Study: US-VISIT's RFID system needs better security

14.07.2006
The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program's RFID system has not done enough to secure personal data stored in its Automated Identification Management System (AIDMS) database, according to a recent partially-censored report issued by Richard Skinner, the inspector general of the U.S. Department of Homeland Security (http://www.dhs.gov/interweb/assetlibrary/OIG_06-39_Jun06.pdf).

US-VISIT is a program established in 2004 by the DHS to control and monitor the entry, visa status and exit of foreign visitors to the U.S.

Currently, US-VISIT is testing the use of RFID technology on Form I-94 visa documents to determine whether the technology meets the requirements of the program at five points of entry: Alexandria Bay, N.Y.; Nogales East and West, Ariz.; and the Peace Arch and Pacific Highway sites in Blaine, Wash. The test began in August 2005, and if it is successful, RFID tags will be deployed to the 50 busiest land ports by Dec. 31, 2007.

Although data on the RFID-enabled Form I-94s is not encrypted and could be intercepted, it does not contain any personal information; it can be used to obtain such information only when combined with the records stored in the AIDMS database, according to the report. But if US-VISIT decides to store personal information on the tags, additional controls should be implemented, the inspector general said.

"During our vulnerability assessment on selected DML [Device Management Layer] servers, we discovered no high or medium security vulnerabilities," Skinner said. "However, our assessment results on the AIDMS database revealed some security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data. Specifically, we identified deficiencies in user account and password management [and] user access permissions.

"Periodic reviews of security settings would identify security weaknesses in user and password management," Skinner said. Otherwise, US-VISIT officials might not detect unauthorized activity or determine who is responsible for such activity, he said.

Skinner recommended that the director of US-VISIT direct its CIO to develop and implement procedures to better protect user accounts and password management processes relating to the AIDMS database. Skinner also called for periodic reviews of security settings to ensure that all identified vulnerabilities are fixed.
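The inspector general's recommendation amounts to a recurring audit of the database's user accounts: shared accounts that cannot be attributed to a person, passwords that never expire or are never rotated, dormant accounts left enabled, and accounts holding more privilege than their job requires. The following is an added example (not code from the report, DHS or the US-VISIT program) of what such a periodic review can look like, run over a constructed account export; the account records, role names and policy thresholds are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical policy thresholds for the review (not taken from the report).
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 90
# Hypothetical privileged role names; only accounts whose job function is
# "dba" are expected to hold them.
ADMIN_ROLES = {"DBA", "SYSADMIN"}


@dataclass
class DbAccount:
    """One row of a database account export (constructed for this example)."""
    username: str
    owner: Optional[str]                 # named individual; None means a shared account
    job_function: str                    # e.g. "analyst", "dba", "application"
    roles: List[str]
    enabled: bool
    last_password_change: Optional[date]  # None: never changed since provisioning
    password_never_expires: bool
    last_login: Optional[date]            # None: never logged in


Finding = Tuple[str, str, str]  # (username, severity, description)


def review_accounts(accounts: List[DbAccount], today: date) -> List[Finding]:
    """Apply the account- and password-management checks to every enabled account."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot be used; nothing to flag

        # Accountability: activity on a shared account cannot be attributed
        # to a person, which is exactly the "who is responsible" gap the IG raised.
        if a.owner is None:
            findings.append((a.username, "HIGH", "shared account with no named owner"))

        # Password management checks.
        if a.password_never_expires:
            findings.append((a.username, "MEDIUM", "password is set to never expire"))
        if a.last_password_change is None:
            findings.append((a.username, "HIGH", "password never changed since provisioning"))
        elif (today - a.last_password_change).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.username, "MEDIUM",
                             f"password older than {MAX_PASSWORD_AGE_DAYS} days"))

        # Dormant-but-enabled accounts are an unmonitored way in.
        if a.last_login is None or (today - a.last_login).days > MAX_INACTIVE_DAYS:
            findings.append((a.username, "MEDIUM", "dormant account still enabled"))

        # Access permissions: privileged roles on a non-administrator account.
        if ADMIN_ROLES & set(a.roles) and a.job_function != "dba":
            findings.append((a.username, "HIGH",
                             f"privileged roles {sorted(ADMIN_ROLES & set(a.roles))} "
                             f"granted to job function '{a.job_function}'"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a reviewer can see the trend run-over-run."""
    counts: Dict[str, int] = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample export. Dates are relative to the review date below.
REVIEW_DATE = date(2006, 7, 14)
SAMPLE_ACCOUNTS = [
    DbAccount("jdoe", "J. Doe", "analyst", ["READ_ONLY"], True,
              date(2006, 6, 14), False, date(2006, 7, 12)),
    DbAccount("aidms_app", None, "application", ["READ_WRITE"], True,
              None, True, date(2006, 7, 13)),
    DbAccount("rsmith", "R. Smith", "analyst", ["DBA", "READ_WRITE"], True,
              date(2005, 12, 1), False, date(2006, 3, 1)),
    DbAccount("old_contractor", "T. Vendor", "analyst", ["READ_ONLY"], False,
              date(2005, 1, 1), False, None),
]


def run_review() -> List[Finding]:
    """Entry point used both by the command line and by tests."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    results = run_review()
    for user, severity, text in results:
        print(f"{severity:6} {user:16} {text}")
    print("summary:", summarize(results))
```

On the sample export the review flags nothing for `jdoe`, three issues for the shared application account and three for the analyst holding a DBA role, while the disabled contractor account is skipped. Running the same checks on every review cycle and diffing the summary is what turns a one-off assessment into the ongoing control the report asks for.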

In a written response, James Williams, director of US-VISIT, said steps have already been taken to strengthen account management in the AIDMS database.

However, Williams disagreed with a recommendation that RFID policies and procedures be set. He said existing policies cover the security of information, whether it is collected through RFID or any other technical means. In addition, Williams said US-VISIT believes that the DHS is the proper authority for developing RFID policies.

There are also problems with the management and oversight of the US-VISIT contracts, according to a separate report released this week by the Government Accountability Office (http://www.gao.gov/new.items/d06404.pdf). The US-VISIT program office did not establish and implement effective financial controls for overseeing US-VISIT-related contract work performed on its behalf by other DHS agencies, including Customs and Border Protection, and by two other agencies not affiliated with DHS, the GAO said. As a result, US-VISIT did not know exactly how much was being spent on the contracts.

"Without these controls, some agencies were unable to reliably report US-Visit contracting expenditures," according to the report. "Further, the program office and these other agencies improperly paid and accounted for related invoices, including making duplicate payments and payments for non-US-VISIT services with funds designated for US-Visit."

Without effective contract management and oversight, US-VISIT does not know whether the necessary work is being done on time and within budget, or whether proper payments are made, the GAO said.

The GAO recommended that the secretary of DHS implement contract management and financial controls for all contracts awarded by the US-VISIT program office.

In written comments, DHS officials said that while they dispute some of the GAO's findings, they agree with the need for improvement. For example, DHS disagreed with the GAO finding that a duplicate payment of US$3 million had been made to one contractor; DHS said the contractor that had sent the duplicate invoice ultimately refunded the second payment.