Department of Health and Human Services Had Email Requirements for Political Appointees, but Office of the Secretary Lacked Effective Monitoring and Enforcement

Why OIG Did This Review

We conducted this audit in response to a congressional letter requesting a review of email usage by political appointees at the Department of Health and Human Services (HHS) to ensure that "…officials are following the spirit and letter of all federal laws and regulations, as well as departmental policies, related to email use."

Our objectives were to determine whether HHS and its Operating Divisions (OpDivs) have controls in place to (1) restrict and monitor, in accordance with Federal laws and regulations, the use of personal email accounts to conduct Government business; and (2) preserve all emails related to Government activities as related to political appointees.

How OIG Did This Review

We reviewed applicable Federal laws, regulations, and guidance; reviewed training records of political appointees from the Office of the Secretary (OS) and four HHS OpDivs; gained an understanding of the current email security at HHS, OS, and selected OpDivs; and assessed the status of HHS's email program against policies, standards, and guidance.

We performed our audit field work from October 2017 through June 2018.

What OIG Found

We found that HHS had some controls in place to restrict and monitor the use of personal email accounts to conduct Government business, in accordance with Federal laws and regulations, as well as policies and procedures to preserve all Government emails on official email systems. However, three of the five HHS agencies/offices we audited did not have automated controls in place to block employees from accessing personal email accounts while logged into HHS, OS, or OpDiv networks. In addition, we found that OS did not ensure that all political appointees received security awareness training due to improper listing and classification of the political appointees.

What OIG Recommends and HHS Comments

We recommend that:

In written comments on our draft report, HHS concurred with our recommendations and described actions it plans to take to address our findings.

Filed under: General Departmental