
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020

Report number: A-18-20-11200

Why We Did This Audit

The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency's information security programs and practices to determine the effectiveness of those programs and practices. HHS OIG engaged Ernst & Young LLP (EY) to conduct this audit.

EY conducted a performance audit of HHS' compliance with FISMA as of September 30, 2020, based upon the FISMA reporting metrics defined by the Inspectors General.

Our objective was to determine whether HHS' overall information technology security program and practices were effective as they relate to Federal information security requirements.

How We Did This Audit

EY reviewed applicable Federal laws, regulations and guidance; gained an understanding of the current security program at HHS and 5 out of the 12 operating divisions (OpDivs); assessed the status of HHS' security program against HHS and selected OpDivs' information security program policies, other standards and guidance issued by HHS management, and prescribed performance measures; inquired of personnel to gain an understanding of the FISMA reporting metric areas; and inspected selected artifacts.

What We Found

Overall, through the evaluation of FISMA metrics, it was determined that HHS' information security program was 'Not Effective'. This determination was based on (1) HHS not meeting a 'Managed and Measurable' maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, (2) the deficiencies within the Identify, Protect, and Respond function areas, and (3) a maturity level below 'Consistently Implemented' for some FISMA metric questions, both at HHS overall and at selected operating divisions (OpDivs). However, HHS continues to implement changes to strengthen the maturity of its enterprise-wide cybersecurity program. Progress continues to be made to sustain cybersecurity maturity across all FISMA domains. Also notable was the increased maturation of data protection and privacy and of information system continuous monitoring. Weaknesses persist in Contingency Planning, which was the only domain assessed at a maturity level of "Defined" in FY 19 and again in FY 20. We identified opportunities where HHS can strengthen its overall information security program.

What We Recommend and HHS Comments

We recommend that HHS further strengthen its cybersecurity program and enhance information security controls at HHS. Recommendations specific to a reviewed HHS OpDiv were provided to them separately.

HHS should commit to implementing the results of the pilot HHS-wide risk assessment into a formal Cybersecurity Maturity Migration Strategy that allows HHS to continue to advance its cybersecurity program from its current maturity state to Managed and Measurable, or to the maturity level that HHS deems effective for its environment. HHS' program should address the gap between the current maturity level and the HHS-defined effective maturity level for each cybersecurity framework function area. Roles and shared responsibilities should be articulated and implemented to meet the requirements for effective maturity, including whether requirements are to be implemented using centralized, federated, or hybrid controls.

In written comments to our draft report, HHS concurred with 11 recommendations and did not concur with two recommendations. HHS also provided technical comments, which we addressed as appropriate. We maintain that our findings and recommendations are accurate and valid.

21-A-18-076.01 to OS - Closed Implemented
Closed on 06/21/2022
We recommend that HHS: Communicate to all stakeholders the roles and shared responsibilities that must be implemented to meet the requirements for an "effective" level of security in the context of the maturity model, including whether such requirements are to be implemented through centralized, federated, or hybrid controls. This should also include the responsibilities of the OCIO, the OpDivs, and third-party stakeholders (including contractors).

21-A-18-076.02 to OS - Closed Implemented
Closed on 06/21/2022
Continue implementation of an automated CDM solution that provides a centralized, enterprise-wide view of risks across the organization.

21-A-18-076.03 to OS - Closed Implemented
Closed on 06/21/2022
Develop oversight process and procedures to ensure comprehensive policies and procedures for managing the configurations of information systems are developed and tailored to the OpDivs environment.

21-A-18-076.04 to OS - Closed Implemented
Closed on 06/21/2022
Formalize policies, procedures, and processes for ensuring that all personnel are assigned risk designations and appropriately screened prior to being granted access to OpDiv systems.

21-A-18-076.05 to OS - Closed Implemented
Closed on 06/21/2022
Update the ISCM strategy to include a roadmap for complete deployment across all HHS OpDivs, and key performance indicators and benchmarks to facilitate the implementation of CDM toolsets across all OpDivs.

21-A-18-076.06 to OS - Closed Implemented
Closed on 06/21/2022
Increase focus on monitoring the status of ATO expirations across all OpDivs and ensuring that ATOs are reauthorized prior to their expiration dates.

21-A-18-076.07 to OS - Closed Implemented
Closed on 06/21/2022
Conduct an assessment of privileged IT staff to identify users with significant cybersecurity responsibilities and ensure they complete specialized role-based training.

21-A-18-076.08 to OS - Closed Implemented
Closed on 06/21/2022
Develop a process to ensure information system contingency plans are developed, maintained, and integrated with other continuity requirements by information systems.

21-A-18-076.09 to OS - Closed Implemented
Closed on 06/21/2022
We recommend that the HHS OCIO work with the OpDivs to develop a formal risk management strategy to establish, communicate, and implement its risk management controls, including for supply chain risk management. Additionally, within the Risk Management Strategy, the OpDiv should document procedures to ensure that all system owners have implemented processes and methodologies for categorizing risk, developing a risk profile, assessing risk, risk acceptance/tolerance levels, responding to risk, and monitoring risk.

21-A-18-076.10 to OS - Closed Implemented
Closed on 06/21/2022
Update their configuration change control policy to (1) more accurately define the types of changes that require a SIA to be performed, and (2) for all unplanned and major changes as defined, perform the SIA and retain the resulting documentation in accordance with the OpDiv document retention requirements.

21-A-18-076.11 to OS - Closed Implemented
Closed on 06/21/2022
We recommend that the HHS OCIO work with the OpDivs to establish oversight procedures for contractor owned systems to ensure change control activities and record retention procedures are being implemented appropriately across all systems.

21-A-18-076.12 to OS - Closed Implemented
Closed on 06/21/2022
Ensure that appropriate segregation of duties requirements is enforced for change control activities across all systems.

21-A-18-076.13 to OS - Closed Implemented
Closed on 11/23/2022
We recommend that the HHS OCIO work with the OpDivs to ensure that the periodic review and adjustment of privileged user accounts and permissions required by OpDiv policy is implemented consistently across all systems within the established time period. Additionally, the OpDiv should ensure that privileged user account activities are logged and periodically reviewed.

21-A-18-076.14 to OS - Closed Implemented
Closed on 06/21/2022
Perform appropriate system user onboarding procedures and ensure that appropriate records retention policies and procedures are in place and operating effectively. Although contractor management is responsible for performing the control, OpDiv management should have an oversight procedure in place to ensure that all contract requirements are being performed.

21-A-18-076.15 to OS - Closed Implemented
Closed on 06/21/2022
Implement oversight of contractor system procedures to ensure that periodic user access reviews are performed and that privileged user account activities are logged and periodically reviewed. In addition, management should implement a review process for the monitoring activities performed by the Computer Security Incident Response Center (CSIRC) and DCIO Ops over government-owned systems within the OpDiv portfolio.

21-A-18-076.16 to OS - Closed Implemented
Closed on 11/23/2022
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete an update of the Security Training Policy to incorporate current federal standards including an assessment of the skills, knowledge, and abilities of its workforce to provide tailored awareness and specialized security training within the function areas of Identify, Protect, Detect, Respond, and Recover.

21-A-18-076.17 to OS - Closed Unimplemented
Closed on 06/21/2022
We recommend that the HHS OCIO work with its OpDivs to improve the incident evaluation process for determining whether an incident is major in accordance with the full OMB definition contained in the OMB FISMA guidance. This process should include a documented adjudication process that assesses the perceived or actual impact that knowledge of the incident would have on the American people's public confidence in US Government systems, their civil liberties, or their public health and safety, as noted in the OMB guidance.
