HHS identity card systems pose security risks
Nearly a decade after a presidential directive mandated that agencies adopt a common personal identification standard for federal employees and contractors, compliance with the directive at the Department of Health and Human Services remains inadequate, subjecting the department to several categories of risk, according to a report released by HHS’s Office of the Inspector General last week.
While auditing a sample of HHS’ critical systems for personal identity verification required by Homeland Security Presidential Directive 12, the IG found elements of HHS’ physical security and cybersecurity for the PIV program in disarray. On the physical side, not only did the department lack controls to ensure all credentialing requirements were met for PIV enrollees, but when the workers ended their employment, the smart cards were not deactivated immediately, the report said.
The IG’s report states “HHS did not always comply with Federal guidance when implementing its HSPD-12 system. Specifically, security controls over the implementation of the HSPD-12 at HHS were inadequate because essential information security requirements were not implemented.”
Auditors found the IT systems supporting HHS’ PIV program did not adhere to the department’s policy and guidelines for network firewall configuration. Likewise, the report said, “security management
controls, including patch management, antivirus management, and configuration management, were not implemented on HSPD-12 workstations at any of the division PIV Card Issuance Facilities (PCIF) that we audited. HHS allowed nongovernmental computers to connect to card management systems,” putting the department at high risk in accordance with the National Institute of Standards and Technology’s “Guide for Conducting Risk Assessments.”
The auditors found 18 areas total in which they recommended action for HHS. The department’s Office of Security and Strategic Information, the office in charge of implementing PIV cards, concurred with all but four of the recommendations. The report itself, though, focused on just six broader categories of vulnerabilities that posed risks because of the “sensitive nature of the specific findings identified during our testing,” the report stated.
As of June, HHS had issued nearly 118,000 PIV credentials — about 76,500 to full-time employees, and the rest to contractors and “other individuals,” according to a progress report — since HSPD-12 went into effect.
HHS isn’t the only department struggling to fully implement the PIV card system successfully. In September 2010, the Department of Veterans Affairs’ Office of the Inspector General released a report that said two years after the 2008 deadline for governmentwide full HSPD-12 compliance the VA had a miserable 9 percent adoption rate for employees. Another report from the Government Accountability Office found in 2011 that the Commerce, Interior and Agriculture departments were still far away from completing PIV enrollment in time for a 2011 revised deadline.
Overall, the issuance of PIV cards is getting better thanks to a cross-agency priority goal from the White House — 96 percent of executive branch department and agency employees received the smart cards by the end of fiscal year 2013. However, HHS’ audit shows that doesn’t mean much if the cards are not being implemented securely and properly.