Review of the Department of Health and Human Services’ Compliance With the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025

Why OIG Did This Audit

• The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency’s information security programs and practices to determine the effectiveness of those programs and practices. OIG engaged Ernst & Young LLP (EY) to conduct this audit.
• EY conducted a performance audit of HHS’s compliance with FISMA as of July 31, 2025, based upon the 2025 FISMA reporting metrics.
• The audit examined whether HHS’s overall information security program and practices were effective as they relate to Federal information security requirements and included systems from five HHS divisions.

What OIG Found

For FY 2025, EY rated HHS’s information security program “Not Effective” for the sixth consecutive year. To be considered “Effective,” an agency must achieve at least a “Managed and Measurable” maturity level.

In FY 2025, HHS did not achieve a “Managed and Measurable” rating for either the Core or Supplemental Inspector General metrics in any of the six cybersecurity function areas: Govern, Identify, Protect, Detect, Respond, and Recover. Specifically, the overall maturity level for Core metrics was assessed as “Consistently Implemented,” while the Supplemental metrics were rated “Ad Hoc.” Together, these ratings fall below the “Managed and Measurable” level, resulting in an overall determination of “Not Effective.”

What OIG Recommends

Based on the audit, EY made ten recommendations to HHS to strengthen its information security program through improved oversight of the Operating and Staff Divisions’ (Divisions) implementation of Federal information security requirements for an effective FISMA program.

HHS concurred with seven recommendations and detailed steps it has taken and plans to take in response to the recommendations. HHS did not concur with three recommendations.