
HHS Office of the Secretary Should Improve Preventative and Detective Controls to More Effectively Mitigate the Risk of Compromise

Report number: A-18-18-08600

Why OIG Did This Audit

This audit entailed conducting a compromise assessment of the HHS Office of the Secretary’s (OS) information systems to independently assess the effectiveness of OS’s cybersecurity defenses, as well as intrusion analysis and incident response capabilities.

Our objectives were to determine: (1) whether there was an active threat on the OS network, or whether there had been a past cyber breach; (2) whether OS's cybersecurity defenses were effective; and (3) OS's ability to detect breaches and respond appropriately.

How OIG Did This Audit

We performed the compromise assessment of OS's network, which included endpoints that OS manages for certain smaller HHS Operating Divisions (OpDivs) and Staff Divisions. We performed the assessment from November 2018 through January 2019. We contracted with Defense Point Security (DPS) to provide subject matter experts to conduct the compromise assessment on behalf of OIG. We closely oversaw the work performed by DPS, and the assessment was performed in accordance with generally accepted government auditing standards and agreed-upon Rules of Engagement between OIG, DPS, and OS.

What OIG Found

We identified seven previously undetected active threats on OS’s network. We promptly shared significant findings with OS during the course of the audit and provided detailed documentation about our preliminary findings in advance of issuing our draft report.

As for our second audit objective, based on the assessment results, OS needs to improve its cybersecurity defenses. We identified 11 findings in the OS network, which fall under 3 security control categories: unauthorized software, user account and password management, and configuration management.

Regarding our third objective, OS needs to improve its threat mitigation procedures by more fully investigating breaches and conducting comprehensive root cause analysis. OS should also enhance its detection capabilities and technologies to better identify and eradicate advanced unknown adversary attacks.

What OIG Recommends and HHS OS Comments

During the audit, OS provided sufficient evidence that 2 of the 11 findings we identified were remediated. Therefore, we recommend that OS remediate the nine remaining findings and improve its cybersecurity defenses as well as its detection capabilities as part of an enterprise strategy to better protect all OS systems and data.

In written comments to our draft report, OS concurred with 12 of 13 recommendations and described actions it has taken or plans to take to address our findings. OS did not concur with our recommendation to fully implement the Office of Management and Budget’s (OMB) Memorandum M‑17-25 stating that it was not applicable to OS or other OpDivs.

We believe our finding was valid. However, we changed the reference in the finding and modified the related recommendation to reflect the National Institute of Standards and Technology Special Publication 800-53, Revision 4 requirements.

20-A-18-100.02 to OS - Open Unimplemented
Update expected on 04/04/2024
Restrict users' ability (via permissions or application whitelisting) to install and run unauthorized software applications or commands on OS systems. Do not add users to the local administrator's group unless their job responsibilities require such elevated access.
