Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2017

Overall, the Department has made improvements and continues to implement changes to strengthen its enterprise-wide information security program including adhering to security training procedures and updating policies and procedures. Further, the Department continues to work towards implementing a Department-wide Continuous Diagnostics and Mitigation program, coordinating with the Department of Homeland Security.

While the Department continue to improve its information security program, opportunities to strengthen the overall information security program were identified, which should allow the Department to achieve a higher level of maturity for its information security program. We continued to identify weaknesses in the following areas: risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning.

The Department should further strengthen its information security program. We made a series of recommendations to enhance information security controls to the Department and specific controls for the operating divisions. The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them.