Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive this positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Use the Top Unimplemented View below to read OIG's Top Unimplemented Recommendations. In OIG's view, these top recommendations for HHS programs, if implemented, would have the greatest impact in terms of cost savings, program effectiveness and efficiency, and public health and safety.
Summary of All Recommendations
Updated Monthly · Last updated on November 14, 2025
- 1,188 Unimplemented recommendations
- 3,135 Implemented and Closed recommendations since FY 2017
Views
OIG Recommendations Grouped by Report
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2018
19-A-18-075.01
In order to move HHS toward an effective risk management domain, we recommend that the HHS OCIO continue to work with OPDIVs to enhance its enterprise risk management strategy and program to integrate governance functions for information security, strategic planning and strategic reviews, internal control activities, and applicable mission/business areas. These enhancements should include the integration of threat modeling for dynamic risk assessments and appropriate reporting tools to timely respond to new threats as they arise.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.02
In order to move HHS toward an effective risk management domain, we recommend that the HHS OCIO continue to develop an approach for the Department to ensure that CDM tools, Security Governance, Risk management, and Compliance (sGRC) tools, and associated processes are implemented at all OPDIVs for the integration of risk management programs at the enterprise, business process, and information system levels to ensure consistency with OMB, NIST, and Department guidelines and requirements.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.03
In order to move HHS toward an effective configuration management domain, we recommend that the HHS OCIO continue to work with OPDIVs to leverage qualitative and quantitative performance measures to determine the effectiveness of OPDIVs' configuration management plans. These measures should be based on results from automated toolsets to determine security misconfigurations, unsupported information system components, and effectiveness of flaw remediation processes. Define the timeframe for OPDIV communication of the performance measures to the OCIO.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.04
In order to move HHS toward an effective configuration management domain, we recommend that the HHS OCIO continue to implement the approach for the Department to fully implement CDM tools, sGRC tools, and process tools to consistently record, implement, and maintain configuration controls, baseline configurations of its information systems, and an inventory of related components.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.05
In order to move HHS toward an effective identity and access management domain, we recommend that the HHS OCIO continue to work with OPDIVs to determine the effectiveness of identity and access management processes. These measures should monitor OPDIVs' implementation of strong authentication techniques for all privileged and non-privileged users.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.06
In order to move HHS toward an effective identity and access management domain, we recommend that the HHS OCIO continue to assist OPDIV implementation of "to-be" Identity, Credential, and Access Management (ICAM) architecture and integration of their ICAM strategy and activities within its enterprise and Federal ICAM segment architecture.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.07
In order to move HHS toward an effective data protection and privacy domain, we recommend that the HHS OCIO continue to update relevant Department policies, procedures, and guidance.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.08
In order to move HHS toward an effective data protection and privacy domain, we recommend that the HHS OCIO continue to work with the OPDIVs to measure the effectiveness of privacy-specific controls and trainings through tracked breaches and maintain current privacy-related documentation.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.09
We recommend that HHS OCIO continue to work with the OPDIV to assign the necessary personnel to monitor compliance with the security awareness and training program.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.10
In order to move HHS toward an effective ISCM domain, we recommend that the HHS OCIO continue to provide department-wide guidance and DHS-supplied CDM tools to each OPDIV for the implementation of their ISCM programs. This should include periodic reporting requirements and metrics to monitor real-time threats identified by the Computer Security Incident Response Center (CSIRC) across the HHS enterprise.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.11
In order to move HHS toward an effective ISCM domain, we recommend that the HHS OCIO continue to enhance OPDIVs' security continuous monitoring efforts to maintain visibility into IT assets, be aware of all vulnerabilities, be informed about security threats, and verify that all software assets are scanned on the network on a regular basis, as required.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.12
In order to move HHS toward an effective ISCM domain, we recommend that the HHS OCIO continue to assist OPDIVs in maintaining and managing system ATOs and security control assessments per the HHS policy and guidelines.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.13
We recommend that the HHS OCIO work with the OPDIV to improve enforcement and communication of the incident response program organization-wide. Improvements should focus on measuring consistent profiling techniques and improving communication between the CSIRC, OPDIVs, and components.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No
19-A-18-075.14
In order to move HHS toward an effective contingency planning domain, we recommend that the HHS OCIO continue to assist OPDIVs in the implementation of a monitoring program that identifies metrics based on defined mission and business risk. The program should validate OPDIVs' implementation of contingency planning policies, procedures, and strategies in the following areas: conducting business impact analysis, conducting contingency plan testing, implementing information system backup and storage requirements, incorporating supply chain risks, and the selection of alternative processing sites.
- Status: Closed Unimplemented
- Responsible Agency: OCR
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/01/2020
- Legislative Related: No