
Summary Report of Prior Office of Inspector General Cyber Threat Hunt Audits of Eight HHS Operating Division Networks

Report number: A-18-22-07002

Why OIG Did This Audit

  • Government information systems, especially those managed by the Department of Health and Human Services (HHS), are under constant threat from cyberattacks.
  • Between 2018 and 2020, OIG assessed the computer networks of eight HHS operating divisions (OpDivs) for active threats, evidence of undetected cyber breaches, effective cybersecurity defenses, and the ability to detect breaches and respond appropriately.

What OIG Found

Overall, the eight OpDivs lacked adequate protections to mitigate certain cyberattacks.

  • We identified 19 threats that had been active on OpDivs’ servers and workstations during our audits. We immediately communicated the discoveries to the OpDivs as part of our audit process.
  • We identified a total of 138 vulnerabilities related to 19 National Institute of Standards and Technology Special Publication 800-53, Revision 4, controls that were not effectively implemented.
  • We did not identify any past cyber breaches of the OpDivs’ servers and workstations.

What OIG Recommends

We made three recommendations to the HHS Office of the Chief Information Officer (OCIO), including that it revise and enforce HHS policy to effectively mitigate the risk of compromise.

The OCIO concurred with two of our recommendations and detailed steps it has taken and plans to take to address them. The OCIO did not concur with one recommendation.

25-A-18-023.01 to OS - Open Unimplemented
Update expected on 06/12/2025
We recommend that the Department of Health and Human Services Office of the Chief Information Officer enforce existing information security continuous monitoring (ISCM) requirements for detecting, preventing, and reporting the installation of unauthorized software across OpDivs referenced in HHS Policy for Information Security and Privacy Protection (IS2P) and enforce the new ISCM policy once approved.

25-A-18-023.02 to OS - Open Unimplemented
Update expected on 06/12/2025
We recommend that the Department of Health and Human Services Office of the Chief Information Officer enforce HHS's continuous monitoring policy for detecting, preventing, and reporting unauthorized or suspicious network activity across OpDivs.

25-A-18-023.03 to OS - Open Unimplemented
Update expected on 06/12/2025
We recommend that the Department of Health and Human Services Office of the Chief Information Officer update the HHS IS2P to require OpDivs to implement NIST 800-53, Revision 5, CA-8 (2) Red Team Exercises at least every 2 years and RA-10 Threat Hunting yearly for high and moderate Federal Information Processing Standards Publication 199 impact systems.

