Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Security Controls Over the Implementation of Personal Identity Verification Cards (PIV) at the Department of Health and Human Services (HHS) Were Inadequate Due to Lack of Some Essential Information Security Requirements

We evaluated the HHS implementation of the Homeland Security Presidential Directive 12 (HDSP-12) and the security controls over a sample of its critical HSPD-12 systems to determine whether the guidance had been followed. Specifically we assessed (1) whether the HHS PIV card application and issuance processes were effective and complied with HHS guidance and regulations and (2) whether information security controls over critical HHS PIV systems complied with Federal information security standards.

We found that HHS did not always comply with Federal guidance when implementing its HSPD-12 system.

We recommended that HHS implement necessary corrective actions to resolve the reportable findings that we identified in this audit.

General Departmental