Department of Health and Human Services Had Email Requirements for Political Appointees, but Office of the Secretary Lacked Effective Monitoring and Enforcement
Why OIG Did This Review
We conducted this audit in response to a congressional letter requesting a review of email usage by political appointees at the Department of Health and Human Services (HHS) to ensure that "…officials are following the spirit and letter of all federal laws and regulations, as well as departmental policies, related to email use."
Our objectives were to determine whether HHS and its Operating Divisions (OpDivs) have controls in place to (1) restrict and monitor, in accordance with Federal laws and regulations, the use of personal email accounts to conduct Government business; and (2) preserve all emails related to Government activities as related to political appointees.
How OIG Did This Review
We reviewed applicable Federal laws, regulations, and guidance; reviewed training records of political appointees from the Office of the Secretary (OS) and four HHS OpDivs; gained an understanding of the current email security at HHS, OS, and selected OpDivs; and assessed the status of HHS's email program against policies, standards, and guidance.
We performed our audit field work from October 2017 through June 2018.
What OIG Found
We found that HHS had some controls in place to restrict and monitor the use of personal email accounts to conduct Government business, in accordance with Federal laws and regulations, as well as policies and procedures to preserve all Government emails on official email systems. However, three of the five HHS agencies/offices we audited did not have automated controls in place to block employees from accessing personal email accounts while logged into HHS, OS, or OpDiv networks. In addition, we found that OS did not ensure that all political appointees received security awareness training due to improper listing and classification of the political appointees.
What OIG Recommends and HHS Comments
We recommend that:
- HHS implement a policy requiring all HHS agencies and offices to implement automated controls to block employees from accessing personal email accounts from HHS networks;
- OS implement a process to ensure that all OS political appointees, employees, and contractors complete the required security awareness trainings in a timely manner; and
- OS implement procedures to ensure that its staff are properly listed and classified as political appointees, employees, contractors, and supervisors.
In written comments on our draft report, HHS concurred with our recommendations and described actions it plans to take to address our findings.