A police officer stands guard at the front gate of the Washington Naval Yard September 17, 2013, the day after the fatal shooting rampage. (Mark Wilson / Getty Images)
After Aaron Alexis opened fire at the Washington Navy Yard, Chris Grijalva got a message: Speed it up.
Grijalva, division director for identity services at Defense Manpower Data Center (DMDC), spearheads a Defense Department effort to develop capabilities to continuously vet people with access to U.S. installations. The project has been underway for two years.
The technology enables DoD’s physical access control systems to communicate with each other and query data from the FBI about criminal activity or other issues that would deter the military from letting an individual onto its installations, he said.
After the shooting, which left 13 people dead, Defense Secretary Chuck Hagel launched an internal review of the incident and recommended Grijalva’s team accelerate development of the messaging system and its services.
But widespread roll out of the Identity Management Enterprise Services Architecture, IMESA for short, has been mired in legal paperwork for the past year so. DoD must ensure IMESA aligns with its policies and directives, including one that prohibits the department from collecting, reporting, processing, or storing information on individuals or organizations not affiliated with the DoD, except in limited circumstances such as protection of DoD functions and property from direct threats.
IMESA can query data only on people who have or are requesting access to its installations, said Grijalva, whose purview includes management of DoD’s ID card program.
The ongoing controversy over the National Security Agency’s surveillance and data collecting practices has made navigating the legal aspects more challenging.
DoD currently does not have a systemic capability for military installations to electronically share timely data on individuals. Each installation is tasked with accessing the proper law enforcement and threat information on their own to make that determination, and much of that is done manually, Grijalva said.
Technology isn’t the problem. Grijalva’s team has already proven IMESA works. The services have committed to using IMESA and provided development funding for the system, he said. The Air Force is currently using IMESA under a pilot program, and the Army, Defense Logistics Agency and Pentagon Force Protection Agency, are expected to be hooked up to IMESA any day.
The services had planned an operational demonstration last fall to test IMESA’s ability, using actual FBI data feeds and walking through the process of identifying individuals who could pose a risk.
The Washington Navy Yard was selected as one of four test sites, but the testing was delayed for additional legal reviews. It was during that time 34-year-old Alexis, a contractor with a security clearance, opened fire at the installation.
DoD officials have acknowledged IMESA could have helped in a case like the Navy Yard incident, if information about Alexis’ criminal history and encounters with law enforcement came up in response to a query.
Grijalva’s team is working with the under secretary of defense for intelligence on a related solution to continuously evaluate individuals who hold security clearances. The capability will enable DoD to monitor data sources to check a person’s compliance with federal standards for maintaining eligibility for a security clearance. That includes checking law enforcement data, derogatory credit history and foreign travel.
Data queried by IMESA can be manually fed into DoD’s security clearance database, mainly if there are significant findings that warrant action.
IMESA alone won’t solve all the military’s security problems.
There are other human factors that play a role in IMESA’s effectiveness, such as the need to electronically scan a person’s badge and check against national and local databases for red flags, as opposed to eyeballing badges and allowing cardholders through the gate. The military is also dependent on local law enforcement to feed useful data into the system, but there is no standard for doing so.
But already the system is addressing security gaps within the Air Force.
Today, IMESA is in use at more than 100 U.S. Air Force installations, including Andrews Air Force Base. The pilot program enhances the service’s physical access control system by consolidating information, and it enables installations to send electronic alerts about an individual or an incident. This capability is critical because different versions of the service’s current physical access control system cannot communicate with each other, said Scott Ulrich, chief of access control for the Air Force’s Security Forces Directorate.
“That is the innovative part,” Ulrich said. IMESA is also one of 30 finalists for the 2014 Igniting Innovation Awards to be presented by the organization ACT-IAC on Thursday.
Today IMESA provides a Web interface between the Air Force’s version of the Defense Biometric Identification System and the FBI’s database of individuals with felony charges, arrest warrants or wanted individuals. There are plans to include other FBI databases, including the National Sex Offender Registry and the Terrorist Screening Database, as well as data from local law enforcement agencies.
Grijalva said those additional capabilities can be turned on today, but his team does not have the legal authority to do so yet. The vision is for IMESA to provide access to any record that would indicate someone is a threat to DoD facilities and assets.
Over the past three months, the IMESA pilot program identified 335 individuals as positive matches on the FBI’s felony, wants and warrants list, Ulrich said. Some offenses involved past due child support, drug charges and weapons violations. Of those 335 people, 111 have requested or sought access to an Air Force base.
Airmen, contractors, family members and other individuals with access to Air Force installations that show up in the FBI’s database are flagged for further review and must undergo a secondary screening to verify their identity and determine if the alert is in fact valid. The installation commander makes the final call on whether that person should be granted access to the base, denied access or other actions should be taken, Ulrich said.
“The installations are definitely getting the information to make them safer,” Ulrich said. “That level of information did not exist up until we did thisin November. As a law enforcement person I can say it’s significant if we catch one out of 5 million cause that one may have been the Washington Navy Yard guy.”
The Air Force is working through the gray areas of IMESA. For instance, commanders’ decisions could vary among bases, depending on the offense, how great of a threat the individual poses to the Air Force and the individual’s job duties.
However, not all installations electronically scan badges for every person, although they are supposed to. People who come to a base often, or whose badges appear to be in order and not expired, might be waved in without a scan.
“We are very happy with the fact we have this tool in our tool kit,” Ulrich said. “It doesn’t eliminate [risk] 100 percent, but it definitely makes it less risk for someone to filer in.”