Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2018

What We Found

Overall, the Department continues to implement changes to strengthen its enterprise-wide information security program. We identified opportunities where the Department can strengthen their overall information security program. The Department continues to work toward implementing a Department-wide Continuous Diagnostics and Mitigation program with the Department of Homeland Security. This should help the Department achieve a higher level of maturity for its information security program in subsequent years. Additionally, we identified weaknesses in the following areas: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning.

The Department needs to ensure that all operating divisions consistently review and remediate or address the risk presented by vulnerabilities discovered, consistently implement account management procedures, and accurately track systems to ensure they are operating with a current and valid Authority to Operate. Additionally, the Department should focus on configuring recently deployed continuous diagnostic monitoring tools to automate the integration of cyber risks into newly developed enterprise risk management programs. These steps will strengthen the information security program and further enhance its mission.

What We Recommend and HHS Comments

We made a series of recommendations to enhance information security controls to the Department and specific controls for the operating divisions. The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them.