Study: US-VISIT's RFID system needs better security

14.07.2006

Skinner recommended that the director of US-VISIT direct its CIO to develop and implement procedures to better protect user accounts and password management processes relating to the AIDMS database. Skinner also called for periodic reviews of security settings to ensure that all identified vulnerabilities are fixed.

In a written response, James Williams, director of US-VISIT, said steps have already been taken to strengthen account management in the AIDMS database.

However, Williams disagreed with a recommendation that RFID policies and procedures be set. He said existing policies cover the security of information, whether it is collected through RFID or any other technical means. In addition, Williams said US-VISIT believes that the DHS is the proper authority for developing RFID policies.

There are also problems with the management and oversight of the US-VISIT contracts, according to a separate report released this week by the Government Accountability Office (http://www.gao.gov/new.items/d06404.pdf). The US-VISIT program office didn't establish and implement effective financial controls for overseeing US-VISIT-related contract work performed on its behalf by other DHS agencies, including Customs and Border Protection and two other agencies not affiliated with DHS, the GAO said. As a result, US-VISIT didn't know exactly how much was being spent on the contracts.

"Without these controls, some agencies were unable to reliably report US-Visit contracting expenditures," according to the report. "Further, the program office and these other agencies improperly paid and accounted for related invoices, including making duplicate payments and payments for non-US-VISIT services with funds designated for US-Visit."