Report Materials
Why OIG Did This Audit
Effective April 29, 2019, the Department of Homeland Security's Binding Operational Directive 19-02 (BOD 19-02) requires Federal agencies to remediate known "critical" vulnerabilities within 15 days of discovery and "high" vulnerabilities within 30 days of discovery. We have identified through previous oversight work that the Department of Health and Human Services has not always complied with BOD 19-02.
The cybersecurity community has adopted use of the Common Vulnerabilities and Exposure (CVE) list, which provides public information about vulnerabilities and the ways that they can be exploited. Malicious actors can research the CVE list and tailor attacks to systems that may be vulnerable if a security patch or update has not been implemented.
Our objective was to determine whether CMS had controls in place to remediate known cybersecurity vulnerabilities in accordance with Federal regulations.
How OIG Did This Audit
We reviewed CMS's policies and procedures for flaw remediation, interviewed CMS officials, and reviewed system security plans to determine whether CMS's flaw remediation controls were adequate.
What OIG Found
CMS had controls in place to remediate known vulnerabilities in accordance with Federal regulations and standards; however, it did not consistently apply security updates to systems with known vulnerabilities and did not consistently upgrade or patch operating systems that had reached the End-of-Life period and were no longer supported by the vendor. This occurred because CMS did not have effective management oversight to ensure that CMS mitigated vulnerabilities in a timely manner. As a result, some CMS systems had open vulnerabilities that were vulnerable to exploitation by malicious actors beyond the acceptable limits defined in BOD 19-02.
What OIG Recommends
We recommend that CMS: (1) remediate the vulnerabilities identified on internet-facing systems and implement procedures to ensure compliance with BOD 19-02 requirements; (2) implement procedures to ensure that unsupported software that no longer receives security updates, repairs, bug fixes, and threat mitigation is replaced prior to the known end of support or implement compensating controls (if possible) and accept risk in accordance with existing CMS policies and procedures; (3) implement oversight to ensure corrective actions are performed in accordance with Federal requirements and in the timeframe set forth in CMS policy; and (4) implement a process to centralize the monitoring and reporting of vulnerabilities identified in all CMS systems across all CMS data centers.
CMS concurred with all our recommendations and provided supporting documentation to remediate the technical vulnerabilities identified.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.