Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2016

Overall, in comparison to the prior year's FISMA review, the Department has made improvements. Specifically, the number of findings have decreased from year to year. In addition, the Department and its operating divisions have implemented continuous monitoring tools that have allowed them to gain more insight to the security compliance of their assets. However, despite the progress made to improve its information security program, opportunities to strengthen the overall information security program exist. We continued to identify weaknesses in the following areas: continuous monitoring, configuration management, identity and access management, risk management, incident response, security training, contingency planning, and contractor systems.

The Department should further strengthen its information security program. We made a series of recommendations to enhance information security controls to the Department and specific controls for the operating divisions. The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them.