
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2017

Issued on  | Posted on  | Report number: A-18-17-11200

Overall, the Department has made improvements and continues to implement changes to strengthen its enterprise-wide information security program, including adhering to security training procedures and updating policies and procedures. Further, the Department continues to work toward implementing a Department-wide Continuous Diagnostics and Mitigation (CDM) program in coordination with the Department of Homeland Security (DHS).

While the Department continues to improve its information security program, we identified opportunities to strengthen it further, which should allow the Department to achieve a higher level of maturity. We continued to identify weaknesses in the following areas: risk management, configuration management, identity and access management, security training, information security continuous monitoring (ISCM), incident response, and contingency planning.

The Department should further strengthen its information security program. We made a series of recommendations to the Department to enhance enterprise information security controls, and recommendations on specific controls to the operating divisions (OPDIVs). The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them.

18-A-18-076.01 to OCR - Closed Unimplemented
Closed on 04/24/2019
Update relevant policies, procedures, and guidance and implement CDM tools at all OPDIVs to enhance an integrated risk management program at the enterprise, business process, and information system levels that is consistent with OMB, NIST, and Department guidelines and requirements.

18-A-18-076.02 to OCR - Closed Unimplemented
Closed on 04/24/2019
Implement CDM tools and RSA Archer at the Department level and at all OPDIVs to enhance its configuration management program in order to maintain and measure its configuration management activities at the enterprise, business process, and information system levels.

18-A-18-076.03 to OCR - Closed Unimplemented
Closed on 04/24/2019
Enhance the Department-wide ISCM program and continue to provide Department-wide guidance and SCAP tools to each OPDIV for the implementation of their ISCM programs. This would also increase the Department's awareness of OPDIVs' software scanning capabilities.

18-A-18-076.04 to OCR - Closed Unimplemented
Closed on 04/24/2019
Implement and configure DHS' CDM inventory management tools and mechanisms to centrally track and report information systems from all OPDIVs.

18-A-18-076.05 to OCR - Closed Implemented
Closed on 04/24/2019
Implement an adequate oversight protocol to monitor and ensure that all OPDIVs report incidents timely to the HHS CSIRC.
