For years, hundreds of thousands of contractors seeking regular access to key Navy installations have merely paid a fee and typed identifying information into ATM-like machines installed on those bases. They were then able to gain temporary access without first going through a background check, even though Navy and White House regulations require such checks be completed beforehand.
Known as Rapidgate, the access control system is now in operation for contractors, vendors, service workers, and suppliers who regularly pass through not just Navy checkpoints — but also those at more than 150 military and government installations around the country, including the Washington Navy Yard, the site of the Sept. 16 shooting rampage.
Last week, an internal Pentagon report called into question how the Rapidgate system became so widely used by the Navy and urged its immediate cancellation at those sites, saying it provides a false sense of security that puts government personnel at risk. The Navy, it said, had contracted for the system through irregular acquisition practices.
Included among its current users are the Virginia Beach base where Navy Seal forces train, the Naval Observatory in Washington that includes the residence of the Vice President, the Maryland site of the Army’s top security chemical and biological laboratories, 15 major U.S. Army bases, the Coast Guard’s academy in Connecticut and its headquarters in Washington, and the Navy’s Trident ballistic missile submarine bases in Connecticut and Georgia, according to the website of Rapidgate’s operator, Eid Passport, Inc., based in Oregon.
At Navy bases alone, more than 290,000 contract employees have obtained passes through the system that has Rapidgate at its heart. Most of its expenses are directly paid by applicants for the passes, not from the military services and other government agencies responsible for enforcing post-9/11 security rules meant to protect personnel and families at government facilities from terrorism and other threats.
Some of the results, according to a new audit by the Pentagon’s Office of Inspector General, have not been pretty. At the ten Navy installations where investigators probed the Rapidgate system’s operation, at least 52 felons, some convicted of serious drug or sexual offenses, were given unsupervised access for periods ranging from two months to three years, the inspector general’s office said in a report dated Sept. 16 that was initially labeled “For Official Use Only,” blocking its public release.
“This placed military personnel, dependents, civilians, and installations at an increased security risk,” the report said.
Although the Inspector General’s office planned to release a redacted version of the report, House Armed Services Committee chairman Buck McKeon, R-Ca., helped force its immediate disclosure a day after a contractor with a security clearance and a history of bizarre personal behavior killed 12 people at the Navy Yard with a pistol and shotgun. The contractor, Aaron Alexis, was then fatally shot by police. He held a higher-level naval facilities access card, not one granted through the Rapidgate program.
But the shooting — and the Inspector General’s report — have nonetheless brought sudden attention to Rapidgate, a system that has quietly helped its owner Eid Passport’s revenues increase six-fold from 2008 to 2011. The firm, whose board of directors is packed with former senior military and civilian officials including ex-Homeland Security Secretary Tom Ridge, was the 15th fastest growing security company in 2013, according to the Inc. 5000.
The Navy work alone is pulling in annual revenue of $53 million, according to a Navy estimate cited in the inspector general report, which faulted the Navy for circumventing normal competition requirements in striking the deal.
The Oregonian newspaper quoted Eid Passport’s chief executive officer, Steve Larson, as saying last August that board members such as Ridge, the retired combatant commander of the U.S. Northern Command and the former commandant of the Coast Guard “have been just overwhelmingly phenomenal at getting us in, opening doors and that sort of thing.”
The company will need those contacts more than ever in the weeks ahead. The Inspector General’s report recommended that the Navy scrap Rapidgate immediately, noting that nine of the 10 naval installations where investigators examined its use, the company gave out temporary passes before completing background checks.
When they occurred, it said, the checks mostly involved databases drawn from public records where the applicant reported residing, which were often outdated and incomplete. Derogatory information was missed, the report said. These records, according to Eid Passport, typically were those from court systems, corrections departments, law enforcement, sex offender registries and other related state, county and municipal sources
The inspector general’s office faulted the company — and the Navy — for not routinely checking the applicants against more accurate government criminal and terrorist databases. It also faulted Navy officers for knowingly accepting the associated security risks, which it said had given the commanders of those bases “a false sense of security” that their personnel were protected from hostile actions.
“We recommend [that the Navy] … immediately discontinue use of Rapidgate and any other system that exclusively uses publicly available databases to vet and adjudicate contractor employees accessing Navy installations, and replace it with a system or process that meets Federal and DOD requirements for background vetting,” said the report, signed by Alice F. Carey, an assistant inspector general for readiness, operations and support.
Sen. Claire McCaskill, who chairs the Homeland Security’s financial and contracting oversight subcommittee and who requested the report in response to the complaint of a whistleblower about Eid Passport’s contract with the Navy in June 2012, said in a statement that the report’s findings were “deeply concerning,” and endorsed the program’s immediate cancellation.
“This program wasted money, allowed dozens of felons access to installations they should never have had, and utterly lacked competent oversight,” McCaskill said in a written statement. “It’s clear that its existence constitutes an unnecessary danger to the Navy and its personnel.”
Navy spokeswoman Courtney Hillson said that vetting through the access control system had barred access to 27,261 vendors and suppliers. Other Navy officials added that in the wake of the Navy Yard shooting, the Defense Department was reviewing physical security and access controls at all of its installations, worldwide. Secretary of Defense Chuck Hagel also planned to have the issue reviewed by an independent panel, they said.
Eid Passport’s chairman and CEO, responded that the company “welcomes audits as they continue to drive the industry to improve identity management systems and processes.” He said the firm “is working with the Navy and looks forward to working with the DOD to further refine and advance the world’s best high-assurance identity management solution.”
It’s unclear whether military services besides the Navy and other government installations that use Rapidgate are checking applicant names themselves against two special federal databases considered vital resources by the inspector general — the National Crime Information Center (NCIC) and the Terrorist Screening Database.
Bridget Serchak, a spokesperson for the IG, said she was not aware of any plan to conduct a wider probe of Rapidgate’s use outside the Navy. But the report said that in 7 of the 10 installations it examined, the Navy was not conducting these checks itself for all applicants.
The Navy disputed that claim, but if accurate, it explains in part why the door was left ajar for convicted felons to gain repeat access to its bases. And if it is replicated elsewhere, it creates risks that go well beyond those documented in the report, CPI’s investigation has found.
The reason is that Eid Passport never conducts NCIC checks at any of the installations where Rapidgate is in operation. “Rapidgate relies exclusively on unreliable public databases,” the inspector general’s report complained.
As John Nee, the vice president of marketing for Eid Passport, explained in an e-mail and telephone interview, Eid Passport does not have the “authorizations and approvals necessary” to search the NCIC, which is not open to the public. Nee said using that database has been “part of the plan for some time,” and the company is looking into how to add it to their screening process.
He declined to address whether the firm has access to the Terrorist Screening database. But the report said it did not at Navy installations, and a Navy official said in the report that the Defense Department is still “working” to give all of its facilities direct access to that data.
Defense Department spokesmen did not respond to questions about whether NCIC checks had been omitted at other installations where Rapidgate is being used, a circumstance that could open the door to other felons gaining repeat access.
But the report has added fuel to a growing political uproar over the military’s troubled efforts to protect its own personnel and to safeguard sensitive security information accessed by contractors such as Edward Snowden.
White House press secretary Jay Carney said at a press briefing Sept. 17 that President Barack Obama has directed the Office of Management and Budget to examine security clearance standards for contractors and employees, while Merton Miller, Associate Director of Federal Investigative Services of the Office of Personnel Management, the agency that organized the screening of Alexis by a different federal contractor — USIS — in 2007, also said in a statement that OPM is reviewing security clearance standards with OMB and the Director of National Intelligence.
Already, the White House — through OMB — requires a background check be done for before providing access to government facilities and installations for more than six months. The rules specifically require vetting against federal databases, according to the inspector general’s report. It complained that many of those who used Rapidgate were given access for a year without such checks.
But the requirements were muddied by the fact that Defense Department’s own rules allow some leeway, requiring checks against the terrorist database and national criminal database “as resources, law, and capabilities permit,” according to the report. Also, the Navy claimed the requirement did not apply to the contractors at issue who visited its bases – a claim that the inspector general disputed.
The Navy launched what it calls its Commercial Access Control System, which relies on Rapidgate, in July 2010 to replace access controls created by individual bases for those who need frequent access but don’t qualify for the credentials typically given to military service members and Defense Department employees.
One card-holder, who had been convicted of “conspiracy to distribute” cocaine in 2000, gained unescorted access before a renewal check turned up a record of his conviction, according to the IG report. Another gained access for 91 days until a second records check in January 2012 found the employee had been convicted of a sexual offense fifteen years earlier. The IG report also noted that Navy installations often house child development centers, schools, and family housing.
Periodic re-checks also revealed others had felony records for drug possession, assault, theft and throwing an object at an occupied vehicle. Naval criminal investigations staff told investigators that they now planned to run 3,000 more cardholders through criminal databases to see if any other felons went unnoticed, according to the IG report.
Although the Navy’s antiterrorism office claimed at the outset that Rapidgate would cost the service little — mostly for the phone lines, power, and space needed by the ATM-like kiosks — the inspectors discovered that contractors were covering the fees by jacking up their overhead costs and other Navy-paid expenses. It found $1.2 million in such expenses was reimbursed to companies such as Goodwill Industries, DynCorp International, BAE Systems, and Huntington Ingalls. A cost analysis belatedly performed by the antiterrorism office, which projected hundreds of millions of dollars in “cost avoidance” was flawed, the inspector’s report said.
“The costs associated [with the program] … are unknown but could be exorbitant,” it said.
The report also noted that when the antiterrorism office made its first purchase of Rapidgate kiosks, it bought seven subscriptions and spent $2,499 for each one. That amount happened to be a dollar less than the amount detailed in Navy rules that required “open market” competition.
After some Navy officials complained, the antiterrorism office ordered the subscriptions renewed and expanded, at a cost of millions of dollars, under unusual subcontracts, which the inspectors found also circumvented federal rules.
“The Navy has not had valid contractual coverage” for the work since 2011, they said, and may have paid $1.1 million for “unallowable costs” related to it.