The Department Of Health And Human Services Security Management Practices For Computer Systems With Access To Personally Identifiable Information

The Cybersecurity Act of 2015 (Cybersecurity Act) requires the Inspector General of each covered agency to collect and report to Congress information about the covered agency's covered systems within 240 days of the enactment of the Cybersecurity Act. A covered agency is an agency that operates a covered system, which is a Federal computer system that provides access to classified information or personally identifiable information. Reportable areas include logical access controls, multifactor authentication, and information security management practices regarding the covered systems.

The Department of Health and Human Services (HHS) and its operating divisions (OPDIVs) have developed logical access policies and practices based on the National Institute of Standards and Technology standards. HHS and its OPDIVs use logical access controls to access all covered systems. HHS and its OPDIVs reported to us that multifactor authentication is required by privileged users to access nearly all of its covered systems, which includes the use of a personal identity verification card at the network/system level. Seven of HHS's 588 (about 1 percent) covered systems do not require privileged users to provide additional authentication to access those covered systems. The majority of OPDIVs have developed policies and procedures to conduct inventories of software and licenses associated with covered systems. HHS and its OPDIVs use a variety of tools to monitor and detect exfiltration and other threats. All entities, including contractors that provide services to HHS, are required to follow HHS information security management practices for all covered systems.