IG: HHS Must Improve Access ControlsAudit Uncovers 5 High-Risk Vulnerabilities
The Department of Health and Human Services inspector general has criticized HHS for failing to implement security controls on the system that provides computerized access to physical facilities and computer networks.
"Security controls over the implementation of the HSPD-12 at HHS were inadequate because essential information security requirements were not implemented," Thomas Salmon, HHS assistant inspector general, writes in a summary of an audit on the department's personal identity verification cards program.
Homeland Security Presidential Directive-12 created a policy to identify and authenticate government employees and contractors who access government buildings and computer systems.
Salmon says the IG review determined HHS wasn't consistent in complying with federal guidance when implementing its HSPD-12 system. The IG identified six categories of vulnerabilities, all but one deemed as high risk. They include:
- The implementation of the HSPD-12 lacked controls to ensure that HHS met all credentialing requirements and provided training to employees who performed HSPD-12 roles. HHS failed to establish a standard in which key roles had to be held by different employees to ensure adequate separation of duties and verify integrity of PIV credentials.
- HHS failed to deactivate PIV cards in a timely manner.
- The department's implementation of the HSPD-12 lacked controls to ensure that management had implemented policies and procedures associated with access to the PIV system and protection of sensitive system information.
- The data center facility's network firewall configuration policies did not comply with HHS policy or guidelines. Security management controls - including patch management, anti-virus management and configuration management - were not implemented on HSPD-12 workstations at any of the division PIV card issuance facilities that the IG audited. HHS allowed nongovernmental computers to connect to card management systems.
- Physical security controls, which help ensure that physical access to key areas within the PIV card issuance facilities is restricted to authorized personnel, were not adequate for the PIV system.
- Vulnerabilities were identified in 17 categories on the HHS PIV system Web portal test sites that were scanned. This was the only vulnerability that the IG did not deem high risk; it characterizes the Web vulnerability as a moderate risk.
Salmon says the IG issued only a summary of the audit because of the sensitive nature of specific findings. He did not make public the details of its recommendation, but he says HHS's Office of Security and Strategic Information had concurred with 14 of the 18 recommendations.
HHS did not respond to a request for a comment on the IG findings.