
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022

Issued on  | Posted on  | Report number: A-18-22-11200

Why We Did This Audit

The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency's information security programs and practices to determine the effectiveness of those programs and practices. HHS OIG engaged Ernst & Young LLP (EY) to conduct this audit.

EY conducted a performance audit of HHS' compliance with FISMA as of September 30, 2022, based upon the FISMA reporting metrics defined by the Inspectors General.

Our objective was to determine whether HHS' overall information technology security program and practices were effective as they relate to Federal information security requirements.

How We Did This Audit

We reviewed applicable Federal laws, regulations, and guidance; gained an understanding of the current security program at the Department level and the security programs at 4 of the 12 operating divisions (OpDivs); assessed the status of HHS' security program against the Department and selected OpDivs' information security program policies, other standards and guidance issued by HHS management, and prescribed performance measures; inquired of personnel to gain an understanding of the FISMA reporting metric areas; inspected selected artifacts, and conducted procedures on prior year issues.

What We Found

Overall, through the evaluation of the FISMA metrics, it was determined that HHS' information security program was 'Not Effective'. This determination was based on HHS not meeting the 'Managed and Measurable' maturity level for the Core Inspector General metrics in the function areas of Identify, Protect, Detect, Respond, and Recover. Overall, HHS remains in a position similar to its previously evaluated maturity level. The Department is aware of opportunities to strengthen its overall information security program. HHS has continued to implement changes that support progress toward improved maturity of its enterprise-wide cybersecurity program across all FISMA domains. HHS continues to define and update policies that are distributed to the OpDivs to assist with their own policy definitions or to guide consistent implementation of a compliant cybersecurity strategy. We identified a number of areas in which changes would strengthen the Department's overall information security program.

What We Recommend and HHS Comments

We made recommendations to the Office of the Chief Information Officer that should further strengthen HHS' cybersecurity program and enhance information security controls at HHS. Recommendations specific to deficiencies found at the reviewed HHS OpDivs were provided separately.

HHS should commit to implementing the recommendations identified within this report and incorporate enhancements into its overall formal Cybersecurity Maturity Strategy so that HHS can continue to advance its cybersecurity program from its current maturity state to Managed and Measurable, or to the maturity level that HHS deems effective for its environment, in agreement with the OIG. HHS' information security program should address the gaps between the current maturity levels and the appropriate effective maturity level for each function area. HHS should ensure that policies and procedures are consistently implemented as defined across all OpDivs in order to meet the requirements for effective maturity. This oversight should extend to all requirements, whether they are implemented using centralized, federated, or hybrid controls.

In written comments to our draft report, HHS concurred with two of four enterprise-wide recommendations and all of our Department and OpDiv recommendations and described actions it has taken or plans to take to address them. HHS also provided technical comments, which we addressed as appropriate. We maintain that our findings and recommendations are accurate and valid.

23-A-18-069.01 to OS - Closed Unimplemented
Closed on 04/08/2024
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to work with the OpDivs to implement automated CDM solutions to increase awareness and improve mitigation efforts across all of HHS.

23-A-18-069.02 to OS - Closed Unimplemented
Closed on 11/27/2023
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to advance the SCRM program to implement defined standards across HHS.

23-A-18-069.03 to OS - Closed Unimplemented
Closed on 11/27/2023
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to work with the OpDivs to ensure privileged users' logical access contains strong authentication mechanisms; and to confirm that OpDivs are periodically performing sufficient monitoring over privileged user access.

23-A-18-069.04 to OS - Open Unimplemented
Update expected on 05/27/2024
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS confirm that the OpDivs contingency plan testing is being performed within the timeframe required by HHS policy.

23-A-18-069.05 to OS - Closed Implemented
Closed on 04/08/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the capability to deny access to mobile devices, such as smartphones and tablets, from connecting to the network if the device's software is outdated.

23-A-18-069.06 to OS - Closed Implemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to implement oversight sufficient to ensure that Information Security Continuous Monitoring (ISCM) policies and procedures are consistently implemented in accordance with NIST standards for all systems.

23-A-18-069.07 to OS - Open Unimplemented
Update expected on 05/27/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs remediate weaknesses identified during controls assessments and review/perform risk assessments within the timeframe established by HHS policy.

23-A-18-069.08 to OS - Open Unimplemented
Update expected on 05/27/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete their discovery of all information systems and maintain an up-to-date inventory of systems, software, and licenses.

23-A-18-069.09 to OS - Closed Implemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to ensure that SCAs are conducted within the appropriate timeframe as defined by policy for all systems.

23-A-18-069.10 to OS - Closed Unimplemented
Update expected on
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs' SCRM policies and procedures are consistently implemented across the organization and that their execution is ensured.

23-A-18-069.11 to OS - Open Unimplemented
Update expected on 05/27/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs finalize and implement draft policies and procedures to include the review of suppliers or contractors for risks to the organization's systems and system components.

23-A-18-069.12 to OS - Closed Unimplemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to ensure that OpDivs define and implement policy for data exfiltration, enhanced network defenses, e-mail authentication, and DNS infrastructure tampering mitigation. Further, ensure the OpDiv enforces implementation of data encryption in transit and at rest in accordance with HHS policy, NIST standards, and OMB guidance.

23-A-18-069.13 to OS - Closed Implemented
Closed on 09/06/2023
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the requirement to resolve high and critical vulnerabilities within 30 and 15 days respectively and create POA&Ms to monitor and resolve the weakness in a timely manner.

23-A-18-069.14 to OS - Open Unimplemented
Update expected on 05/27/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement their policies and procedures to perform periodic BIAs and contingency plan testing within the timeframe required by HHS policy.

23-A-18-069.15 to OS - Closed Implemented
Closed on 09/06/2023
We recommend that the HHS OCIO work with the OpDivs to ensure the timely completion of PIAs for all systems in order to identify privacy and compliance risks under Federal regulations or laws, track the implementation of privacy controls, and identify instances where the Agency collects or handles PII and/or PHI subject to the Privacy Act of 1974.

23-A-18-069.16 to OS - Open Unimplemented
Update expected on 05/27/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that secure configuration settings are being maintained as defined by existing policy.

23-A-18-069.17 to OS - Open Unimplemented
Update expected on 05/27/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that all operational systems have multifactor or an alternative strong authentication mechanism (PIV or an Identity Assurance Level (IAL)3/Authenticator Assurance Level (AAL) 3 credential) for both privileged and non-privileged users.

23-A-18-069.18 to OS - Closed Implemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to ensure that policies and procedures for identity and access management are being consistently implemented and proper safeguards (i.e., logging, monitoring, review of privileged user activity) are developed across the Department to ensure their execution.

23-A-18-069.19 to OS - Closed Unimplemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs enforce their established policies and procedures for periodically reviewing users' activities.

23-A-18-069.20 to OS - Closed Implemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to implement oversight procedures sufficient to ensure that all personnel complete role-based training in a timely manner.

23-A-18-069.21 to OS - Open Unimplemented
Update expected on 05/27/2024
We recommend that the HHS OCIO work with the OpDivs to ensure that operational systems have valid and current Authorization to Operate (ATO) and that security controls are assessed annually as per HHS policy.

23-A-18-069.22 to OS - Closed Unimplemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to implement oversight sufficient to ensure that all OpDivs review pre-defined privileged users' activities periodically and document the review and any follow-up activities for all systems.

23-A-18-069.23 to OS - Closed Implemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to consistently implement the requirements to assign risk designations, re-sign access agreements, and complete training for all systems, so that OpDivs can restrict user privileges based on risk designations.

23-A-18-069.24 to OS - Closed Implemented
Closed on 11/27/2023
We recommend that the HHS OCIO work with the OpDivs to ensure that data encryption methods to protect data determined to be PII or sensitive are implemented across the organization for all systems.
