Deficiencies With Incorporating Required Cybersecurity Language in HHS Contracts and Timeliness of Contractor Incident Reporting

Issued on | Posted on | Report number: A-18-22-06100

Why OIG Did This Audit

  • HHS’s information and communications technology (ICT) service contractors must report any suspected or confirmed incidents or breaches to HHS.
  • A prior Office of Inspector General audit found that some contractors may not be reporting all security incidents to HHS.
  • This audit determined whether (1) the contracts that 3 HHS agencies had with 14 selected ICT service contractors included required language about reporting cybersecurity incidents to HHS and (2) the contractors followed HHS requirements to timely report cybersecurity incidents.

What OIG Found

  • Four of the 14 HHS ICT service contractors that we reviewed reported a total of 10 cybersecurity incidents to HHS; however, 2 of those contractors each failed to report an incident to HHS within the 1-hour timeframe stipulated by their contracts.
  • Eight of the 14 HHS ICT service contracts that we reviewed—which were awarded by two HHS agencies—did not include required security language regarding the reporting of all suspected or confirmed cybersecurity incidents and breaches. The remaining six contracts—including four awarded by the third HHS agency—included the required security language.

What OIG Recommends

We made two recommendations to the HHS Office of the Chief Information Officer (OCIO), including that it implement a step in the procurement process to confirm that ICT service contracts contain all required security language before they are awarded.

HHS OCIO concurred with both of our recommendations.

25-A-18-122.01 to OS - Open Unimplemented
Update expected on 03/21/2026
We recommend that the Department of Health and Human Services Office of the Chief Information Officer require OpDivs to modify any ICT service contracts that lack required security language, including the required language as stated in the HHS Policy for Information Technology Procurements – Security and Privacy Language.

25-A-18-122.02 to OS - Open Unimplemented
Update expected on 03/21/2026
We recommend that the Department of Health and Human Services Office of the Chief Information Officer implement a verification step in the procurement process to confirm that all ICT service contracts include the required security language pertaining to incident reporting before awarding the contracts.
