to AIE, including a planned transition to a cloud-based version which “will allow for quicker and more cost-effective fielding because of fewer installation prerequisites and reduced computer hardware requirements.” Senior Army leadership are also considering enhancements like self-service kiosks and web-based registration options in order to streamline and expedite initial visit registrations.