Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023

Issued on  | Posted on  | Report number: A-18-23-11200

Why We Did This Audit

The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency’s information security programs and practices to determine the effectiveness of those programs and practices. HHS OIG engaged Ernst & Young LLP (EY) to conduct this audit.

EY conducted a performance audit of HHS’ compliance with FISMA as of July 31, 2023, based upon the FISMA reporting metrics defined by the Inspectors General.

Our objective was to determine whether HHS’ overall information technology security program and practices were effective as they relate to Federal information security requirements.

How We Did This Audit

We reviewed applicable Federal laws, regulations, and guidance; gained an understanding of the current security program at the Department level and the security programs at four (4) of the 12 Operating Divisions (OpDivs) and one (1) Staff Division (StaffDiv); assessed the status of HHS’ security program against the Department and selected OpDivs’ information security program policies, other standards and guidance issued by HHS management, and prescribed performance measures; inquired of personnel to gain an understanding of the FISMA reporting metric areas; inspected selected artifacts; and conducted procedures on prior-year issues.

What We Found

Overall, through the evaluation of FISMA metrics, it was determined that HHS’ information security program was “Not Effective.” This determination was based on HHS’ inability to meet the “Managed and Measurable” maturity level for the Core and Supplemental Inspector General metrics in the function areas of Identify, Protect, Detect, Respond, and Recover. Overall, the HHS information security program rated ineffective for FY 2023, matching the evaluated program rating from FY 2022. HHS is a federated environment, and large disparities continue to exist between the maturity levels at individual OpDivs and StaffDivs. While better performing OpDivs are at or approaching the Managed and Measurable maturity level, certain OpDivs and the StaffDiv selected for the audit are either stagnant in their progress toward the Managed and Measurable maturity rating or are regressing and significantly below it. The Department continues to define and update policies that are distributed to OpDivs and StaffDivs to assist with their own policy definitions or to guide consistent implementation of a compliant cybersecurity strategy. However, the Department must go beyond defining and updating policies to achieve the Managed and Measurable level.

What We Recommend and HHS Comments

We made recommendations to the Office of the Chief Information Officer to improve its oversight and to enforce accountability to further strengthen HHS’s information security program and enhance information security controls at HHS. Recommendations specific to deficiencies found at the reviewed HHS OpDivs and StaffDiv were provided separately. HHS should commit to implementing recommendations identified within this report and incorporate enhancements into the overall formal cybersecurity maturity strategy that allows HHS to continue to advance its information security program from its current maturity state to Managed and Measurable. HHS should work to ensure that findings are communicated across the organization to increase awareness of identified gaps to help decrease disparity shown across OpDivs and StaffDivs.

In written comments to our report, HHS concurred with our Department and OpDiv recommendations and with enterprise-wide recommendation 3, but did not concur with enterprise-wide recommendations 1, 2, 4, 5, and 6. Two of the non-concur responses concerned recommendations HHS considered duplicative; those recommendations are similar but not identical, because they address weaknesses at the Department and OpDiv levels respectively. One non-concur response concerned the repeat of a similar recommendation made in the FY 2022 FISMA audit report; that recommendation was removed from this report, and the FY 2022 recommendation will remain open until addressed. The remaining two non-concur responses concerned the separation of responsibilities between the HHS OCIO and the OpDivs. We maintain that our recommendations are valid.

24-A-18-086.01 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that HHS refine its enterprise architecture system inventory and software/hardware asset inventories to ensure the inclusion of the information systems and components active on the HHS network. HHS should utilize these inventories to monitor assets continuously and to identify and remediate vulnerabilities in a timely manner, to better manage the risks to these assets.

24-A-18-086.02 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that HHS require OpDivs to implement a cybersecurity risk management strategy to assess and respond to identified risks within the agency, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated.

24-A-18-086.03 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that HHS confirm that all organization-wide and system-level risk assessments have been completed in an accurate and timely manner and include data points such as the threat vectors, likelihood, and tolerance level. This will help with the ability to address risks at the organization consistently and promptly.

24-A-18-086.04 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that HHS require OpDivs to implement an effective supply chain risk management (SCRM) program that meets the defined standards across HHS and confirm that implementation is consistent with the established standard. HHS should ensure that all OpDivs are appropriately assessing vendors and submitting data points to assist with tracking and monitoring components on the network.

24-A-18-086.05 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that HHS require OpDivs to assess and inventory privileged user accounts across the agency by an established due date and confirm completion. HHS should confirm that OpDivs' policies are defined to require privileged user account monitoring in both logging and activity reviews, preferably at an automated level.

24-A-18-086.06 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO monitor and confirm that the OpDivs conduct an annual review of the System Security & Privacy Plan and annually perform risk assessments for all operational systems, according to organizational policy.

24-A-18-086.07 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO monitor and confirm that the OpDivs appropriately track software license information and maintain an accessible, up-to-date inventory of all their software licenses.

24-A-18-086.08 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO monitor and confirm that the OpDivs perform the Security Assessment Report (SAR) and Authorization to Operate (ATO) in accordance with the organization's policy.

24-A-18-086.09 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO monitor and confirm that the OpDivs' use of automated solutions to provide a portfolio view of cybersecurity risk across the organization is consistently implemented in accordance with NIST standards.

24-A-18-086.10 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO confirm OpDivs define and implement an OpDiv level supply chain risk management strategy based on HHS departmental policy and NIST standards.

24-A-18-086.11 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that OpDivs' vulnerabilities are tracked and remediated in a timely manner and create POA&Ms for any vulnerabilities in accordance with the organization's policy.

24-A-18-086.12 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs' baseline configurations are documented and tracked for each system in the OpDiv.

24-A-18-086.13 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs' TIC 3.0 program use cases are reviewed for relevance, and that capabilities new to the latest revision of the TIC guidance are consistently implemented in accordance with the HHS Policy for the Implementation of TIC and OMB M-19-26.

24-A-18-086.14 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs acquire the resources to fully implement multi-factor authentication (MFA) or an alternative strong authentication method, and implement it for both privileged and non-privileged users on all operational systems.

24-A-18-086.15 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs provision, manage, and review privileged user accounts for operational systems.

24-A-18-086.16 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs are properly implementing remote session timeouts of 30 minutes (or less) for operating systems.

24-A-18-086.17 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs consistently implement access policies and procedures in accordance with the organization's Risk Management Safeguards policy across the organization.

24-A-18-086.18 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs' operational systems have an approved and up-to-date PIA in accordance with the HHS Policy of Privacy Impact Assessment.

24-A-18-086.19 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs implement data encryption methods and enhanced network defenses, in accordance with NIST standards, to protect data that their systems determine to be PII or sensitive.

24-A-18-086.20 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO require and confirm that all OpDivs have a process in place to evaluate their workforce gaps, and confirm that all OpDivs are implementing a compliant security training strategy as defined by overarching HHS policy.

24-A-18-086.21 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO ensure that all OpDivs are inheriting and consistently implementing policies and procedures defined by HHS department level policy.

24-A-18-086.22 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO continuously monitor to ensure that all OpDivs inherit and consistently implement policies or procedures to govern their incident response strategy.

24-A-18-086.23 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO continuously monitor to ensure that all OpDivs define a common threat vector taxonomy for classifying incidents, and their processes for detecting, analyzing, and prioritizing incidents, in accordance with NIST standards, the US-CERT Federal Incident Notification Guidelines, and OMB guidance across the organization.

24-A-18-086.24 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO work with the OpDivs to require and confirm that all OpDivs' operational systems have a complete and up-to-date BIA.

24-A-18-086.25 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO work with the OpDivs to require and confirm that all OpDivs' operational systems conduct Contingency Plan testing and exercises as required by their risk rating. Any testing and exercises conducted should be followed with after-action reports as necessary.

24-A-18-086.26 to OS - Open Unimplemented
Update expected on 12/25/2024
We recommend that the HHS OCIO work with the OpDivs to confirm that all OpDivs' policies and procedures covering Contingency Plan testing are in accordance with the requirements set by Departmental policy, NIST standards, and OMB guidance.
