
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021

Issued on  | Posted on  | Report number: A-18-21-11200

Why We Did This Audit

The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency's information security programs and practices to determine the effectiveness of those programs and practices. HHS OIG engaged Ernst & Young LLP (EY) to conduct this audit.

EY conducted a performance audit of HHS' compliance with FISMA as of September 30, 2021, based upon the FISMA reporting metrics defined by the Inspectors General.

Our objective was to determine whether HHS' overall information technology security program and practices were effective as they relate to Federal information security requirements.

How We Did This Audit

We reviewed applicable Federal laws, regulations, and guidance; gained an understanding of the current security program at the Department level and the security programs at 5 of the 12 operating divisions (OpDivs); assessed the status of HHS' security program against the Department and selected OpDivs' information security program policies, other standards and guidance issued by HHS management, and prescribed performance measures; inquired of personnel to gain an understanding of the FISMA reporting metric areas; and inspected selected artifacts.

What We Found

Overall, through the evaluation of FISMA metrics, it was determined that HHS' information security program was 'Not Effective'. This determination was made because HHS did not meet the 'Managed and Measurable' maturity level for the Identify, Protect, Detect, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics. However, HHS continues to implement changes to strengthen the maturity of its enterprise-wide cybersecurity program, and progress continues to be made to sustain cybersecurity maturity across all FISMA domains. HHS is aware of opportunities to strengthen the Department's overall information security program, which would help ensure that all OpDivs consistently implement the requirements across their security programs. We identified opportunities where HHS can strengthen its overall information security program.

What We Recommend and HHS Comments

We made recommendations to the Office of the Chief Information Officer that should further strengthen HHS's cybersecurity program and enhance information security controls at HHS. Recommendations specific to deficiencies found at the reviewed HHS OpDivs were provided separately.

HHS should also commit to implementing the results of the pilot HHS-wide risk assessment in a formal Cybersecurity Maturity Migration Strategy that allows HHS to continue to advance its cybersecurity program from its current maturity state to Managed and Measurable, or to the maturity level that HHS, in agreement with the OIG, deems effective for its environment. HHS' information security program should address the gaps between the current maturity level and the deemed effective maturity level for each function area. Roles and shared responsibilities should be articulated and implemented to meet the requirements for effective maturity, including whether requirements are to be implemented using centralized, federated, or hybrid controls.

After issuing our draft report and based on feedback and discussion with HHS prior to HHS providing written comments, we consolidated 3 of our enterprise-wide recommendations into 1 recommendation for an enterprise-wide risk assessment over known control weaknesses in this final report. In written comments to our draft report, HHS concurred with all of our recommendations and described actions it has taken or plans to take to address them. HHS also provided technical comments, which we addressed as appropriate.

22-A-18-053.01 to OS - Closed Implemented
Closed on 06/05/2023
Continue implementation of an automated CDM solution that provides a centralized, enterprise-wide view of risks across all of HHS.

22-A-18-053.02 to OS - Open Unimplemented
Update expected on 06/01/2023
Update the ISCM strategy to include a more specific roadmap, including target dates, for ISCM deployment across the HHS enterprise.

22-A-18-053.03 to OS - Closed Implemented
Closed on 06/05/2023
HHS should perform an enterprise risk assessment over known control weaknesses (e.g., Authority to Operate, incomplete OpDiv provided system inventories, lack of OpDiv adherence to HHS information security policies) due to their federated environment and document an appropriate risk response (e.g., accept, avoid, mitigate, share, or transfer).

22-A-18-053.04 to OS - Closed Implemented
Closed on 12/01/2022
HHS OCIO work with all OpDivs to develop a process to monitor information system contingency plans to ensure they are developed, maintained, and integrated with the other continuity requirements of the information systems.

22-A-18-053.05 to OS - Open Unimplemented
Update expected on 06/01/2023
HHS OCIO work with all OpDivs to ensure that all operational systems have SSPs and FIPS 199 categorizations completed for information systems in accordance with HHS policy.

22-A-18-053.06 to OS - Open Unimplemented
Update expected on 06/01/2023
HHS OCIO work with all OpDivs to ensure that all OpDivs are completing system security control assessments and POA&Ms at least quarterly, or more frequently as defined by the OpDiv.

22-A-18-053.07 to OS - Closed Implemented
Closed on 12/01/2022
HHS OCIO work with all OpDivs to ensure that baseline configuration requirements are implemented and maintained across all systems within its environment. Additionally, ensure that system owners implement procedures to document and retain evidence of current baseline configurations.

22-A-18-053.08 to OS - Closed Implemented
Closed on 12/13/2022
HHS OCIO work with all OpDivs to ensure that all systems implement processes to track system changes throughout the change management process, to include testing, validation, and documentation. Additionally, procedures should be implemented to retain evidence of all changes.

22-A-18-053.09 to OS - Open Unimplemented
Update expected on 06/01/2023
HHS OCIO work with all OpDivs to develop a management approved Configuration Management policy that addresses purpose, scope, roles, responsibilities, management commitment and coordination among organizational entities. This document should be tailored to the OpDivs' needs and be reviewed and updated according to HHS policy (at least every 3 years).

22-A-18-053.10 to OS - Open Unimplemented
Update expected on 06/01/2023
HHS OCIO work with the OpDivs to ensure that all OpDivs update and implement their personnel security policies to clearly articulate the personnel screening process, along with the access agreements that must be completed before system access is granted. In addition, OpDivs should update and implement their procedures for retrieving and archiving user access agreements for internal control purposes.

22-A-18-053.11 to OS - Open Unimplemented
Update expected on 06/01/2023
HHS OCIO work with the OpDivs to ensure that all OpDivs develop and implement an ICAM strategy and authenticator management policy to ensure all information systems undergo a digital identity risk assessment to determine which systems require strong authentication. Once a risk assessment is complete, OpDivs should ensure that authentication mechanisms are implemented for all information systems.

22-A-18-053.12 to OS - Closed Implemented
Closed on 08/10/2023
HHS OCIO work with the OpDivs to ensure that all OpDivs establish a process for the annual review of privileged users to ensure compliance with HHS policy. In addition, OpDivs should ensure that this process confirms that user access is still needed, that user rights adhere to the principle of least privilege, and that user actions are captured and monitored appropriately as dictated by HHS policy.

22-A-18-053.13 to OS - Closed Implemented
Closed on 12/01/2022
HHS OCIO work with the OpDivs to ensure that all OpDivs implement a process to ensure that privileged users' access is reviewed by all system owners at least once every 365 days, in compliance with the HHS Information System Security and Privacy Policy (IS2P). Evidence of privileged user access reviews should be retained and provided upon request.

22-A-18-053.14 to OS - Closed Implemented
Closed on 06/05/2023
HHS OCIO work with all OpDivs to ensure that all systems on the network have a valid ATO. OpDivs should ensure that security authorization policies and procedures are fully developed and disseminated to the appropriate personnel to ensure that all OpDiv personnel understand the requirements for completing the ATO process.

22-A-18-053.15 to OS - Open Unimplemented
Update expected on 06/01/2023
HHS OCIO work with all OpDivs to ensure that the ISCM strategy and procedures clearly define critical reporting metrics for reports used by internal and external stakeholders. Additionally, OpDivs should coordinate reporting efforts with the OCIO to ensure the definitions and reporting requirements are consistently implemented.

22-A-18-053.16 to OS - Closed Implemented
Closed on 12/01/2022
HHS OCIO work with all OpDivs to ensure that accurate system inventory listings are reported to HHS OCIO. OpDivs and HHS OCIO should also implement a process to ensure that ATO status in the HSDW system reporting tool is regularly updated and current.

22-A-18-053.17 to OS - Closed Implemented
Closed on 12/01/2022
HHS OCIO work with all OpDivs to ensure that a process exists for monitoring contingency plan testing so that CPTs are performed in accordance with established HHS policies. Additionally, OpDiv management should improve their HSDW reporting process by educating system owners on the required fields for reportable metrics and validating that those fields are provided to the OCIO when consolidating HHS-wide data.

22-A-18-053.18 to OS - Closed Implemented
Closed on 04/14/2023
HHS OCIO work with all OpDivs to ensure that OpDivs improve their processes for monitoring contingency plan testing for all systems, so that CPTs are performed annually in accordance with established policies.

22-A-18-053.19 to OS - Closed Implemented
Closed on 12/01/2022
HHS OCIO work with all OpDivs to ensure that OpDiv management ensures that all systems implement information system backup and storage as documented in HHS policies and procedures. Additionally, management should require that evidence is retained to document backup and storage procedures.
