The U.S. Department of Health and Human Services has not always complied with federal guidance when deploying credentialing systems for HSPD-12, according to an Inspector General’s report.
Security controls over the implementation of the smart card credentialing program at HHS have been inadequate because “essential information security requirements were not implemented,” the report states.
The inspector general found six categories of vulnerabilities:
- Enrollment and issuance process—The HSPD-12 implementation lacked controls to ensure that all credentialing requirements were met and that training was provided to employees who performed HSPD-12 roles. Also, HHS had not established adequate separation of duties among employees to verify the integrity of the PIV process.
- Deactivation of PIV cards—PIV cards were not deactivated in a timely manner.
- Security over system access—The HSPD-12 implementation lacked controls over access to the PIV system.
- Security management—The data center facility’s network firewall configuration policies did not comply with HHS policy or guidelines. Also, security management controls, including patch management, antivirus management, and configuration management, were not implemented on HSPD-12 workstations at any of the PIV Card Issuance Facilities that the inspector general audited. HHS also allowed non-governmental computers to connect to card management systems.
- Physical security—Physical security controls, which help ensure that physical access to key areas within the PIV Card Issuance Facilities is restricted to authorized personnel, were not adequate.
- Web vulnerabilities—Vulnerabilities were identified in 17 categories on the HHS PIV system Web portal test sites that were scanned.
The inspector general recommends that HHS implement essential security requirements in the areas of enrollment and issuance, deactivation of PIV cards, system access, security management, physical security, and PIV Web portals.