Security Controls Over the Implementation of Personal Identity Verification Cards at the Department of Health and Human Services Were Inadequate Due to Lack of Some Essential Information Security Requirements
"This report provides an overview of the results of our audit of the Department of Health and Human Services (HHS) implementation of Homeland Security Presidential Directive 12 (HSPD-12). Due to the sensitive nature of the specific findings identified during our audit, only a summary of the findings is included in this report. We have provided more detailed information and recommendations to HHS so that it can address the issues we identified. […] The HSPD-12, 'Policy for a Common Identification Standard for Federal Employees and Contractors,' August 27, 2004, mandated the promulgation by 2006 of a Federal standard for secure and reliable forms of identification for Federal employees and contractors and mandates the use of government-wide identification credentials for employees and contractors. The HSPD-12 and other Federal guidance require executive departments and agencies to (1) implement the standard for identification issued to Federal employees and contractors in gaining physical access to controlled facilities and logical access (the authorized and authenticated access to computer applications and data files) to controlled information systems and (2) implement and maintain adequate security for all their support systems and applications. We evaluated HHS' progress in implementing a reliable and effective system of personal identity verification (PIV) in compliance with the HSPD-12. Our objective was to determine whether HHS complied with Federal guidance when implementing its HSPD-12 system."
Department of Health and Human Services, Office of Inspector General, Report No. A-18-12-30410
U.S. Department of Health and Human Services, Office of the Inspector General: http://oig.hhs.gov/