Reporting of Security Incidents by HHS-Contracted Service Providers
In accordance with the Federal Information Security Management Act and OMB Circular A-130, Federal agencies are required to ensure external service providers that are processing, storing, or transmitting Federal information or operating information systems on behalf of the Federal Government meet the same security requirements as Federal agencies. These requirements include policies and procedures for detecting and reporting security incidents. We will conduct an audit to evaluate the effectiveness of controls at selected HHS divisions to ensure service providers are identifying and reporting cybersecurity incidents. The purpose of this audit is to determine whether HHS has effective controls that ensure service providers identify and report cybersecurity incidents in a timely manner.
|Announced or Revised||Agency||Title||Component||Report Number(s)||Expected Issue Date (FY)|
|Revised||Office of the Secretary||Reporting of Security Incidents by HHS-Contracted Service Providers||Office of Audit Services||W-00-22-42042||2024|