On September 16, 2013, Aaron Alexis, a Navy contractor employee with a Secret security clearance, shot and killed 12 U.S. Navy civilian and contractor the security at the Washington Navy Yard.
But how did he do it? Answer: He simply walked right in using his valid building pass and Top Secret security clearance to gain entry to Building 197 – no questions asked.
It also seems that security did not properly vet or search Alexis or his bag on his way into the facility.
That critical flaw allowed a mentally deranged man with a disassembled Remington high powered 12 gauge shotgun with ammo and a fully loaded Berretta handgun to enter a secure military facility and systematically murder 12 people and injure several more.
According to an internal review:
“Although DoD processes and procedures related to access to facilities by cleared personnel appear to be adequate, the review revealed that some DoD Components are not in compliance with DoD policy on visitor access control.
DoD Instruction 2000.16, “DoD Antiterrorism (AT) Standards,” requires DoD Components in Force Protection Condition Bravo to verify the identity of visitors seeking access to DoD installations and randomly inspect their suitcases, parcels, and other containers. Likewise, Directive-type Memorandum (DTM) 09-012, “Interim Policy Guidance for DoD Physical Access Control,” directs non-federal government and non-DoD-issued card holders who are provided unescorted access to DoD installations to be identity proofed and vetted to determine fitness and eligibility for access. DTM 09-012 also requires personnel to be vetted against government authoritative data sources, including the National Crime Information Center (NCIC) and Terrorist Screening Database (TSDB).
Not all visitors are being vetted before gaining unescorted access to DoD installations. In some cases, visitors can show a driver’s license to gain access to DoD installations without being vetted. In other cases, local vendors may be given a base pass without being vetted against the NCIC or TSDB. As resources allow, the Military Departments actively pursue compliance with installation access control, but fiscal pressures prevent installations from having NCIC capability at their visitor centers. Some DoD installations have purchased commercial access control vetting systems (such as MOBILISA) that do not check against U.S. Government authoritative data sources (NCIC and TSDB).
These systems do not meet the intent of DTM 09-012, as they use only a public records check and are not interoperable, nor do they support a DoD-wide access control capability. A recently issued DoD Inspector General report27 noted a key finding that numerous contractor employees were enrolled in a commercial access control system and received interim installation access and a local access credential without having their claimed identities vetted through mandatory databases such as NCIC and TSDB. This occurred in attempts to reduce access costs. OMB memorandum 05-24 directs that government employees and contractor personnel requiring routine physical access to an installation for more than 6 months must receive a personal identity verification credential, such as a DoD CAC, and successfully complete a National Agency Check with Written Inquiries (or higher) investigation.
Although it appears physical security policies at the Washington Navy Yard were aligned and nested with Department of the Navy and DoD policies, there were some shortcomings in the implementation and execution of these policies.
The review revealed that random antiterrorism measures (RAM) and vehicle inspections were not being conducted regularly as required under DoDI 2000.16, “DoD Antiterrorism (AT) Standards.” Installation antiterrorism plans and local vulnerability assessments were not completed in accordance with DoD antiterrorism policy. Further, visitors were not properly vetted in accordance with DoD physical security policy. We do not believe these concerns are isolated to the Navy Yard. Common observations from Joint Staff Integrated Vulnerability Assessments (JSIVAs) identified:
• Deficiencies in commercial delivery inspection processes, employment of RAM and final denial barriers; and
• Insufficient explosive detection equipment, working dogs, and communications equipment.
Implementation and enforcement of physical security and antiterrorism procedures and policies require senior leadership emphasis and oversight.”