Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Reporting of Security Incidents by HHS-Contracted Service Providers

In accordance with the Federal Information Security Management Act and OMB Circular A-130, Federal agencies are required to ensure external service providers that are processing, storing, or transmitting Federal information or operating information systems on behalf of the Federal Government meet the same security requirements as Federal agencies. These requirements include policies and procedures for detecting and reporting security incidents. We will conduct an audit to evaluate the effectiveness of controls at selected HHS divisions to ensure service providers are identifying and reporting cybersecurity incidents. The purpose of this audit is to determine whether HHS has effective controls that ensure service providers identify and report cybersecurity incidents in a timely manner.

Announced or Revised Agency Title Component Report Number(s) Expected Issue Date (FY)
Revised Office of the Secretary Reporting of Security Incidents by HHS-Contracted Service Providers Office of Audit Services W-00-22-42042 2024