Skip Navigation
United States Flag

An official website of the United States government. Here's how you know >

A New Look for HHS-OIG. Learn More >>

U.S. Flag An official website of the United States government.
Change Font Size

Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2017

Overall, the Department has made improvements and continues to implement changes to strengthen its enterprise-wide information security program including adhering to security training procedures and updating policies and procedures. Further, the Department continues to work towards implementing a Department-wide Continuous Diagnostics and Mitigation program, coordinating with the Department of Homeland Security.

While the Department continue to improve its information security program, opportunities to strengthen the overall information security program were identified, which should allow the Department to achieve a higher level of maturity for its information security program. We continued to identify weaknesses in the following areas: risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning.

The Department should further strengthen its information security program. We made a series of recommendations to enhance information security controls to the Department and specific controls for the operating divisions. The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them.

Copies can also be obtained by contacting the Office of Public Affairs at

Download the complete report or the Report in Brief.

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201