Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019

Issued on  | Posted on  | Report number: A-18-19-11200

Report Materials

Why We Did This Audit

The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency's information security programs and practices to determine the effectiveness of those programs and practices. HHS OIG engaged Ernst & Young LLP (EY) to conduct this audit.

EY conducted a performance audit of HHS' compliance with FISMA as of September 30, 2019 based upon the FISMA reporting metrics defined by the Inspectors General.

Our objective was to determine whether HHS' overall information technology security program and practices were effective as they relate to Federal information security requirements.

How We Did This Audit

EY reviewed applicable Federal laws, regulations and guidance; gained an understanding of the current security program at HHS and selected 4 out of the 12 operating divisions (OPDIVs); assessed the status of HHS' security program against HHS and selected OPDIVs' information security program policies, other standards and guidance issued by HHS management, and prescribed performance measures; inquired of personnel to gain an understanding of the FISMA reporting metric areas; and inspected selected artifacts.

What We Found

Overall, HHS continues to implement changes to strengthen the maturity of its enterprise-wide cybersecurity program. Progress has been made to mature cybersecurity in the Configuration Management and Information Security Continuous Monitoring FISMA domains. Both domains were assessed at Consistently Implemented maturity in FY 2019, an improvement from Defined in FY 2018. Also notable was increased maturation of Incident Response. EY identified opportunities where HHS can strengthen its overall information security program. Weaknesses continue to persist in Contingency Planning, which was the only domain assessed as Defined. Additionally, EY identified weaknesses in each of the IG FISMA domains: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response and contingency planning.

What We Recommend and HHS Comments

EY recommends that HHS further strengthen its cybersecurity program and enhance information security controls at HHS. Specific recommendations were also provided to the HHS OPDIVs reviewed.

HHS should commit to creating and implementing a Cybersecurity Maturity Migration Strategy to advance the cybersecurity program from its current maturity state to Managed and Measurable across HHS. A progression road map and plan should be developed that includes specific, measurable, attainable, relevant and time-bound (SMART) milestones.

HHS's program should address current gaps between the current maturity levels to the level of Managed and Measurable. Roles and shared responsibilities should be articulated and implemented to meet the requirements for effective maturity, including whether requirements are to be implemented using centralized, federated, or hybrid controls.

HHS concurred with all of our recommendations.

20-A-18-084.01 to OCR - Closed Unimplemented
Closed on 07/20/2021
HHS should commit to creating and implementing a Cybersecurity Maturity Migration Strategy to advance the cybersecurity program from its current maturity state to an effective state across HHS. This strategy should include the following. Perform a risk assessment and identify the optimal maturity level that achieves cost-effective security based on your missions and risks faced, risk appetite, and risk tolerance level. Identify gaps between the current state at each OPDIV and the criteria required to reach the optimal level across HHS' enterprise-wide cybersecurity program and develop security controls to implement effective security. Ensure the requirements for all metrics is Consistently Implemented or higher are achieved. Articulate roles and shared responsibilities needed to meet the requirements for effective maturity, including whether requirements are to be implemented through centralized, federated, or hybrid controls.

20-A-18-084.02 to OCR - Closed Unimplemented
Closed on 07/20/2021
HHS should continue to provide department-wide guidance and DHS-supplied Continuous Diagnostics and Mitigation (CDM) tools to each OPDIV for the implementation of their ISCM programs.

20-A-18-084.03 to OCR - Closed Unimplemented
Closed on 07/20/2021
The Information Security and Privacy Policy (IS2P) is HHS' primary policy document governing cybersecurity which is pending a rewrite to address the upcoming requirements in NIST 800-53 revision 5. When this update occurs to the IS2P, HHS should specify required cybersecurity control maturity levels in addition to identifying the selection of NIST controls; describe HHS' Cybersecurity Shared Responsibility Model, including the key roles under centralized, federated and hybrid strategies for control implementation; include responsibilities of the OCIO, the OPDIVs, and third-party stakeholders (including contractors); and communicate that a Managed and Measurable or the optimal maturity level, based on HHS's risk assessment, be required to be deemed “Effective".

20-A-18-084.04 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to review the monthly reconciliation report, currently provided by the HHS OCIO, to ensure that discrepancies on the POA&M exception report are corrected to enable accurate OPDIV and Department-level reporting.

20-A-18-084.05 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that the OPDIVs cybersecurity management create and implement a patch management strategy to ensure that patches are installed timely as required by HHS and Federal requirements.

20-A-18-084.06 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to develop and document an enterprise-wide configuration management plan that allows for OPDIV-level and system-level configuration management plans to be created and implemented in alignment with the higher-level enterprise plans, to ensure that changes implemented at the system level are consistent with and made only after approval by the OPDIV, and that an HHS level plan defines the role of the OPDIVs for the creation, implementation and execution of OPDIV-specific configuration management plans.

20-A-18-084.07 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to identify roles of stakeholders to ensure proper identification of responsibilities in a shared responsibility environment.

20-A-18-084.08 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to communicate the enterprise-wide configuration management plan to all HHS system owners and stakeholders.

20-A-18-084.09 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to implement the enterprise-wide configuration management plan, working with system owners to align system configuration management plans with the enterprise plan.

20-A-18-084.10 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs conduct background checks on all personnel with information system access before they are granted access. The OPDIV should also conduct reinvestigations on these individuals in accordance with current personnel security policy.

20-A-18-084.11 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs create and implement a process to require privileged users to sign a privileged user rules of behavior agreement for all systems prior to provisioning privileged access to those systems.

20-A-18-084.12 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs establish a repository to retain signed copies of privileged user rules of behavior agreements for holders of privileged access for all systems.

20-A-18-084.13 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs ensure implementation of strong authentication mechanisms for privileged and non-privileged users to all OPDIV systems using multifactor PIV credentials, NIST 800-63 Identity Assurance Level 3/Authenticator Assurance Level 3/Federated Assurance Level 3 credential or other strong authentication for non-privileged and privileged users.

20-A-18-084.14 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO periodically sample systems to ensure that PIAs are created and maintained for all systems that require one.

20-A-18-084.15 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that all PIAs are reviewed, approved and signed by the appropriate HHS personnel at a minimum within three (3) years of the last PIA approval date.

20-A-18-084.16 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the ODPIVs ensure that OPDIVs' security management improve their processes to consistently and accurately track training to ensure that everyone has taken the training prior to granting them system access. Obtain and retain training certificates as evidence of completed training.

20-A-18-084.17 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the ODPIVs ensure that role-based training is obtained for all users with significant security responsibilities before granting access to the system and annually thereafter.

20-A-18-084.18 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the ODPIVs ensure that a process be designed and implemented that ensures the collection and maintenance of artifacts evidencing the successful completion of annual RBT for all users with significant security responsibilities.

20-A-18-084.19 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that ATOs are kept up to date without a lapse of authorization.

20-A-18-084.20 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that they obtain waiver or acceptances of risk approved by senior OPDIV management for those systems continuing to operate in the production environment without authorization.

20-A-18-084.21 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that SCAs are kept up to date as needed to support the ATO process.

20-A-18-084.22 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIV to define a threat profiling framework that structures and standardizes threat profiling at the OPDIV.

20-A-18-084.23 to OCR - Closed Implemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIV to implement threat profiling techniques within the defined framework that helps management understand where the OPDIV's high-value assets are located, who could be interested in taking control of them, and what attack vectors and under which scenarios they would likely be used to exploit vulnerabilities to succeed in their pursuits.

20-A-18-084.24 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO require each OPDIV to develop a POA&M to implement activities required to achieve an effective maturity level for contingency planning, pending HHS risk assessment.

20-A-18-084.25 to OCR - Closed Unimplemented
Closed on 07/20/2021
We recommend that the HHS OCIO work with the OPDIVs to monitor and validate each OPDIV's implementation progress, which should include periodically sampling HHS systems to ensure the effectiveness of contingency plans, including adequate testing based on system categorization.

View in Recommendation Tracker
Report Type
Audit
HHS Agencies
Office of the Secretary
Issue Areas
Departmental Operational Issues Information Technology and Cybersecurity
Target Groups
-
Financial Groups
Other Funding

Notice

This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.