OBJECTIVE
HHS OIG will perform a series of IT audits at the HHS Office of the Secretary and its Operating Divisions (OPDIVs) in an effort to identify cybersecurity vulnerabilities and possible compromise of the HHS Office of the Secretary and its OPDIVs' systems and networks.
TIMELINE
-
February 1, 2022Announced
-
December 13, 2024Complete
Summary Report for Office of Inspector General Cyber Threat Hunt Audits of Eight HHS Operating Division Networks has been marked as complete. This audit resulted in 3 recommendations.
REPORT PUBLISHED
25-A-18-023.01 to OS - Open Unimplemented
Update expected on
03/30/2026
We recommend that the Department of Health and Human Services Office of the Chief Information Officer enforce existing information security continuous monitoring (ISCM) requirements for detecting, preventing, and reporting the installation of unauthorized software across OpDivs referenced in HHS Policy for Information Security and Privacy Protection (IS2P) and enforce the new ISCM policy once approved.
25-A-18-023.02 to OS - Closed Unimplemented
Closed on
09/30/2025
We recommend that the Department of Health and Human Services Office of the Chief Information Officer enforce HHS's continuous monitoring policy for detecting, preventing, and reporting unauthorized or suspicious network activity across OpDivs.
25-A-18-023.03 to OS - Open Unimplemented
Update expected on
03/30/2026
We recommend that the Department of Health and Human Services Office of the Chief Information Officer update the HHS IS2P to require OpDivs to implement NIST 800-53, Revision 5, CA-8 (2) Red Team Exercises at least every 2 years and RA-10 Threat Hunting yearly for high and moderate Federal Information Processing Standards Publication 199 impact systems.
View in Recommendation Tracker
-