Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive this positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Use the "Top Unimplemented" View below to read OIG's Top Unimplemented Recommendations, a subset that we think, if implemented, would have the most impact. Notable differences from our previous Top Unimplemented Recommendations report include:
- The list consists of individual recommendations from OIG reports, not rolled up by topic.
- No arbitrary cap is imposed on the number of recommendations included.
- Statuses are updated as recommendations are implemented.
Summary of All Recommendations
Updated Monthly · Last updated on November 15, 2024
- 1,306 unimplemented recommendations
- 2,698 implemented and closed recommendations since FY 2017
Views
OIG Recommendations Grouped by Report
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022
23-A-18-069.01
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to work with the OpDivs to implement automated CDM solutions to increase awareness and improve mitigation efforts across all of HHS.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/08/2024
- Legislative Related: No
23-A-18-069.02
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to advance the SCRM program to implement defined standards across HHS.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.03
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to work with the OpDivs to ensure privileged users' logical access contains strong authentication mechanisms; and to confirm that OpDivs are periodically performing sufficient monitoring over privileged user access.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Non-Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.04
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS confirm that the OpDivs contingency plan testing is being performed within the timeframe required by HHS policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Non-Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.05
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the capability to deny access to mobile devices, such as smartphones and tablets, from connecting to the network if the device's software is outdated.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 04/08/2024
- Legislative Related: No
23-A-18-069.06
We recommend that the HHS OCIO work with the OpDivs to implement oversight sufficient to ensure that Information Security Continuous Monitoring (ISCM) policies and procedures are consistently implemented in accordance with NIST standards for all systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.07
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs remediate weaknesses identified during controls assessments and review/perform risk assessments within the timeframe established by HHS policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.08
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete its discovery of all information systems and maintain an up-to-date inventory of systems, software, and licenses.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.09
We recommend that the HHS OCIO work with the OpDivs to ensure that SCAs are conducted within the appropriate timeframe as defined by policy for all systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.10
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDiv's SCRM policies and procedures are being consistently implemented across the organization and ensure their execution.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Next Update Expected:
- Legislative Related: No
23-A-18-069.11
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs finalize and implement draft policies and procedures to include the review of suppliers or contractors for risks to the organization's systems and system components.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.12
We recommend that the HHS OCIO work with the OpDivs to ensure that OpDivs define and implement policy for data exfiltration, enhanced network defenses, e-mail authentication, and DNS infrastructure tampering mitigation. Further, ensure the OpDiv enforces implementation of data encryption in transit and at rest in accordance with HHS policy, NIST standards, and OMB guidance.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.13
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the requirement to resolve high and critical vulnerabilities within 30 and 15 days respectively and create POA&Ms to monitor and resolve the weakness in a timely manner.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 09/06/2023
- Legislative Related: No
23-A-18-069.14
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement its policies and procedures to perform periodic BIAs and contingency plan testing within the timeframe required by HHS policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.15
We recommend that the HHS OCIO work with the OpDivs to ensure the timely completion of PIAs for all systems to identify privacy and compliance risk with federal regulations or laws, tracking implementation of privacy controls, identifying instances where the Agency collects or handles PII and/or PHI subject to the Privacy Act of 1974.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 09/06/2023
- Legislative Related: No
23-A-18-069.16
We recommend that the HHS OCIO work with the OpDivs to ensure that secure configuration settings are being maintained as defined by existing policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.17
We recommend that the HHS OCIO work with the OpDivs to ensure that all operational systems have multifactor or an alternative strong authentication mechanism (PIV or an Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential) for both privileged and non-privileged users.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.18
We recommend that the HHS OCIO work with the OpDivs to ensure that policies and procedures for identity and access management are being consistently implemented and proper safeguards (i.e., logging, monitoring, review of privileged user activity) are developed across the Department to ensure their execution.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.19
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs enforce its policies and procedures established to review users' activities periodically.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.20
We recommend that the HHS OCIO work with the OpDivs to implement oversight procedures sufficient to ensure that all personnel complete role-based training in a timely manner.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.21
We recommend that the HHS OCIO work with the OpDivs to ensure that operational systems have valid and current Authorization to Operate (ATO) and that security controls are assessed annually as per HHS policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: 11/27/2023
- Next Update Expected: 05/27/2024
- Legislative Related: No
23-A-18-069.22
We recommend that the HHS OCIO work with the OpDivs to implement oversight sufficient to ensure that all OpDivs review pre-defined privileged users' activities periodically and document the review and any follow-up activities for all systems.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.23
We recommend that the HHS OCIO work with the OpDivs to consistently implement the requirement to assign risk designations, re-signing access agreements, and training for all systems so that OpDivs can restrict privileges for users based on risk designations.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No
23-A-18-069.24
We recommend that the HHS OCIO work with the OpDivs to ensure that data encryption methods to protect data determined to be PII or sensitive are implemented across the organization for all systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/27/2023
- Legislative Related: No