Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2018

Issued on  | Posted on  | Report number: A-18-18-11200

Report Materials

What We Found

Overall, the Department continues to implement changes to strengthen its enterprise-wide information security program. We identified opportunities where the Department can strengthen their overall information security program. The Department continues to work toward implementing a Department-wide Continuous Diagnostics and Mitigation program with the Department of Homeland Security. This should help the Department achieve a higher level of maturity for its information security program in subsequent years. Additionally, we identified weaknesses in the following areas: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning.

The Department needs to ensure that all operating divisions consistently review and remediate or address the risk presented by vulnerabilities discovered, consistently implement account management procedures, and accurately track systems to ensure they are operating with a current and valid Authority to Operate. Additionally, the Department should focus on configuring recently deployed continuous diagnostic monitoring tools to automate the integration of cyber risks into newly developed enterprise risk management programs. These steps will strengthen the information security program and further enhance its mission.

What We Recommend and HHS Comments

We made a series of recommendations to enhance information security controls to the Department and specific controls for the operating divisions. The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them.

19-A-18-075.01 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective risk management domain, we recommend that the HHS OCIO continue to work with OPDIVs to enhance its enterprise risk management strategy and program to integrate governance functions for information security, strategic planning and strategic reviews, internal control activities, and applicable mission/business areas. These enhancements should include the integration of threat modeling for dynamic risk assessments and appropriate reporting tools to timely respond to new threats as they arise.

19-A-18-075.02 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective risk management domain, we recommend that the HHS OCIO continue to develop an approach for the Department to ensure that CDM tools, Security Governance, Risk management, and Compliance (sGRC) tools, and associated processes are implemented at all OPDIVs for the integration of risk management programs at the enterprise, business process, and information system levels to ensure consistency with OMB, NIST, and Department guidelines and requirements.

19-A-18-075.03 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective configuration management domain, we recommend that the HHS OCIO continue to work with OPDIVs to leverage qualitative and quantitative performance measures to determine the effectiveness of OPDIVs' configuration management plans. These measures should be based on results from automated toolsets to determine security misconfigurations, unsupported information system components, and effectiveness of flaw remediation processes. Define the timeframe for OPDIV communication of the performance measures to the OCIO.

19-A-18-075.04 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective configuration management domain, we recommend that the HHS OCIO continue to Implement the approach for the Department to fully implement CDM tools, sGRC tools, and process tools to consistently record, implement, and maintain configuration controls, baseline configurations of its information systems, and an inventory of related components.

19-A-18-075.05 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective identity and access management domain, we recommend that the HHS OCIO continue to work with OPDIVs to determine the effectiveness of identity and access management processes. These measures should monitor OPDIVs' implementation of strong authentication techniques for all privileged and non-privileged users.

19-A-18-075.06 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective identity and access management domain, we recommend that the HHS OCIO continue to Assist OPDIV implementation of "to-be" Identity, Credential, and Access Management (ICAM) architecture and integration of their ICAM strategy and activities within its enterprise and Federal ICAM segment architecture.

19-A-18-075.07 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective data protection and privacy domain, we recommend that the HHS OCIO continue to HHS OCIO update relevant Department policies, procedures, and guidance.

19-A-18-075.08 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective data protection and privacy domain, we recommend that the HHS OCIO continue to Work with the OPDIVs to measure the effectiveness of privacy specific controls and trainings through tracked breaches and maintain current privacy related documentation.

19-A-18-075.09 to OCR - Closed Unimplemented
Closed on 04/01/2020
We recommend that HHS OCIO continue to work with the OPDIV to assign the necessary personnel to monitor compliance with the security awareness and training program.

19-A-18-075.10 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective ISCM domain, we recommend that the HHS OCIO continue to provide department-wide guidance and DHS-supplied CDM tools to each OPDIV for the implementation of their ISCM programs. This should include periodic reporting requirements and metrics to monitor real time threats identified by the Computer Security Incident Response Center (CSIRC) across the HHS enterprise.

19-A-18-075.11 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective ISCM domain, we recommend that the HHS OCIO continue to enhance OPDIVs security continuous monitoring efforts to maintain visibility into IT assets, be aware of all vulnerabilities, be informed about security threats, and verify that all software assets are scanned on the network on a regular basis, as required.

19-A-18-075.12 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective ISCM domain, we recommend that the HHS OCIO continue to assist OPDIVS in maintaining and managing system ATOs and security control assessments per the HHS policy and guidelines.

19-A-18-075.13 to OCR - Closed Unimplemented
Closed on 04/01/2020
We recommend that the HHS OCIO work with the OPDIV to improve enforcement and communication of the incident response program organization wide. Improvements should focus on measuring consistent profiling techniques and improve communication between the CSIRC, OPDIVs, and components.

19-A-18-075.14 to OCR - Closed Unimplemented
Closed on 04/01/2020
In order to move HHS toward an effective contingency planning domain, we recommend that the HHS OCIO continue to Assist OPDIVs in the implementation of a monitoring program that identifies metrics based on defined mission and business risk. The program should validate OPDIVs implementation of contingency planning policies, procedures, and strategies in the following areas: conducting business impact analysis, conducting contingency plan testing, implementing information system backup and storage requirements, incorporating supply chain risks and the selection of alternative processing sites.

View in Recommendation Tracker
Report Type
Audit
HHS Agencies
Office of the Secretary
Issue Areas
Departmental Operational Issues Information Technology and Cybersecurity
Target Groups
-
Financial Groups
Other Funding

Notice

This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.