Security Controls Over the Implementation of Personal Identity Verification Cards (PIV) at the Department of Health and Human Services (HHS) Were Inadequate Due to Lack of Some Essential Information Security Requirements
We evaluated the HHS implementation of the Homeland Security Presidential Directive 12 (HSPD-12) and the security controls over a sample of its critical HSPD-12 systems to determine whether the guidance had been followed. Specifically, we assessed (1) whether the HHS PIV card application and issuance processes were effective and complied with HHS guidance and regulations and (2) whether information security controls over critical HHS PIV systems complied with Federal information security standards.
We found that HHS did not always comply with Federal guidance when implementing its HSPD-12 system.
We recommended that HHS implement necessary corrective actions to resolve the reportable findings that we identified in this audit.