This story has been updated throughout with detail.
The Navy Installations Command reached outside normal competitive channels to procure a flawed and risky commercial access control system that has allowed 65,000 contractors to routinely access its bases. The procurement process involved purchases on government credit cards 51 cents below the $2,500 maximum allowed, the Defense Department Inspector General said in a report released this week.
The Installations Command used a contract for a Navywide perimeter monitoring system run by the Naval Surface Warfare Center in Panama City, Fla., as the umbrella contract for the Navy commercial access control system, or NCACS, in 49 states and the Mariana Islands. The command also tapped a contract for sensor systems run by the Naval Surface Warfare Center in Port Hueneme, Calif., to buy $9.9 million worth of handheld barcode scanners to check IDs at bases as part of the NCACS project, the IG reported.
The report also made it clear that the Installations Command outsourced base credentialing and background checks to a private contractor in order to save money.
In July 2010, the Installation Command selected the Rapidgate system developed by Eid Passport of Hillsboro, Ore., to vet contractor employees who needed routine base access for up to a year in place of the more secure Defense Department common access card issued to Aaron Alexis, an employee of a Hewlett-Packard Corp. subcontractor who killed 12 people at the Washington Navy Yard Monday.
The Rapidgate system consists of a registration station that takes a photo of the contractor and scans fingerprints, and a Web interface for submission of personnel information.
Eid Passport then uses a third party vendor to conduct a public records check, and when that is completed, issues a permanent ID badge, which a gate guard verifies with a handheld barcode scanner. The IG said that until that process is completed, contractor employees can receive temporary pass for 28 days.
The IG reported that flaws in the Rapidgate vetting process allowed 52 convicted felons to receive access to Navy installations ranging from 62 to 1,035 days, a lapse that “placed military personnel, dependents, civilians and installations at an unacceptable level of safety and security risks.”
Eid Passport sells its system on a subscription basis — $159 for one employee to access a single base and $199 for multiple bases — and the Installations Command, which does not have contracting authority, took advantage of this to procure seven subscriptions in April 2010 on a government purchase card through the General Services Administration.
The total price for those seven subscriptions came to $3,059; the IG said the Installations Command requested a price change authorization that resulted in a cost of $2,449.49, 51 cents below the Navy’s micro-purchase threshold.
To acquire NCACS for installations in the continental United States, Hawaii and the Marianas, in October 2011 the Installation Command directed 3e Technologies International of Rockville, Md., part of Ultra Electronics, to purchase eight Rapidgate subscriptions from Eid Passport under a contract run by the Naval Surface Warfare Center for a servicewide perimeter monitoring system, which would not include Rapidgate. Panama City contracting personnel were unaware of the Rapidgate subcontract, the IG said.
On Sept. 27, 2012, 3eTI subcontracted with Eid Passport for proprietary Rapidgate handheld scanners at the direction of the Naval District Washington Chief Information Officer through a contract with the Naval Surface Warfare Center in Port Hueneme for design, development, integration and testing of the critical infrastructure network.
The Port Hueneme contract did not cover the purchase of handheld scanners and the Port Hueneme contracting officer was unaware of the subcontract that the IG said was an “unauthorized commitment for out-of-scope work that would require use of competitive contracting procedures or a justification and approval for sole source.”
The Installations Command circumvented competitive contracting requirements in its acquisition of NCACS, the IG concluded. In May 2012, the command issued a “sources sought” notice for vendors interested in a new phase of NCACS, but the notice stated no contract would be issued.
Eid Passport and Intellicheck/Mobilisa, a Port Townsend, Wash., company that supplies an access control system to the Army responded to the notice. Despite the fact that previous statements of work said Eid Passport vetted contractors against unreliable databases, the Installations Command determined only Eid Passport met its requirements and selected the company to continue work on NCACS.
The Installations Command pitched Rapidgate as a low-cost way to vet and provide IDs for contractors who do not require a CAC cards – such as delivery personnel – and estimated it would save $295 million over five years, as contractors would absorb the costs of the system, including subscription fees, with vetting and infrastructure outsourced to Eid Passport.
Contractors, meanwhile, planned to pass the costs of Rapidgate back to the Navy, with one Joint Strike Fighter contractor planning to add $1 million a year to its bill every year for five years to cover the costs of NCACS.
The IG said 9,657 companies with a total of 64,924 employees were enrolled in NCACS as of November 2011 and estimated Eid Passport took in $53 million a year that could be charged back to the Navy by contractors. An analysis done by the Naval Supply Systems Command determined NCACS could potentially cost ten times more over ten years, the IG said.
The IG report concluded that “Rapidgate, did not effectively mitigate access control risks, and did so at a potentially exorbitant price to the Navy.” The IG also concluded that the command “took extraordinary measures to ensure the program continued to operate without contracting authority.” The IG recommended that the command replace Rapidgate with a system that uses databases, such as the FBI’s National Crime Information Center, to vet contractor personnel.
The Installation Command in its Aug. 1 reply to the IG — written six weeks before the Navy Yard attack — said NCACS security checks “meet or exceed federal and DoD requirements for background vetting.” The command added, “Discontinuing a successful system that has facilitated over 14,000,000 safe and secure visits will ensure there are unnecessarily long waiting lines at gates and access points . . . including some of our largest bases.”
Lt. Caroline Hutcheson, a Navy spokeswoman, said the service is in the process of reviewing the final report and its recommendations.
Sen. Claire McCaskill, D-Mo., said that based on her review of the IG report, NCACS “wasted money, allowed dozens of felons access to installations they should never have had, and utterly lacked competent oversight.” She added, “It’s clear that its existence constitutes an unnecessary danger to the Navy and its personnel, and it should be discontinued immediately.”
In a letter sent Tuesday to Navy Secretary Ray Mabus, McCaskill called out the service for allowing Eid Passport to conduct checks, despite its history of referring to unreliable databases and failing to include certain government databases.
She said the Navy Yard shooting “highlights the importance of complete, thorough background investigations of the contractors and subcontractors granted access to Navy installations” and asked for a briefing on contractor access to Navy installations on or before Friday, Sept. 27.