Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive this positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Use the “Top Unimplemented” View below to read OIG’s Top Unimplemented Recommendations—a subset that we think, if implemented, would have the most impact. Notable differences from our previous Top Unimplemented Recommendations report include:
- The list consists of individual recommendations from OIG reports, not rolled up by topic.
- No arbitrary cap is imposed on the number of recommendations included.
- Status is updated as recommendations are implemented.
Summary of All Recommendations
Updated Monthly · Last updated on November 15, 2024
- 1,306 Unimplemented recommendations
- 2,698 Implemented and Closed recommendations since FY 2017
Views
OIG Recommendations Grouped by Report
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021
22-A-18-053.01: Continue implementation of an automated CDM solution that provides a centralized, enterprise-wide view of risks across all of HHS.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/05/2023
- Legislative Related: No
22-A-18-053.02: Update the ISCM strategy to include a more specific roadmap, including target dates, for ISCM deployment across the HHS enterprise.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 12/01/2022
- Next Update Expected: 06/01/2023
- Legislative Related: No
22-A-18-053.03: HHS should perform an enterprise risk assessment over known control weaknesses (e.g., Authority to Operate, incomplete OpDiv-provided system inventories, lack of OpDiv adherence to HHS information security policies) due to their federated environment and document an appropriate risk response (e.g., accept, avoid, mitigate, share, or transfer).
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/05/2023
- Legislative Related: No
22-A-18-053.04: HHS OCIO work with all OpDivs to develop a process to monitor information system contingency plans to ensure they are developed, maintained, and integrated with other continuity requirements by information systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 12/01/2022
- Legislative Related: No
22-A-18-053.05: HHS OCIO work with all OpDivs to ensure that all operational systems have SSPs and FIPS 199 categorizations completed for information systems in accordance with HHS policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 12/01/2022
- Next Update Expected: 06/01/2023
- Legislative Related: No
22-A-18-053.06: HHS OCIO work with all OpDivs to ensure that all OpDivs are completing security controls system assessments and POA&Ms at least quarterly, or more frequently as defined by the OpDiv.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 12/01/2022
- Next Update Expected: 06/01/2023
- Legislative Related: No
22-A-18-053.07: HHS OCIO work with all OpDivs to ensure that baseline configuration requirements are implemented and maintained across all systems within its environment. Additionally, ensure that system owners implement procedures to document and retain evidence of current baseline configurations.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 12/01/2022
- Legislative Related: No
22-A-18-053.08: HHS OCIO work with all OpDivs to ensure that all systems implement processes to track system changes throughout the change management process, to include testing, validation, and documentation. Additionally, procedures should be implemented to retain evidence of all changes.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 12/13/2022
- Legislative Related: No
22-A-18-053.09: HHS OCIO work with all OpDivs to develop a management-approved Configuration Management policy that addresses purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities. This document should be tailored to the OpDivs' needs and be reviewed and updated according to HHS policy (at least every 3 years).
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 12/01/2022
- Next Update Expected: 06/01/2023
- Legislative Related: No
22-A-18-053.10: HHS OCIO work with the OpDivs to ensure that all OpDivs update and implement their personnel security policies to clearly articulate the personnel screening process along with the required access agreements that need to be completed prior to being granted system access. In addition, OpDivs should update and implement their procedures for retrieving and archiving user access agreements for internal control purposes.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 12/01/2022
- Next Update Expected: 06/01/2023
- Legislative Related: No
22-A-18-053.11: HHS OCIO work with the OpDivs to ensure that all OpDivs develop and implement an ICAM strategy and authenticator management policy to ensure all information systems undergo a digital identity risk assessment to determine which systems require strong authentication. Once a risk assessment is complete, OpDivs should ensure that authentication mechanisms are implemented for all information systems.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 12/01/2022
- Next Update Expected: 06/01/2023
- Legislative Related: No
22-A-18-053.12: HHS OCIO work with the OpDivs to ensure that all OpDivs establish a process for the review of privileged users on an annual basis to ensure compliance with HHS policy. In addition, OpDivs should ensure that this process is designed to verify that user access is still needed, that user rights adhere to the principle of least privilege, and that user actions are captured and monitored appropriately as dictated by HHS policy.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 08/10/2023
- Legislative Related: No
22-A-18-053.13: HHS OCIO work with the OpDivs to ensure that all OpDivs implement a process to ensure that privileged users' access is reviewed at least once every 365 days by all system owners in compliance with the HHS Information System Security and Privacy Policy (IS2P). Evidence of privileged user access reviews should be retained and provided upon request.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 12/01/2022
- Legislative Related: No
22-A-18-053.14: HHS OCIO work with all OpDivs to ensure that all systems on the network have a valid ATO. OpDivs should ensure that security authorization policies and procedures are fully developed and disseminated to the appropriate personnel to ensure that all OpDiv personnel understand the requirements for completing the ATO process.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/05/2023
- Legislative Related: No
22-A-18-053.15: HHS OCIO work with all OpDivs to ensure that the ISCM strategy and procedures clearly define critical reporting metrics for reports utilized by internal and external stakeholders. Additionally, OpDivs should coordinate reporting efforts with the OCIO to ensure the definitions and reporting requirements are consistently implemented.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 12/01/2022
- Next Update Expected: 06/01/2023
- Legislative Related: No
22-A-18-053.16: HHS OCIO work with all OpDivs to ensure that accurate system inventory listings are reported to HHS OCIO. OpDivs and HHS OCIO should also implement a process to ensure that ATO status in the HSDW system reporting tool is regularly updated and current.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 12/01/2022
- Legislative Related: No
22-A-18-053.17: HHS OCIO work with all OpDivs to ensure that a process exists for monitoring contingency plan testing so that CPTs are performed in accordance with the established HHS policies. Additionally, OpDiv management should improve their HSDW reporting process by educating system owners on required fields for reportable metrics and validating that those fields are provided to the OCIO when consolidating HHS-wide data.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 12/01/2022
- Legislative Related: No
22-A-18-053.18: HHS OCIO work with all OpDivs to ensure that OpDivs improve their processes for monitoring contingency plan testing for all systems so that CPTs are performed annually in accordance with the established policies.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/14/2023
- Legislative Related: No
22-A-18-053.19: HHS OCIO work with all OpDivs to ensure that OpDiv management ensures that all systems are implementing information system backup and storage as documented in HHS policies and procedures. Additionally, management should require that evidence is retained to document backup and storage procedures.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 12/01/2022
- Legislative Related: No